un1teee
just joined
Topic Author
Posts: 1
Joined: Wed Mar 10, 2021 1:55 am

Please help - port forward and L2TP VPN not working

Wed Mar 10, 2021 8:17 am

Hi,

I've looked at various articles/blogs/videos and am still running into trouble configuring the RB4011 for both port forwarding and VPN access from Macs.

For port forwarding, I've added the firewall allow rule (not sure it's correct) and the NAT rule: WAN IP x.x.x.x -> 192.168.3.116.

For L2TP over IPsec, the connection fails while negotiating a valid policy. The connecting clients are only Macs. I'm not sure I have the DHCP pool correct for the VPN.

The configuration export is below:
# mar/09/2021 22:06:11 by RouterOS 6.48.1
# software id = A5ME-4BSK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4400C07B66B
# NOTE(review): the software id and serial number above are device identifiers;
# they are not needed to diagnose the problem and can be stripped from public pastes.
# NOTE(review): this looks like an export with sensitive values hidden (no
# ipsec-secret on the l2tp-server line, no password on the ppp secret below),
# so the shared-secret side of the L2TP/IPsec negotiation cannot be checked here.
/interface bridge
add admin-mac=48:8F:5A:8C:E7:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge secondary-channel=auto ssid=MikroTik-8CE7BB \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-496873 wireless-protocol=802.11
# NOTE(review): both radios run as ap-bridge and are bridge ports (see
# /interface bridge port), but no security-profile is referenced and the
# default profile further down only sets supplicant-identity. An export lists
# non-default values, so this suggests the two SSIDs are open -- confirm.
/interface ethernet
set [ find default-name=ether6 ] name=Publicworks
set [ find default-name=ether1 ] name=Spectrum
set [ find default-name=ether7 ] name=Students
set [ find default-name=ether8 ] name=Teachers
/interface l2tp-server
add name=Teachers-Binding user=TeacherVPN
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# NOTE(review): this is the default IKE profile; with use-ipsec=yes on the
# L2TP server (below) the dynamic peer presumably uses it. dh-group=modp1024
# and aes-128 are on the weak end but are often kept for older client
# compatibility -- check what the macOS clients actually offer before changing
# them, since a mismatch here is exactly what a failed policy/proposal looks like.
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-128 hash-algorithm=sha256
/ip ipsec proposal
# NOTE(review): auth-algorithms still lists md5 (and sha1); md5 is not a
# defensible integrity choice for IPsec. pfs-group=none and lifetime=8h are
# explicit here -- confirm they match the client side.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 \
enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# NOTE(review): pool-teachers is referenced by both the DHCP-Teachers server
# and the Teachers ppp profile, so VPN clients and wired Teachers hosts draw
# from the same 192.168.3.150-250 range. A pool can be shared between services,
# so this is not a conflict by itself; it does mean the two share capacity.
add name=pool-teachers ranges=192.168.3.150-192.168.3.250
add name=pool-publicworks ranges=192.168.1.100-192.168.1.200
add name=pool-student ranges=192.168.2.50-192.168.2.250
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-teachers disabled=no interface=Teachers name=\
DHCP-Teachers
add address-pool=pool-student disabled=no interface=Students name=\
DHCP-Students
add address-pool=pool-publicworks disabled=no interface=Publicworks name=\
DHCP-publicworks
/ppp profile
# NOTE(review): local-address=192.168.3.1 matches the Teachers interface
# address below. bridge=bridge presumably attaches PPP clients to the
# 192.168.88.0/24 bridge (BCP), which does not match the 192.168.3.x addresses
# they receive from pool-teachers -- confirm this is intended.
add bridge=bridge local-address=192.168.3.1 name=Teachers remote-address=\
pool-teachers
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking
set udp-timeout=5m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# NOTE(review): use-ipsec=yes enables the built-in IPsec policy for L2TP but
# still accepts sessions that arrive without IPsec; use-ipsec=required refuses
# those. The ipsec-secret is not shown in this export. The "ipsec" logging topic
# enabled at the end of this export is where the rejected proposal will appear.
set default-profile=Teachers enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Spectrum list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=x.x.x.x/29 comment=WAN-Teachers interface=Spectrum network=\
x-net
add address=192.168.3.1/24 comment=LAN-Teachers interface=Teachers network=\
192.168.3.0
add address=192.168.1.1/24 comment=LAN-PublicWorks interface=Publicworks \
network=192.168.1.0
add address=192.168.2.1/24 comment=LAN-Students interface=Students network=\
192.168.2.0
/ip dhcp-client
# NOTE(review): a DHCP client on Spectrum alongside the static x.x.x.x/29
# address may add a second WAN address; see the srcnat note below.
add comment=defconf interface=Spectrum
/ip dhcp-server network
add address=192.168.1.0/24 comment=LAN-PublicWorks dns-server=8.8.4.4,1.1.1.1 \
gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=LAN-Students dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 comment=Teachers dns-server=8.8.8.8,1.1.1.1 \
gateway=192.168.3.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): the router resolver answers remote queries; exposure to the WAN
# is prevented only by the input-chain "drop all not coming from LAN" rule below.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 list=not_in_internet
add address=172.16.0.0/12 list=not_in_internet
add address=192.168.0.0/16 list=not_in_internet
add address=10.0.0.0/8 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=192.0.0.0/24 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=100.64.0.0/10 list=not_in_internet
add address=240.0.0.0/4 list=not_in_internet
add address=192.88.99.0/24 list=not_in_internet
/ip firewall filter
# NOTE(review): rules are evaluated top-down in the order listed here.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): this accepts new dst-natted TCP/548 connections from Spectrum.
# It sits ahead of the "not public IP" source drop at the end of the forward
# chain, so a packet with a spoofed private source address aimed at 548 is
# accepted before that filter sees it -- consider moving the drop rule above
# this one (and above the dstnat accept further down).
add action=accept chain=forward comment="AFP allow" connection-nat-state=\
dstnat connection-state=established,related,new dst-port=548 \
in-interface=Spectrum log=yes protocol=tcp
add action=accept chain=input comment="VPN - teachers" in-interface=Spectrum \
log=yes protocol=ipsec-esp
# NOTE(review): udp/1701 is accepted from Spectrum unconditionally here (rule
# has no comment). For L2TP/IPsec, 1701 only needs to be reachable inside the
# IPsec policy (ipsec-policy=in,ipsec); otherwise plain L2TP is reachable on
# the WAN side as long as the server is not set to use-ipsec=required.
add action=accept chain=input dst-port=500,1701,4500 in-interface=Spectrum \
log=yes protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec log=yes
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): uncommented dstnat accept; it overlaps the AFP rule above and
# the established,related fasttrack/accept rules below -- document its purpose.
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
established,related in-interface=Spectrum log=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): evaluated last in the forward chain; see the AFP note above.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
Spectrum log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=Spectrum
# NOTE(review): log=yes on a WAN-facing dstnat rule records every connection
# attempt to 548; fine while debugging, noisy afterwards.
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=548 \
in-interface=Spectrum log=yes protocol=tcp to-addresses=192.168.3.116 \
to-ports=548
# NOTE(review): srcnat rules are also evaluated top-down and masquerade is
# terminating, so outbound traffic from 192.168.3.116 via Spectrum is likely
# matched by the masquerade rule first and this src-nat never fires -- check
# its counters, and place it before the masquerade rule if it is meant to pin
# this host to x.x.x.x.
add action=src-nat chain=srcnat log=yes out-interface=Spectrum src-address=\
192.168.3.116 to-addresses=x.x.x.x
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=x.x.x.x-gw
/ip service
# NOTE(review): only ftp is disabled here; the other management services stay
# at their defaults and are reachable from the LAN side (WAN input is dropped
# by the defconf rule above).
set ftp disabled=yes
/ppp secret
# NOTE(review): password hidden by the export. No service= restriction is set,
# so the secret is usable by any PPP service enabled on the router, not just L2TP.
add name=TeacherVPN profile=Teachers
/system clock
set time-zone-name=America/Los_Angeles
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add topics=!debug
# NOTE(review): ipsec logging is on; the log lines produced during a Mac
# connection attempt are the evidence needed for the policy/proposal question.
add topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
