Community discussions

kal9isa
just joined
Topic Author
Posts: 2
Joined: Fri Oct 07, 2022 12:17 am

Need help with directing traffic over IP-IP tunnel

Fri Oct 07, 2022 12:50 am

Hi everyone,

I have 2 Mikrotik routers in different data centers with the following specifications:
Router A
  • RouterOS 6.49.6
  • WAN int: ether2
  • Public IP: a.a.a.a
  • IP Pool 192.168.200.0/24
  • L2TP/IPSec PSK with an assigned range of IPs from the pool
Router B
  • RouterOS 7.2.1
  • WAN int: ether1
  • Public IP: b.b.b.b

I would like to set up an IP-IP tunnel between the two and have the traffic of all users who connect to router A go through router B. For that, I have done the following steps with help from others:
1. Router B> create an ipip int
2. Router B> assign an IP address of 10.40.40.1 bound to ipip int
3. Router A> create an ipip int
4. Router A> assign an IP address of 10.40.40.2 bound to ipip int
5. Router A>NAT> in srcnat chain the action of src-nat to address b.b.b.b
6. Router A>Mangle> in prerouting chain from src address 192.168.200.0/24 to any destination but local, the action of route to 10.40.40.1 with passthrough enabled
7. Router B>NAT> in srcnat chain the action of src-nat to address b.b.b.b
8. Router B>NAT> in srcnat chain the action of src-nat to address a.a.a.a

Now, we have traffic sent from router A to B, but no traffic in the other direction (which means even the Google website is not accessible for L2TP clients on router A). Last night I got it to work with help from a friend, but apparently I didn't download the backup from router A and now the settings are lost. So that's one of the issues that I need help with. The other is that the last time it was working, L2TP clients of router A could see router B's IP when looking up their own public IP, but could not use applications that are accessible from router B such as YouTube or Miro.

Thanks in advance for any kind soul that could help
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with directing traffic over IP-IP tunnel

Fri Oct 07, 2022 2:09 am

A few things:

- Both 10.40.40.x must have some sane mask (e.g. /30 or /24)
- Step 5 is wrong; the only srcnat that could make sense here would use 10.40.40.2. But it's even better to not add it at all, and instead add a route on router B to 192.168.200.0/24 with 10.40.40.2 (router A) as gateway.
- Step 8 is nonsense and not needed.
 
kal9isa
just joined
Topic Author
Posts: 2
Joined: Fri Oct 07, 2022 12:17 am

Re: Need help with directing traffic over IP-IP tunnel

Sat Oct 08, 2022 9:56 pm

Thank you so much, I will try out the tips and post an update!
 
LdB
Member Candidate
Posts: 142
Joined: Thu May 20, 2021 4:23 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 11:32 am

There is no need to NAT the traffic; it will automatically NAT when it goes from private IPs to the public IP.
You just IP route them, so stop at step 4.

Now, on router A, send all traffic that isn't locally connected through the IP tunnel to router B
/ip route
add dst-address=0.0.0.0/0 gateway=10.40.40.1
/
On router B, send all traffic destined for router A back to it through the tunnel
/ip route
add dst-address=192.168.200.0/24 gateway=10.40.40.2
/
Job done

FYI, router B's network should be different, so say
192.168.201.0/24
You also need to masquerade both network ranges on router B, because both ranges leave that router to the public IP of router B.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 4:00 pm

If VPN clients are supposed to be connecting from internet to router A, you can't add unconditional default route pointing to router B like this.
 
LdB
Member Candidate
Posts: 142
Joined: Thu May 20, 2021 4:23 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 4:05 pm

The VPN traffic will either be in the specific network or, worst case, you can mangle mark it as it enters a.a.a.a.
Either way it will have a tighter network or routing mark and won't end up on the 0.0.0.0/0 default route.
Need a bit more detail of the VPN setup to work that through; all we know at the moment is

>>> L2TP/IPSec PSK with an assigned range of IP from the pool

Usually when you set up like this you are remoting in on a small feed but the other site has a large feed, which is why you want the internet from it. I use a VPN to RDP to a machine on my woeful 25Mb home link to use the office 1GB link all the time :-)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 4:42 pm

I meant the tunnels themselves, IPSec packets between clients in internet and router A. If I'm client x.x.x.x and I'm connecting to server a.a.a.a, this traffic needs to use a.a.a.a's internet connection. If you handle it with routing marks or rules, then fine, it will work. But you didn't mention it before.
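The following is an added example, not configuration posted by anyone in this thread. It puts together what the replies converge on: a /30 on the tunnel (Sob), no src-nat on router A and a return route on router B (Sob, LdB), masquerade on B (LdB), and a routing mark on A so that only the L2TP clients' traffic takes the tunnel while the clients' own L2TP/IPsec transport packets to a.a.a.a keep using ether2 (Sob's objection to an unconditional default route). The interface and table names (ipip-to-B, ipip-to-A, via-B) are my own; a.a.a.a, b.b.b.b and 192.168.200.0/24 are the original poster's placeholders; the two filter rules on B are only needed if that router drops input/forward by default, which the thread does not say. Router A uses RouterOS v6 syntax and router B v7, matching the versions in the first post.

```routeros
# Added example, not from the thread. Names ipip-to-B / ipip-to-A / via-B are
# my choices; a.a.a.a, b.b.b.b and 192.168.200.0/24 are the OP's placeholders.

# ---------- Router A (RouterOS 6.49.6, WAN ether2, public a.a.a.a) ----------
/interface ipip
add name=ipip-to-B local-address=a.a.a.a remote-address=b.b.b.b
# Optional: add ipsec-secret=<psk> to the line above to wrap the tunnel in
# IPsec. Plain IP-in-IP has no encryption, so without it the clients' traffic
# crosses the internet between A and B in clear text.
/ip address
add address=10.40.40.2/30 interface=ipip-to-B

# Policy routing instead of an unconditional default route: only packets whose
# source is the L2TP pool get the mark, so the clients' L2TP/IPsec transport
# packets (x.x.x.x <-> a.a.a.a) and the router's own traffic still use ether2.
/ip firewall mangle
add chain=prerouting src-address=192.168.200.0/24 dst-address=!192.168.200.0/24 \
    action=mark-routing new-routing-mark=via-B passthrough=no \
    comment="L2TP clients -> internet via router B"
# IP-in-IP adds a 20-byte outer header; clamp TCP MSS on the tunnel so large
# segments are not silently dropped on the way to B.
add chain=forward out-interface=ipip-to-B protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
/ip route
add dst-address=0.0.0.0/0 gateway=10.40.40.1 routing-mark=via-B
# No src-nat on A: router B routes 192.168.200.0/24 back through the tunnel.

# ---------- Router B (RouterOS 7.2.1, WAN ether1, public b.b.b.b) ----------
/interface ipip
add name=ipip-to-A local-address=b.b.b.b remote-address=a.a.a.a
/ip address
add address=10.40.40.1/30 interface=ipip-to-A
/ip route
add dst-address=192.168.200.0/24 gateway=10.40.40.2
/ip firewall nat
add chain=srcnat src-address=192.168.200.0/24 out-interface=ether1 action=masquerade
# Assumption: only if B's filter drops input/forward by default. Place these
# above the drop rules: accept the encapsulated packets (IP protocol 4) from A
# and the decapsulated client traffic arriving on the tunnel interface.
/ip firewall filter
add chain=input protocol=ipencap src-address=a.a.a.a action=accept
add chain=forward in-interface=ipip-to-A src-address=192.168.200.0/24 action=accept

# ---------- Checks ----------
# On A: tunnel reachable, and the marked table holds its default route
/ping 10.40.40.1 count=3
/ip route print where routing-mark=via-B
# On B: return route present, and the tunnel actually carries traffic
/ip route print where dst-address=192.168.200.0/24
/interface monitor-traffic ipip-to-A once
```

With this layout, a client checking its public IP sees b.b.b.b, while the client's own tunnel to a.a.a.a is untouched because nothing with a source outside 192.168.200.0/24 is marked. If router B carries its own LAN as well, give it a different range (as LdB notes) and add a second masquerade rule for it.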
 
LdB
Member Candidate
Posts: 142
Joined: Thu May 20, 2021 4:23 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 5:05 pm

In most cases when you set up the VPN tunnel it will add the specific route dynamically :-)
In the mode he is using, L2TP/IPSec, he should have had to set dynamic endpoints in policies, and those dynamic endpoints will end up in the route table .. it's automatic
Generally the VPN traffic is the last thing you have to worry about because it's on a very specific route (usually a /30) and most setups on the Tik do it all for you

They usually end up looking like this .. Dynamic, Active, Connected
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with directing traffic over IP-IP tunnel

Mon Oct 10, 2022 6:39 pm

Well, routes for addresses inside tunnels, sure. But what about those outside, the transport packets (in this case ESP used by IPSec, or wrapped in UDP if there's NAT traversal)? I don't use L2TP/IPSec often, so you made me doubt myself and I had to try it, and it doesn't seem that the server is adding any routes for those.
