JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Mikrotik - Enable Split Tunnel on L2TP VPN

Sun Feb 28, 2021 5:10 pm

Hi Experts

How do I enable Split Tunneling on Mikrotik? I have implemented L2TP VPN, no pre-shared key.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Mon Mar 01, 2021 11:04 am

The IP address that the router will be giving out to L2TP connections should be within the same subnet as all other local users, and when configuring the Windows client (in Networking->IPv4->Properties->Advanced) clear "Use default gateway on remote network"...

nothing else..
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Mon Mar 01, 2021 2:38 pm

Hi satman1w

If I click clear "Use default gateway on remote network", then I can access or ping my internal network.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Mon Mar 01, 2021 7:55 pm

If you clear "Use default gateway on remote network", only the traffic destined to the remote subnet will be routed through the tunnel and the rest will stay the same as before. So you will be able to ping your network and all other traffic will be routed through your default gateway...
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Tue Mar 02, 2021 2:50 am

L2TP VPN is a PPP style protocol in which the IP handed out is not a subnet but a /32 technically - so no broadcast and ARP learning exists, and the client machine does not generally enable a route for the remote subnet.

If you clear use remote default gateway - you'll need to add routes specifically to be used on the VPN - this can be done locally on the client device, and there are different ways (with differing success) to advertise remote routes via VPN as well - none that I've had too much success with (such as DHCP Options)
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Tue Mar 02, 2021 9:45 am

L2TP VPN is a PPP style protocol in which the IP handed out is not a subnet but a /32 technically - so no broadcast and ARP learning exists, and the client machine does not generally enable a route for the remote subnet.
[attachment: route.png]
...as you can see, L2TP interface is up and the auto route for remote network is added ...
 
fischerdouglas
Frequent Visitor
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Thu Mar 02, 2023 1:38 pm

Disabling the remote default gateway works, but does not give me the possibility to "say" to remote users (or remote sites) ...
L2TP on RouterOS only allows assigning IP addresses to remote clients via IPCP.

If Mikrotik allowed assigning IP addresses via DHCP, it would be possible to:
- Not send Option 3 to remote users.
- Use Option 121 to "teach" remote users which networks they should come through "this tunnel" to reach.

I'm not sure, but it is exactly that methodology by which the VPN server of Windows Server does the split VPN.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik - Enable Split Tunnel on L2TP VPN

Thu Mar 02, 2023 2:07 pm

Unfortunately such settings are a collection of non-standard manufacturer inventions, all incompatible with one another.
It explains why all the time, new VPN protocols are invented that solve all problems, at least those that the inventor sees.
Still we (the users) are left with an inconvenient mess...

For example, now there is IKEv2 VPN. It is supposed to solve all these issues. And indeed, now you can set the routed subnets on the server side and the client receives them.
However, most implementations are broken and accept only ONE such route. When you advertise two, only one will work. Bummer.
