ccmks
newbie
Topic Author
Posts: 27
Joined: Sun May 31, 2020 7:51 pm

Mikrotik L2TP VPN IP Public Port Forward - Part 2

Fri Sep 02, 2022 8:58 pm

Hello,

This is the continuation question from the post here:
viewtopic.php?t=165532

which has pretty much been solved already. However, now I am facing another challenge with this. The ISP that I am using has a very bad connection when connecting to the CHR server in City A; it gives slow throughput and lower speed. On the other hand, connecting to the CHR in City B is good, with faster speed and lower latency. What I would like to accomplish is to have the L2TP VPN using BCP, but using the CHR in City B as a middleman in the process when creating the tunnel. Please see the image below:

https://imgur.com/qPX3QiV
Mikrotik CHR Relay.jpg
Please advise how to configure this on the Mikrotik CHR in City A, in City B and on the Mikrotik on premise.

Thank you so much for helping me out before
Last edited by ccmks on Tue Sep 06, 2022 3:21 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Fri Sep 02, 2022 11:27 pm

It is sufficient to use dst-nat (port forwarding) on the City B CHR to redirect the L2TP connections coming from the client to its public address on to the public address of the City A CHR, and to src-nat these requests so that the City A CHR sends the responses back to the City B CHR. Depending on whether you use plaintext L2TP or an IPsec-encrypted one, you will have to forward one or two ports.

So assuming that the public IP of City A CHR is a.a.a.a and the public IP of City B CHR is b.b.b.b, and you use IPsec-encrypted L2TP, you would
  • change nothing in the CHR A configuration
  • change the connect-to address on the /interface l2tp-client row at the LTE device from a.a.a.a to b.b.b.b
  • set the following NAT rules on CHR B:
    /ip firewall nat
    # Return path: make CHR A answer to CHR B's public address instead of to the client
    add chain=srcnat out-interface=ether1 dst-address=a.a.a.a protocol=udp \
        action=src-nat to-addresses=b.b.b.b \
        comment="L2TP/IPsec relay: force CHR A replies back to this CHR"
    # Forward path: IKE (500) and NAT-T/ESP-in-UDP (4500) arriving from the client go on to CHR A
    add chain=dstnat in-interface=ether1 dst-address=b.b.b.b protocol=udp dst-port=500,4500 \
        action=dst-nat to-addresses=a.a.a.a \
        comment="L2TP/IPsec relay: forward IKE and NAT-T to CHR A"
I only concentrate on the topic-related setup at CHR B. Of course you need to complete the basic setup first, i.e. put some firewall filter rules in chain input to protect the CHR from unauthorized remote access, and configure the IP address and default route (or set up the DHCP client to take care of that).

If you do not use IPsec-protected L2TP, just change the dst-port value from 500,4500 to 1701. The grey part of the other rule is optional; if CHR B has no other purpose, you can omit it.
 
ccmks
newbie
Topic Author

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Sun Sep 04, 2022 3:22 am

I forgot to clarify something in my previous post. Thanks anyway for responding

The IP address on the CHR in City B is being delivered straight to the Mikrotik on premise. So when the Mikrotik on premise dials the L2TP VPN, it gets a public IP straight from the CHR in City B using the L2TP BCP method. What I am trying to accomplish is using the same layer 2 method to deliver the public IP from City B through the City A CHR. Port forwarding only happens on the Mikrotik on premise, since it is the only Mikrotik that gets the public IP and port-forwards to the internal LAN behind it.

Thank you
 
sindy
Forum Guru

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Sun Sep 04, 2022 10:05 am

Sorry, I thought I had understood the description properly, so I didn't bother to consent to imgur's cookie policy to see the drawing. Did you know that you can place an image directly on the forum site, so there is no need to help 3rd parties with their advertising business? When creating/editing a post, there is an "attachments" tab below the editing window; you can upload an image there and place a reference to it in the text of the post.

But the only actual damage done is that I have swapped the roles of A and B in the scheme: the existing setup is the LTE Tik and CHR B, and you want to insert CHR A into it, right? (See where my confusion came from.) So the forwarding of port 1701, or of ports 500 & 4500, will be done on the additional CHR A, and CHR B will remain unchanged.

The port forwarding on CHR A does not substitute for the port forwarding on the LTE Tik; it is used solely to enforce the network path of the VPN transport packets.
 
ccmks
newbie
Topic Author

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Tue Sep 06, 2022 3:29 pm

Let me add more information to make it more accurate. I am sorry for not providing accurate information.

The IP address on City B is 129.90.90.2/24. In the normal setup, the Mikrotik on premise dials L2TP and gets an IP address from the City B range, which would be 129.90.90.3 on the L2TP interface. However, the direct connection from on premise to City B is not good, so I have to relay the L2TP through City A in order to get better connectivity. However, I couldn't figure out how to get the IP address delivered to the L2TP dial-up on the on-premise Mikrotik via layer 2. The port forwarding will happen on premise, since the on-premise Mikrotik will be getting a public IP from the City B IP range.

What I tried before was creating 2 L2TP connections. The first L2TP connects to City A, then the 2nd L2TP connects to City B via the City A L2TP tunnel. I just don't like the result, as it creates more overhead, which degrades the performance, especially since the CHR doesn't have a very good processor for handling too large a bandwidth.

Thank you
 
sindy
Forum Guru

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Tue Sep 06, 2022 8:38 pm

I think I do understand what you want. My suggestion keeps the L2TP tunnel between the on-premise Mikrotik as a client and the City B Mikrotik as a server; the CHR in City A serves as neither an L2TP client nor an L2TP server. The only thing it does is forward the L2TP transport/control packets received from the on-premise Mikrotik further to 129.90.90.2 thanks to the dst-nat rule, and make the CHR in City B send the response packets to itself (the CHR in City A) thanks to the src-nat rule. So it acts as a simple router with NAT, and its sole purpose is to force the network path between the client and the server to be the "good" indirect one rather than the "bad" direct one.
 
ccmks
newbie
Topic Author

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Thu Sep 08, 2022 9:21 pm

I think having City A forward the L2TP traffic is a good idea. How do I accomplish that in the City A CHR settings, and on premise, when dialing L2TP, which IP should be used to dial: the City A CHR's or the City B CHR's public IP?

Thank you
 
sindy
Forum Guru

Re: Mikrotik L2TP VPN IP Public Port Forward - Part 2

Thu Sep 08, 2022 10:50 pm

Everything as stated in post #2, except that you swap the roles of CHR A and CHR B.
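As an added, consolidated example (not from the original thread or any of its posters), this is the configuration sindy's answer describes with the roles swapped as in the last posts: the relay is the City A CHR, the existing L2TP/IPsec server stays the City B CHR at 129.90.90.2 (the address given in the thread), and the on-premise Mikrotik only changes the address it dials. a.a.a.a stands for the City A CHR's public address, ether1 for its WAN interface, l2tp-out1 for the on-premise client interface name and 203.0.113.10 for an administrator's address; all of these are assumptions.

```routeros
# --- City A CHR: relay only, neither an L2TP client nor an L2TP server ---
# Assumption: ether1 is the WAN interface and holds the public address a.a.a.a.
/ip firewall nat
# Forward path: IKE (UDP 500) and NAT-T (UDP 4500) arriving from the on-premise
# Mikrotik are rewritten to continue to the real server in City B.
add chain=dstnat in-interface=ether1 dst-address=a.a.a.a protocol=udp \
    dst-port=500,4500 action=dst-nat to-addresses=129.90.90.2 \
    comment="relay IKE/NAT-T to City B L2TP server"
# Return path: City B must answer to this relay, not directly to the client,
# so that replies also travel over the "good" link.
add chain=srcnat out-interface=ether1 dst-address=129.90.90.2 protocol=udp \
    dst-port=500,4500 action=src-nat to-addresses=a.a.a.a \
    comment="force City B replies back through this relay"
# Plain (non-IPsec) L2TP would use dst-port=1701 in both rules instead.
# If a.a.a.a is not configured on ether1 itself (cloud 1:1 NAT in front of the
# CHR), drop the dst-address= matcher from the dstnat rule and use
# action=masquerade in the srcnat rule.

# Basic protection of the relay itself. The relayed VPN packets traverse
# chain forward, not chain input, so they need no input rule.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=icmp action=accept
# Assumption: management is allowed only from one trusted address.
add chain=input in-interface=ether1 src-address=203.0.113.10 action=accept \
    comment="management"
add chain=input in-interface=ether1 action=drop
# Only flows that were dst-natted by the relay rule may pass through.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat protocol=udp dst-port=500,4500 \
    action=accept comment="relayed L2TP/IPsec only"
add chain=forward action=drop

# --- On-premise Mikrotik: only the dialed address changes ---
/interface l2tp-client set [find name=l2tp-out1] connect-to=a.a.a.a

# --- Checks ---
# On the relay: each relayed flow should appear with 129.90.90.2 as destination.
/ip firewall connection print where protocol=udp dst-address~"129.90.90.2"
# On the on-premise Mikrotik: tunnel state and the IPsec peer actually in use.
/interface l2tp-client monitor l2tp-out1 once
/ip ipsec active-peers print
```

Because of the src-nat rule, the City B server now sees the on-premise client as coming from a.a.a.a; if anything on the server side (an IPsec peer entry, an address list or a filter rule) is restricted by the client's source address, it has to be updated to the relay's address before the tunnel will come up.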
