I think I'm confused about the multiple meaning of "bridge". I used the "Quick Set" to do the initial setup and included "bridge all ports". When I then mess with the PPP/Profile, do I tell it to use the bridge?
If the client is Windows, you don't. You can only bridge together L2 interfaces, and the L2TP tunnel to the Windows client is only an L3 one. Between two Mikrotiks, you can create an L2 tunnel in parallel, and you can specify which bridges on the two Mikrotiks to link together using that tunnel, but that's not your case.
Also, there was an "allow ARP" box somewhere that I can't find now that I think was important.
You probably have in mind the proxy-arp
value of the arp
parameter of the bridge interface. This is only necessary if the IP address assigned to the L2TP client fits into the LAN subnet, because in that case, the LAN hosts think that the L2TP client is in the same subnet and use ARP to determine its MAC address to send the packets directly to it. So by setting arp=proxy-arp
on an interface, you make the router respond to ARP requests towards addresses in subnets connected to other interfaces with its own MAC address, so that the requestor would then send the IP traffic to the router and the router could deliver it.
As of right now, I can remotely access the router over the VPN, the router can ping private addresses on my bridge network, but I can't ping remotely which means I can't browse the network or use RDP.
This sounds as if you are really assigning addresses from the LAN subnet to the VPN clients, as stated above.
I've watched dozens of youtubes on the subject, and everyone does it differently.
That's no surprise. There are often many ways to do the same thing.
Update: I added LAN to my ppp/profile interfaces, and I'm now locked out, so I'll have to go into the office to put that back.
Sorry for this. It is always better to post the actual configuration rather than to refer to a "default" one - there is a different default configuration for almost every major release of RouterOS. But nevertheless I am surprised, because if the /interface list
LAN didn't exist, it should not have allowed you to set it in the ppp profile, and if it exists, I can see no reason why any
version of default firewall rules should lock you out. Does the L2TP connection establish or not?