Messy ... yeah I really need to do my MTCRE already
Well, maybe just "so unusual that a mere mortal cannot understand it without having additional context". Details below.
On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server for the client to connect directly.
Slow down. You mention "your router" (=the Tik we are currently dealing with), "clients router" (the one which provides "your router" with internet access), and now you come with "onsite router".
And I feel as if you freely mixed "L2" and "L2TP". So is the L2 tunnel from the bridge on "your router" to your office provided using the L2TP session where the Tik in your office is an L2TP client and "your router" is the L2TP server, or is there anything else? Because you say you have also "an L2 server for the client to connect directly", which suggests that the L2TP server on "your router" serves only one of these purposes.
The PPPoE is for once there is no direct internet access from inside the network.
My English is not good enough to be sure what this sentence means. Do you want to say that although the general goal is to prevent devices connected to the LAN side of "your router" from accessing the internet, you plan to permit some exceptions, and that these "privileged" devices will have to use a PPPoE client in order to get internet access because that way you can authenticate them? If so, you'll need an additional permissive rule in the firewall filter, accepting forward traffic which either matches src-address matching the /ip pool used for PPPoE clients, or matches in-interface-list=some-nice-name if you add interface-list=some-nice-name to the property list of the /ppp profile used for PPPoE clients.
The PPPoE server issues from a different pool as the hosts in the current range is near depletion.
I have no problem with assigning the remote-address (the client's one) to PPPoE clients from another /ip pool than to L2TP clients in L3 mode. What I don't understand is why you use a pool instead of a single address as local-address, as I suspect (but have never tried that) that it means that you assign a new address at "your router" for each client connection, i.e. that each client connection takes two IPs from the pool, instead of just one for the client.
Also, by using the same pool for the DHCP server on bridge and for L2TP clients in L3 mode you may spend two addresses from that pool per connected client, one for the L2TP client side of the L3 tunnel and another one if the L2 tunnel has a DHCP client at L2TP client side.
The last firewall filter rule is a default, does that not simply drop connections from the WAN side that are not NATed? Ah ok, but I suppose once you remove the "WAN" In interface it will drop packets on the LAN side as well, correct?
Correct. A default rule is appropriate when the rest of the configuration stays default too; once you customize the default configuration to your needs, there is no reason not to customize the firewall rules too. If it makes you feel better, copy the rule, modify one of them (replace the comment with the irritating word "default" in it with a more appropriate one, and remove the in-interface=WAN) and just disable the original one instead of removing it.
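The following RouterOS export fragment is an added illustration of the advice in this reply, not configuration posted by either participant. It assumes a bridge named bridge, a PPPoE address pool 10.20.0.0/24, an interface list named pppoe-clients and a profile named pppoe-profile; all of these names and addresses are made up for the example, and the other match conditions on the drop rule are taken from the usual defconf "drop all from WAN not DSTNATed" rule rather than from the thread.

```routeros
# Separate pool for PPPoE clients so they do not compete with the DHCP/L2TP pool
/ip pool
add name=pppoe-pool ranges=10.20.0.2-10.20.0.254

# Interface list that the PPPoE profile will add each client's dynamic interface to
/interface list
add name=pppoe-clients

# Single local-address (one IP on the router side, one per client from the pool)
/ppp profile
add name=pppoe-profile local-address=10.20.0.1 remote-address=pppoe-pool \
    interface-list=pppoe-clients only-one=yes

# Example credentials; replace with real ones (assumed placeholder values)
/ppp secret
add name=office-pc password=CHANGE-ME profile=pppoe-profile service=pppoe

/interface pppoe-server server
add service-name=office interface=bridge default-profile=pppoe-profile \
    one-session-per-host=yes disabled=no

/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
# Either of the next two rules is enough; the interface-list match does not depend on the pool
add chain=forward action=accept in-interface-list=pppoe-clients \
    comment="allow authenticated PPPoE clients out"
add chain=forward action=accept src-address=10.20.0.0/24 \
    comment="alternative: allow by PPPoE pool address"
# Copy of the defconf rule with in-interface=WAN removed, so LAN hosts without PPPoE are dropped too
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    comment="drop any new forward connection not explicitly allowed or DSTNATed"
# Original rule kept but disabled, as suggested above
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=WAN disabled=yes comment="defconf: drop all from WAN not DSTNATed"
```

The accept rules must sit above the drop rule, since /ip firewall filter is evaluated top to bottom. Using the interface-list match is the more robust choice: it follows the client's dynamic interface regardless of which pool the address came from, so a later change of pool does not silently open or close the path.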