chrisk

Help setting L2TP/IPSec 1700 MTU

Sun Mar 19, 2023 10:15 pm

Hi everyone. Just looking for help with setting the server/client L2TP over IPsec MTU to 1700 and passing all traffic on the client side through the L2TP tunnel. Current config below. TIA.


Server config
# mar/19/2023 22:09:52 by RouterOS 6.49.7
# software id = QXU3-9BSF
#
# model = RB750Gr3
# serial number = CC210FFC6E46
# Review notes (compact export of the hq-side L2TP/IPsec server; defaults are
# omitted by the export). Notes are tied to the lines they precede; anything
# inferred rather than visible is marked NOTE(review).
/interface bridge
add name=br-eth2
add name=br-eth3
add name=br-eth4
add name=br-eth5
/interface ethernet
# Physical ports carry mtu=1596 (ether5 l2mtu=1598), presumably to leave room
# for PPPoE/VLAN headers on ether1 - TODO confirm. This does not raise the
# tunnel's usable MTU, which is bounded by the uplink path (see the
# max-mtu note under /interface l2tp-server server).
set [ find default-name=ether1 ] comment="Uplink from CTCPE" loop-protect=on \
    mtu=1596
set [ find default-name=ether2 ] comment="DCOS / R2 / 8P-Swich" loop-protect=\
    on loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether3 ] comment=R3 loop-protect=on \
    loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether4 ] comment=CCTV loop-protect=on \
    loop-protect-disable-time=10m mtu=1596
set [ find default-name=ether5 ] comment="Uplink to adu-1.hq.ckrcontrol.com" \
    l2mtu=1598 loop-protect=on loop-protect-disable-time=10m
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-ctfiber user=user
/interface l2tp-server
# Static L2TP interfaces, one per PPP secret below; l2tp-ckl2tp is disabled.
add name=l2tp-adu1hql2tp user=adu1hql2tp
add name=l2tp-adu1n02l2tp user=adu1n02l2tp
add disabled=yes name=l2tp-ckl2tp user=ckl2tp
add name=l2tp-hb535 user=hb535l2tp
/interface ovpn-server
add name=ovpn-ck user=chrisckr
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Site-to-site IKEv2 peer (address masked in the post as 62.152.4.xx).
add address=62.152.4.xx/32 exchange-mode=ike2 name=ipsec-to-adu1.n02
/ip ipsec policy group
set [ find default=yes ] name=L2TP
/ip ipsec profile
# IKE: AES-256 / SHA-512 / modp2048. dpd-interval=disable-dpd turns dead-peer
# detection off, so an SA to a peer that silently disappears is only replaced
# on lifetime expiry or a manual flush.
set [ find default=yes ] dh-group=modp2048 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-512 with PFS modp2048; the client export uses
# the same proposal.
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
add name=OVPN-Pool ranges=10.1.1.2-10.1.1.254
add name=L2TP-Pool ranges=10.2.1.2-10.2.1.100
add name=vlan20_pool ranges=192.168.20.2-192.168.20.254
add name=vlan10_pool ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool_ether5 ranges=192.168.40.2
/ip dhcp-server
add address-pool=vlan20_pool disabled=no interface=br-eth3 lease-time=2h \
    name=br-ether3_dhcp
add address-pool=vlan10_pool disabled=no interface=br-eth2 lease-time=2h \
    name=br-ether2_dhcp
add address-pool=dhcp_pool_ether5 disabled=no interface=br-eth5 name=\
    br-ether5_dhcp
/ppp profile
# The L2TP profile leaves change-tcp-mss at the profile default. The advice
# in the thread is change-tcp-mss=yes on the tunnel profile so TCP MSS is
# clamped to the tunnel MTU without a separate mangle rule (the client export
# already does this).
set *0 change-tcp-mss=default
add local-address=10.1.1.1 name=OVPN remote-address=OVPN-Pool
add local-address=10.2.1.1 name=L2TP remote-address=L2TP-Pool
set *FFFFFFFE change-tcp-mss=default use-encryption=default
/queue simple
add burst-time=2s/2s max-limit=52M/205M name=vlan10_200/50 target=br-eth2
add burst-time=2s/2s max-limit=52M/205M name=vlan20_200/50 target=br-eth3
/snmp community
# Default community disabled, but the custom one allows addresses=::/0 (any
# source). Because the input chain below accepts new connections from every
# interface, SNMP v2c is reachable from the uplink with the community string
# as the only credential; scope addresses= to the monitoring hosts that
# appear as trap targets under /snmp.
set [ find default=yes ] disabled=yes
add addresses=::/0 name=dcos_com_only_
/system logging action
add email-start-tls=yes email-to=christos322009@hotmail.com name=email \
    target=email
/interface bridge port
# One bridge per port, with pvid set on ether3/ether4 but no bridge VLAN
# filtering in this export; the thread notes these bridges are likely to be
# removed. interface=*24 is an unresolved interface id (a port that no
# longer exists).
add bridge=br-eth3 hw=no interface=ether3 pvid=30
add bridge=br-eth2 interface=ether2
add bridge=br-eth5 interface=ether5
add bridge=br-eth4 interface=*24
add bridge=br-eth4 hw=no interface=ether4 pvid=40
/interface l2tp-server server
# max-mtu/max-mru=1700 is larger than the uplink can carry once L2TP+IPsec
# overhead is added; oversized tunnel packets are fragmented or dropped in
# transit rather than delivered. The thread ends with the tunnel MTU lowered
# to 1350 after the WISP path turned out to allow about 1370.
# use-ipsec=required: plain L2TP without IPsec is refused (good).
set default-profile=L2TP enabled=yes max-mru=1700 max-mtu=1700 \
    one-session-per-host=yes use-ipsec=required
/interface ovpn-server server
# auth=sha1 is the OVPN channel HMAC; prefer a SHA-2 option if this RouterOS
# build offers one - TODO confirm. require-client-certificate=yes and a
# non-default port are set.
set auth=sha1 certificate=server cipher=aes256 default-profile=OVPN enabled=\
    yes port=61194 require-client-certificate=yes
/ip address
# Note 172.168.188.0/24 and 192.100.30.0/29 are public address space used as
# private networks (RFC 1918 ranges would avoid overlap with real hosts).
add address=192.168.10.1/24 interface=br-eth2 network=192.168.10.0
add address=192.168.20.1/24 interface=br-eth3 network=192.168.20.0
add address=172.168.188.1/24 interface=ether2 network=172.168.188.0
add address=192.168.8.250/24 interface=ether2 network=192.168.8.0
add address=192.100.30.1/29 interface=br-eth4 network=192.100.30.0
add address=192.168.40.1/30 interface=br-eth5 network=192.168.40.0
/ip arp
# Static ARP for the LTE backup gateway and the DCOS host. NOTE(review): both
# entries are on br-eth2 while the matching /ip address entries are on
# ether2 itself - confirm which interface actually carries these subnets.
add address=192.168.8.1 comment=LTE-Backup interface=br-eth2 mac-address=\
    E0:40:07:7F:1C:EF
add address=172.168.188.2 comment=DCOS interface=br-eth2 mac-address=\
    C4:34:6B:65:92:DA
/ip dhcp-server network
# dns-server=10.0.0.1 is not an address on this router; presumably reached
# via the tunnel or another path - TODO confirm.
add address=192.168.10.0/24 dns-server=10.0.0.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=10.0.0.1 gateway=192.168.20.1
add address=192.168.40.0/30 gateway=192.168.40.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach udp/tcp 53 on it; with the open input chain and the port-53 redirect
# rules under /ip firewall nat that includes the uplink. Block 53 from
# pppoe-ctfiber in the input chain (or limit the redirect with in-interface).
set allow-remote-requests=yes servers=10.0.0.1,1.1.1.1,1.0.0.1
/ip dns static
add address=172.168.188.2 name=dcos.ckrcontrol.com
add address=213.7.231.xx name=ns1monitoring.ckrcontrol.com
add address=38.242.199.97 name=ns2monitoring.ckrcontrol.com
add address=38.242.199.97 name=mail.ckrcontrol.com
add address=172.168.188.1 name=bbhq.ckrcontrol.com
add address=10.2.1.150 name=adu-1.n02.ckrcontrol.com
add address=10.2.1.151 name=adu-1.hq.ckrcontrol.com
add address=192.100.30.2 name=cctv.ckrcontrol.com
/ip firewall filter
# Input chain: the first input rule accepts connection-state=new with no
# in-interface or source restriction, so every new connection to the router
# itself is accepted before anything else is evaluated. The later accepts for
# L2TP (1701 with ipsec-policy=in,ipsec), IKE 500, NAT-T 4500 and ipsec-esp
# are therefore never reached, and there is no final drop. The usual shape
# is: accept established,related; drop invalid; accept those specific
# services plus management from trusted networks; then drop everything else
# arriving on pppoe-ctfiber.
# Forward chain: fasttrack for 172.168.188.0/24 comes first; fasttracked
# connections skip later filter/mangle rules.
add action=fasttrack-connection chain=forward comment=\
    "Allow fasttrack on 172.168.188.0/24" src-address=172.168.188.0/24
add action=accept chain=input comment="Allow incoming good connection states" \
    connection-state=established,related,new
add action=accept chain=forward comment=\
    "Allow forward good connection states" connection-state=\
    established,related,new
add action=drop chain=input comment="Drop input invalid connection state" \
    connection-state=invalid
add action=accept chain=input comment="Accept L2TP ipsec encapsulated" \
    dst-port=1701 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="Accept IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Accept IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=forward comment="Drop forward invalid connection state" \
    connection-state=invalid
# Scanner-detection set, all disabled. The rule commented "Port Scanner
# Block" is action=accept (it whitelists the LAN rather than blocking);
# the dst-port list 62222,60080,60090 matches the relocated ssh/www/winbox
# ports under /ip service, and src-address 10.100.1.0/24 does not appear
# anywhere else in this export.
add action=accept chain=input comment="Port Scanner Block" disabled=yes \
    protocol=tcp src-address=172.168.188.0/24
add action=accept chain=input disabled=yes protocol=tcp src-address=\
    10.100.1.0/24
add action=add-src-to-address-list address-list="Ports Scanner Attacks" \
    address-list-timeout=1d chain=input disabled=yes dst-port=\
    62222,60080,60090 protocol=tcp
add action=drop chain=input disabled=yes dst-port=62222,60080,60090 protocol=\
    tcp src-address-list="Ports Scanner Attacks"
/ip firewall mangle
# Disabled. tcp-mss=!0-1700 only matches SYNs advertising an MSS above 1700,
# and 1700 is larger than the tunnel payload anyway, so this rule would not
# prevent tunnel fragmentation; change-tcp-mss=yes on the PPP profile is the
# recommended mechanism.
add action=change-mss chain=forward disabled=yes new-mss=1700 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1700
/ip firewall nat
# srcnat: masquerade per LAN/VPN subnet, with no out-interface match.
# dstnat: the DCOS rule forwards TCP 1-40000 (almost the whole port range)
# of 172.168.188.2 on the public address - narrow it to the ports actually
# served. The rule for udp 1194 has no dst-address, so it matches that port
# on any destination passing through the router. The WoL rule translates to
# a whole /24 (to-addresses=172.168.188.0/24); NOTE(review): confirm this
# produces the intended directed broadcast rather than an arbitrary host in
# the range. The two redirect rules on port 53 have no in-interface match,
# so (with allow-remote-requests=yes) DNS is answered for any source.
add action=masquerade chain=srcnat src-address=172.168.188.0/24
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.100.30.0/24
add action=masquerade chain=srcnat src-address=192.168.40.0/30
add action=masquerade chain=srcnat src-address=192.168.8.0/24
add action=masquerade chain=srcnat src-address=10.1.1.0/24
add action=masquerade chain=srcnat src-address=10.2.1.0/24
add action=dst-nat chain=dstnat comment=DCOS dst-address=213.7.231.xx \
    dst-port=1-40000 protocol=tcp src-port="" to-addresses=172.168.188.2 \
    to-ports=1-40000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=53 \
    protocol=udp to-addresses=172.168.188.2 to-ports=53
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=\
    172.168.188.2 to-ports=1194
add action=dst-nat chain=dstnat comment=NTP dst-address=213.7.231.xx \
    dst-port=123 protocol=udp to-addresses=172.168.188.2 to-ports=123
add action=dst-nat chain=dstnat comment=CCTV dst-address=213.7.231.xx \
    dst-port=65000 protocol=tcp to-addresses=192.100.30.2 to-ports=65000
add action=dst-nat chain=dstnat dst-address=213.7.231.xx dst-port=65090 \
    protocol=tcp to-addresses=192.100.30.2 to-ports=65090
add action=dst-nat chain=dstnat comment=WoL dst-address=213.7.231.xx \
    dst-port=7 protocol=udp to-addresses=172.168.188.0/24 to-ports=7
add action=redirect chain=dstnat comment="DNS Server" dst-port=53 protocol=\
    tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip ipsec identity
# Identity for the site-to-site peer; the export hides the secret, so the
# authentication method is not visible here.
add peer=ipsec-to-adu1.n02
/ip route
# Default via PPPoE with ping check-gateway; LTE backup route (distance 2)
# is disabled.
add check-gateway=ping comment=PPPoE distance=1 gateway=pppoe-ctfiber
add check-gateway=ping comment=LTE-Backup disabled=yes distance=2 gateway=\
    192.168.8.1
/ip service
# Management on non-default ports, limited by address= to the LAN and the
# two VPN pools. Because the input chain accepts new connections from any
# interface, these address= lists are the only control keeping the uplink
# away from ssh/www/winbox/ftp.
set telnet disabled=yes
set ftp address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60021
set www address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60080
set ssh address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=62222
set api disabled=yes
set winbox address=172.168.188.0/24,10.1.1.0/24,10.2.1.0/24 port=60090
set api-ssl disabled=yes
/ppp secret
# Passwords are not present in this export (hidden). adu1n02l2tp and
# adu1hql2tp pin a fixed remote-address so the static DNS names
# adu-1.n02 / adu-1.hq resolve to them.
add name=chrisckr profile=OVPN service=ovpn
add name=hb535l2tp profile=L2TP service=l2tp
add disabled=yes name=ckl2tp profile=L2TP service=l2tp
add name=adu1n02l2tp profile=L2TP remote-address=10.2.1.150 service=l2tp
add name=adu1hql2tp profile=L2TP remote-address=10.2.1.151 service=l2tp
/snmp
# SNMP enabled with v2c traps to the DCOS host and the external monitoring
# host; see the addresses=::/0 note under /snmp community.
set contact=christos322009@hotmail.com enabled=yes location=hq.ckrcontrol.com \
    trap-community=dcos_com_only_ trap-target=172.168.188.2,38.242.199.97 \
    trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=bbhq.ckrcontrol.com
/system logging
add action=email topics=critical
add action=email disabled=yes topics=interface
add action=email topics=firewall
/system ntp client
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=172.168.188.2
/tool e-mail
# Outbound mail via the ckrcontrol.com MX with STARTTLS; the password is
# hidden by the export.
set address=mail.ckrcontrol.com from=r1@ckrcontrol.com port=587 start-tls=yes \
    user=r1@ckrcontrol.com
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=pppoe-ctfiber
/tool graphing resource
add
/tool netwatch
# Both entries are disabled. The first would toggle ether5 on the state of
# 213.7.231.xx at interval=1s; the second emails on up/down with the same
# host at interval=10s.
add disabled=yes down-script="interface set ether5 disable=no" host=\
    213.7.231.xx interval=1s up-script="interface set ether5 disable=yes"
add disabled=yes down-script="tool e-mail send to=christos322009@hotmail.com s\
    ubject=Uplink_from_CPE_DOWN start-tls=yes body=Uplink_from_CPE_is_DOWN" \
    host=213.7.231.xx interval=10s up-script="tool e-mail send to=christos3220\
    09@hotmail.com subject=Uplink_from_CPE_UP start-tls=yes body=Uplink_from_C\
    PE_is_UP"
Client config
# mar/19/2023 22:10:05 by RouterOS 6.49.7
# software id = B8BE-SCNF
#
# model = RB941-2nD
# serial number = D1130FC74BE0
# Review notes (compact export of the n02-side L2TP/IPsec client; defaults
# are omitted by the export). Notes are tied to the lines they precede;
# anything inferred rather than visible is marked NOTE(review).
/interface bridge
add name=br-lan-v100
add name=br-wlan-v10
/interface ethernet
# ether1 is the uplink (192.168.2.0/24 side, default route via 192.168.2.1).
set [ find default-name=ether1 ] comment="Uplink to PTCPE" loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
/interface l2tp-client
# Tunnel to hq (peer address masked as 213.7.231.xx). max-mtu/max-mru=1700
# mirrors the server side; the thread ends with this lowered to 1350 to fit
# the roughly 1370 bytes the WISP path allowed. use-ipsec=yes with the
# secret hidden by the export. NOTE(review): allow-fast-path=yes lets this
# interface use FastPath when nothing else disables it - confirm the mangle
# rules below still see the traffic they are meant to mark.
add allow-fast-path=yes connect-to=213.7.231.xx disabled=no max-mru=1700 \
    max-mtu=1700 name=l2tp-to-bbhq use-ipsec=yes user=adu1n02l2tp
/interface vlan
add interface=ether2 loop-protect=on name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK with group-ciphers/unicast-ciphers=tkip,aes-ccm: TKIP is the
# deprecated WPA1 cipher and, when a client negotiates it, drags the network
# down to that level; aes-ccm alone is the usual choice.
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=wifi-profile supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
    disabled=no frequency=auto mode=ap-bridge security-profile=wifi-profile \
    ssid=CHOME-AP wps-mode=disabled
/interface vlan
add interface=wlan1 loop-protect=on name=vlan10 vlan-id=10
/ip ipsec peer
add address=213.7.231.xx/32 exchange-mode=ike2 name=ipsec-to-hq
/ip ipsec profile
# Same enc/hash as the server; dh-group is left at its default here while
# the server export sets dh-group=modp2048 explicitly - keep the two in
# agreement so IKE negotiation does not depend on the default.
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha512
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip pool
# Local L2TP server pool is 10.10.1.0/24 (the server's pool for this client
# is 10.2.1.0/24, see the /ip service note).
add name=L2TP ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool_v10 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool_v10 disabled=no interface=br-wlan-v10 lease-time=\
    2h name=dhcp-wlan
/ppp profile
# change-tcp-mss=yes on the tunnel profile is the setting recommended in the
# thread: TCP MSS is clamped to the tunnel MTU without a mangle rule.
add change-tcp-mss=yes local-address=10.10.1.1 name=L2TP remote-address=L2TP \
    use-encryption=yes
/snmp community
# Custom community allowed from addresses=::/0 (any source). With the open
# input chain below, scope addresses= to the trap target / management host.
set [ find default=yes ] disabled=yes
add addresses=::/0 name=nnd115ce7nGxkwbQ
/interface bridge port
# interface=*C is an unresolved interface id (a port that no longer exists).
add bridge=br-lan-v100 interface=ether2
add bridge=br-wlan-v10 interface=wlan1
add bridge=br-wlan-v10 interface=vlan10
add bridge=br-lan-v100 interface=*C
add bridge=br-lan-v100 interface=vlan100
/interface l2tp-server server
# No enabled=yes in the export, so the local L2TP server is off; only the
# client tunnel above is in use.
set default-profile=L2TP max-mru=1700 max-mtu=1700 use-ipsec=yes
/ip address
# 192.100.30.0/30 and 172.168.88.0/24 are public address space used as
# private networks here.
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.100.30.1/30 interface=br-lan-v100 network=192.100.30.0
add address=192.168.10.1/24 interface=br-wlan-v10 network=192.168.10.0
add address=172.168.88.1/24 interface=br-lan-v100 network=172.168.88.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
# Same shape as the server: input accepts connection-state=new from any
# interface and the only input drop is for invalid, so the management ports
# under /ip service are protected only by their address= lists. Add a drop
# for in-interface=ether1 after the accepts that are actually needed.
add action=accept chain=forward comment="Allow good forward connections" \
    connection-state=established,related,new
add action=accept chain=input comment="Allow good input connections" \
    connection-state=established,related,new
add action=drop chain=forward comment="Drop invalid forward connections" \
    connection-state=invalid
add action=drop chain=input comment="Drop invalid input connections" \
    connection-state=invalid
/ip firewall mangle
# Policy routing for the tunnel, all disabled at export time. As written the
# first rule only marks connections whose packet arrives in-interface=
# l2tp-to-bbhq, and the second adds routing-mark n02tobbhq to br-lan-v100
# traffic on those connections - so LAN-originated connections are never
# marked and "all traffic via the tunnel" is not achieved by these two rules
# alone (the poster later reports solving it with a mangle rule). The
# change-mss rule has the same 1700 issue as on the server.
add action=mark-connection chain=prerouting connection-state=\
    established,related,new disabled=yes in-interface=l2tp-to-bbhq \
    new-connection-mark=n02tobbhq passthrough=yes
add action=mark-routing chain=prerouting connection-mark=n02tobbhq disabled=\
    yes in-interface=br-lan-v100 new-routing-mark=n02tobbhq passthrough=yes
add action=change-mss chain=forward disabled=yes new-mss=1700 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1700
/ip firewall nat
# Masquerade out the tunnel is disabled. The three dst-nat rules have no
# dst-address or in-interface match, so they rewrite every packet with that
# destination port that crosses the router, whatever its destination
# address (including LAN clients talking to outside hosts on 1161/40011/
# 40080); add dst-address= or in-interface= to pin them to the intended
# entry point.
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-to-bbhq
add action=masquerade chain=srcnat src-address=172.168.88.0/24
add action=masquerade chain=srcnat src-address=192.100.30.0/30
add action=dst-nat chain=dstnat dst-port=1161 protocol=udp to-addresses=\
    192.100.30.2 to-ports=1161
add action=dst-nat chain=dstnat dst-port=40011 protocol=tcp to-addresses=\
    192.100.30.2 to-ports=40011
add action=dst-nat chain=dstnat dst-port=40080 protocol=tcp to-addresses=\
    192.100.30.2 to-ports=40080
/ip ipsec identity
# Secret hidden by the export.
add peer=ipsec-to-hq
/ip route
# Tunnel route is bound to routing-mark n02tobbhq and disabled (see mangle);
# the default route goes via 192.168.2.1 on ether1.
add disabled=yes distance=1 gateway=l2tp-to-bbhq routing-mark=n02tobbhq
add distance=1 gateway=192.168.2.1
/ip route rule
# lookup-only-in-table for both bridges (disabled): once enabled, LAN/WLAN
# traffic consults only table n02tobbhq and does not fall back to main, so
# anything without a route there is dropped.
add action=lookup-only-in-table disabled=yes interface=br-lan-v100 table=\
    n02tobbhq
add action=lookup-only-in-table disabled=yes interface=br-wlan-v10 table=\
    n02tobbhq
/ip service
# Management on non-default ports, limited by address= to the hq public
# address, the local LAN and the hq-side VPN pools (10.1.1.0/24,
# 10.2.1.0/24). The local tunnel pool 10.10.1.0/24 is not listed; as on the
# server, these lists are the only control because the input chain is open.
set telnet disabled=yes
set ftp address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
    10021
set www address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
    10080
set ssh address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 port=\
    10022
set api disabled=yes
set winbox address=213.7.231.xx/32,172.168.88.0/24,10.1.1.0/24,10.2.1.0/24 \
    port=10090
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=adu1hqckrcontrolcom profile=L2TP service=l2tp
/snmp
set contact=admin@csolutionscy.com enabled=yes location=n02 trap-community=\
    nnd115ce7nGxkwbQ trap-target=213.7.231.xx trap-version=2
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=adu-1-n02.ckrcontrol.com
/system logging
add disabled=yes topics=l2tp
/system ntp client
# secondary-ntp=172.168.188.2 is the hq DCOS host; presumably reachable only
# through the tunnel - TODO confirm.
set enabled=yes primary-ntp=213.7.231.xx secondary-ntp=172.168.188.2
 
tdw

Re: Help setting L2TP/IPSec 1700 MTU

Sun Mar 19, 2023 11:19 pm

Why? The standard Ethernet MTU is 1500, and since there is IPsec and L2TP encapsulation overhead it is better to set the MTU to take these into account; otherwise you end up with additional small packet fragments, which is less efficient.

Multiple bridges are usually a bad idea; see https://help.mikrotik.com/docs/display/ ... figuration
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU

Sun Mar 19, 2023 11:25 pm

Why? The standard Ethernet MTU is 1500, and since there is IPsec and L2TP encapsulation overhead it is better to set the MTU to take these into account; otherwise you end up with additional small packet fragments, which is less efficient.

Multiple bridges are usually a bad idea; see https://help.mikrotik.com/docs/display/ ... figuration
I appreciate your time. The multiple bridges were there to create VLANs, but I found out the RB750Gr3 doesn't support VLANs on the switch. I'm probably going to remove them. Regarding the L2TP MTU, whether it is 1500 or 1700, I still can't ping with packets over 1350-1400 bytes. Any idea on that?
 
tdw

Re: Help setting L2TP/IPSec 1700 MTU

Mon Mar 20, 2023 1:43 pm

Possibly fragmented packets are being dropped in transit. Setting the L2TP MTU so that payload + L2TP + IPsec fit in one packet, and using the PPP profile's change-tcp-mss=yes setting without any additional mangle rules, is sufficient; the MTU will be somewhere in the range 1380-1410. The IPsec data length varies depending on the hash algorithm, and there are 0-15 padding bytes because data is encrypted in blocks - optimally the MTU should be set so there is no padding.
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU

Mon Mar 20, 2023 3:58 pm

Should change-tcp-mss be set to "yes" to be able to use the maximum MTU?

Another question: how do I pass all traffic through the L2TP tunnel?

Thanks a lot for your time.
 
tdw

Re: Help setting L2TP/IPSec 1700 MTU

Mon Mar 20, 2023 4:28 pm

Changing the MSS to match the L2TP tunnel MTU prevents fragmentation; note that this is a different fragmentation from the one that occurs if the encapsulated and encrypted L2TP data is larger than the WAN connection supports.

You need policy based routing to specify where traffic should be sent - either routing rules or mangle rules, there are examples in the help pages or by searching the forum.
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU

Mon Mar 20, 2023 4:41 pm

Thanks lots, appreciate it.
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU

Mon Mar 20, 2023 4:45 pm

Changing the MSS to match the L2TP tunnel MTU prevents fragmentation; note that this is a different fragmentation from the one that occurs if the encapsulated and encrypted L2TP data is larger than the WAN connection supports.

You need policy based routing to specify where traffic should be sent - either routing rules or mangle rules, there are examples in the help pages or by searching the forum.
By the way, when routing for example CCTV traffic through the L2TP tunnel, it only works via p2p; connecting via TCP 40011 doesn't work. Any idea on that?
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU

Tue Mar 21, 2023 1:03 am

I have routed the CCTV traffic through the L2TP tunnel; is there any way to port forward through the L2TP tunnel as well?
 
chrisk

Re: Help setting L2TP/IPSec 1700 MTU  [SOLVED]

Tue Mar 28, 2023 11:11 am

I managed to solve both issues. I can access HTTP and any other service via the L2TP tunnel on the server side. After tracing the connection on port 90, I saw TCP Retransmissions and noticed a packet size of 1514 when the WISP was allowing a maximum of 1370. I lowered the L2TP MTU to 1350 and it worked.

Regarding the traffic going through the L2TP tunnel, I created a mangle rule in the firewall.

Thanks again for your time and help @tdw

Please consider this post resolved.
