KiwiBloke
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Jan 27, 2024 10:25 am
Location: New Zealand

L2TP set up... need help seeing Winbox neighbours!

Wed Jun 04, 2025 5:49 am

Hi all,

Long story short, I have set up an L2TP/IPSEC server on my router using my Linux PC as a client. While I'm connected to my home network using Winbox through my VPN I can see my list of neighbours, however when I'm connected to another network with my VPN on I can access the internet fine but Winbox loads no neighbours.

Here's the instructional I followed https://youtu.be/FZpJGFaoFmk?si=Kxg71nqRFuyfuIFt

I have disabled all but ssh & winbox under services.

Below are a couple of screenshots which prove the VPN tunnel is working and the VPN config on my PC.

I've included the PPP config below and I'm picking my problem might be related to the PPP profile where it says "set *FFFFFFFE", this doesn't seem normal? How would I fix this?

I'm hoping someone can help me sort out the final piece of the puzzle. Cheers.

EDIT: I can confirm that I get different public IP addresses using https://whatismyipaddress.com/ when connecting from a cafe WiFi, VPN on and then off. So, further confirmation the tunnel is working, but not enough for Winbox 3 or 4 to display my router in neighbours.
[itechadmin@Home Router AX] > ppp/export   
# 2025-06-04 16:30:10 by RouterOS 7.19.1
# software id = xxxx-xxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxx
/ppp profile
set *FFFFFFFE use-encryption=default
/ppp secret
add local-address=10.10.30.1 name=vpn profile=default-encryption remote-address=10.10.30.2 \
    service=l2tp
Last edited by KiwiBloke on Thu Jun 05, 2025 10:25 am, edited 8 times in total.
 
nichky
Forum Guru
Posts: 1418
Joined: Tue Jun 23, 2015 2:35 pm

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 8:02 am

Basically you are saying, when you are doing VPN from another network, you are not able to see the router on the neighbor list?
 
KiwiBloke

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 8:19 am

> Basically you are saying, when you are doing VPN from another network, you are not able to see the router on the neighbor list?
Correct. Winbox fires up, but my home network doesn't show in the neighbour list. Since I first posted this I've added the PPP profile config to my original post which hopefully gives a clearer picture :D .
 
nichky

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 8:59 am

What is the outcome of:
/interface list export 
/ip neighbor discovery-settings pr

Which WinBox do you use?

FYI: WinBox 4 is much more sensitive compared to WinBox 3.
 
KiwiBloke

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 9:13 am

Thanks for your help so far Nichky.
[itechadmin@Home Router AX] > /interface list export
# model = C52iG-5HaxD2HaxD
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=LTE interface=ether1 list=WAN
add comment=DHCP interface=pppoe-1 list=WAN
add comment=PPPoE interface=DHCP_v10 list=WAN
I've used both versions of Winbox and get the same result.
[itechadmin@Home Router AX] > /interface list export
# model = C52iG-5HaxD2HaxD
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=LTE interface=ether1 list=WAN
add comment=DHCP interface=pppoe-1 list=WAN
add comment=PPPoE interface=DHCP_v10 list=WAN
[itechadmin@Home Router AX] > ip neighbor discovery-settings pr
   discover-interface-list: LAN      
         discover-interval: 30s      
  lldp-med-net-policy-vlan: disabled 
       lldp-mac-phy-config: no       
       lldp-max-frame-size: no       
            lldp-vlan-info: no       
            lldp-poe-power: yes      
                  protocol: cdp      
                            lldp     
                            mndp     
                      mode: tx-and-rx
 
rplant
Long time Member
Posts: 659
Joined: Fri Sep 29, 2017 11:42 am

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 11:45 am

WinBox requires layer 2 for discovery.
L2TP can do layer 2, but it usually isn't set up that way.

You could perhaps use RoMON. Set up RoMON on the remote routers and connect via RoMON to one of the routers' IP addresses and you should see and be able to connect to the other routers with RoMON enabled (and the same RoMON secret).
 
KiwiBloke

Re: L2TP set up... need help with Winbox!

Wed Jun 04, 2025 11:56 am

> WinBox requires layer 2 for discovery.
> L2TP can do layer 2, but it usually isn't set up that way.
>
> You could perhaps use RoMON. Set up RoMON on the remote routers and connect via RoMON to one of the routers' IP addresses and you should see and be able to connect to the other routers with RoMON enabled (and the same RoMON secret).
Thanks for this. RoMon has always been enabled on my home router (which I'm trying to connect to remotely) as I use it to connect to my LTE passthrough device.

I once had this working a couple of years back, but on a different router. It worked a treat. I feel I'm so close to getting it working again, I'm just missing something - probably simple, just can't think for the life of me what.

If I can connect remotely to my home router and even surf the internet, that shows me I'm almost there. Just need to be able to access Winbox neighbours and all will be complete.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 1:02 am

bump...
 
rplant

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 3:31 am

This assumes a somewhat near-default firewall config on the MikroTik.

From the Linux client, can you ping 10.10.30.1 (i.e. the MikroTik) when connected via the VPN?

When this is working:

On the MikroTik I would

- Copy the default-encryption profile.
- On the newly created profile, set the Address-List value to be LAN.
- Change the profile used by the ppp secret to be the new profile.

With luck, when you now connect through the VPN you should be able to log in to the MikroTik using WinBox
via IP address 10.10.30.1.
You can also connect to RoMON via 10.10.30.1 and see any other RoMON MikroTiks on your network.
 
Amm0
Forum Guru
Posts: 4963
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 3:38 am

Small correction here:
> WinBox requires layer 2 for discovery.
Not quite. WinBox uses MNDP discovery. And MNDP is a Layer 3 UDP broadcast packet (255.255.255.255), so it's broadcast support you need for WinBox Neighbors. Now Layer 2 access would always get you UDP broadcast, so that part is right. And to be clear, RoMON and its discovery does require Layer 2.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 10:34 am

> This assumes a somewhat near-default firewall config on the MikroTik.
>
> From the Linux client, can you ping 10.10.30.1 (i.e. the MikroTik) when connected via the VPN?
>
> When this is working:
>
> On the MikroTik I would
>
> - Copy the default-encryption profile.
> - On the newly created profile, set the Address-List value to be LAN.
> - Change the profile used by the ppp secret to be the new profile.
>
> With luck, when you now connect through the VPN you should be able to log in to the MikroTik using WinBox
> via IP address 10.10.30.1.
> You can also connect to RoMON via 10.10.30.1 and see any other RoMON MikroTiks on your network.
Thank you. This works now when I VPN into the home router from home. I'll give it a go tomorrow when I can connect through another network and report back.

Here's the ping report from my laptop...
~$ ping 10.10.30.1
PING 10.10.30.1 (10.10.30.1) 56(84) bytes of data.
64 bytes from 10.10.30.1: icmp_seq=1 ttl=64 time=6.16 ms
64 bytes from 10.10.30.1: icmp_seq=2 ttl=64 time=2.99 ms
64 bytes from 10.10.30.1: icmp_seq=3 ttl=64 time=6.29 ms
64 bytes from 10.10.30.1: icmp_seq=4 ttl=64 time=2.97 ms
64 bytes from 10.10.30.1: icmp_seq=5 ttl=64 time=13.0 ms
64 bytes from 10.10.30.1: icmp_seq=6 ttl=64 time=3.02 ms
^[64 bytes from 10.10.30.1: icmp_seq=7 ttl=64 time=6.29 ms
64 bytes from 10.10.30.1: icmp_seq=8 ttl=64 time=3.02 ms
64 bytes from 10.10.30.1: icmp_seq=9 ttl=64 time=2.59 ms
^C
--- 10.10.30.1 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8012ms
rtt min/avg/max/mdev = 2.585/5.148/13.007/3.169 ms
~$ 
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 1:13 pm

OK, so I just used my wife's mobile phone to hotspot and while I still couldn't load neighbours in Winbox via my home VPN, I did manage to ping both 10.10.30.1 and my home router gateway, 192.168.88.1, as in the pic below.

Still a mystery why my home network doesn't show up in neighbours when using my VPN away from home.
 
Amm0

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 05, 2025 4:07 pm

I have not tested this in a while and am not an expert on L2TP... But I don't think the broadcast packets (255.255.255.255) needed for neighbors are received by the client OS when using L2TP. And I'm not 100% sure MNDP broadcasts are even allowed over L2TP for sending.
 
rplant

Re: L2TP set up... need help seeing Winbox neighbours!

Sat Jun 07, 2025 2:00 pm

You can save a bunch of IP addresses, notes and optionally passwords in WinBox.
So you could save all your routers there.
You can also log in via RoMON to the L2TP server IP address and see all the RoMON-configured devices.

Another option might be to use an L2TPv3 VPN set up as a virtual wire (ethernet cable).
Though I think this is likely a good way to hurt the VPN performance.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Sun Jun 08, 2025 4:12 am

Just for clarity, this is the problem I'm having when trying to connect to my home router using my VPN from another network (cafe, public WiFi, etc...)
Screenshot from 2025-06-07 13-02-12.png
No neighbours are present, inc. my home router. I have tried saving my home router in the saved list, but that doesn't do anything when activated either. It just says connecting, then times out. I can ping my home gateway when on another network, but I can't gain access to my router through Winbox (3 or 4).

None of this is a problem when I'm on my home network using the same VPN, or with the VPN off, as expected.

I'm really sorry if this has caused any confusion.

Cheers.
 
Amm0

Re: L2TP set up... need help seeing Winbox neighbours!

Sun Jun 08, 2025 5:55 am

If you saved them... then you need to change the view in WinBox4 to "Saved" in the dropdown near top center that says "Select From" (i.e. so it does NOT say Neighbors).

The Neighbors view listens for UDP broadcasts to 255.255.255.255, which [AFAIK] you're not going to have with L2TP.
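
The point made in this thread, that WinBox's Neighbors list depends on MNDP UDP broadcasts to 255.255.255.255 reaching the client, can be checked from the Linux laptop with a passive listener. This is an added example, not part of any post; UDP port 5678 and the TLV layout follow Wireshark's MNDP dissector and are assumptions not stated in the thread, and `SAMPLE` is a constructed datagram.

```python
import socket
import struct
import time

MNDP_PORT = 5678  # MNDP's UDP port (assumption: not stated in the thread)
# TLV numbering as used by Wireshark's MNDP dissector (assumption, not from the thread)
TLV_NAMES = {1: "mac", 5: "identity", 7: "version", 8: "platform", 10: "uptime_s",
             11: "software_id", 12: "board", 16: "interface", 17: "ipv4"}


def parse_mndp(data: bytes) -> dict:
    """Decode one MNDP datagram: 2 header bytes, 2-byte sequence number, then TLVs."""
    if len(data) < 4:
        raise ValueError("datagram too short for an MNDP header")
    fields = {"seq": struct.unpack_from("!H", data, 2)[0]}
    off = 4
    while off + 4 <= len(data):
        tlv_type, tlv_len = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError(f"TLV {tlv_type} is truncated")
        off += 4 + tlv_len
        name = TLV_NAMES.get(tlv_type)
        if name == "mac":
            fields[name] = value.hex(":")
        elif name == "ipv4" and tlv_len == 4:
            fields[name] = socket.inet_ntoa(value)
        elif name == "uptime_s":
            fields[name] = int.from_bytes(value, "little")
        elif name:
            fields[name] = value.decode("utf-8", "replace")
    return fields


def listen(seconds: float = 65.0) -> list:
    """Passively collect MNDP announcements that actually reach this host."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", MNDP_PORT))
        deadline = time.monotonic() + seconds
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data, (src, _port) = sock.recvfrom(2048)
                seen.append((src, parse_mndp(data)))
            except socket.timeout:
                break
            except ValueError:
                continue  # not a well-formed MNDP datagram
    return seen


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, len(value)) + value


# Constructed sample datagram (not captured from a real router)
SAMPLE = (b"\x00\x00\x00\x07" + _tlv(1, bytes.fromhex("02005e105555"))
          + _tlv(5, b"Home Router AX") + _tlv(7, b"7.19.1")
          + _tlv(10, (3600).to_bytes(4, "little")) + _tlv(16, b"bridge")
          + _tlv(17, socket.inet_aton("10.10.30.1")))

if __name__ == "__main__":
    print("sample:", parse_mndp(SAMPLE))
    for src, info in listen():
        print(src, info)
```

Run it with WinBox closed, once on the home LAN and once over the VPN from another network. The default 65 seconds covers two of the 30s discover-interval periods shown in the router output above, so an empty list over the tunnel means the announcements are not arriving even though ping works.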
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Sun Jun 08, 2025 6:54 am

> If you saved them... then you need to change the view in WinBox4 to "Saved" in the dropdown near top center that says "Select From" (i.e. so it does NOT say Neighbors).
I understand that and tried it and found that doesn't work either. Like I said, it hangs on connecting and then times out.
> The Neighbors view listens for UDP broadcasts to 255.255.255.255, which [AFAIK] you're not going to have with L2TP.
The thing is though, it has worked on a previous MT router using L2TP.

Thanks for helping though. Much appreciated.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Sun Jun 08, 2025 7:12 am

To add further intrigue, I can't ssh in either using terminal on my Linux laptop using an external network and my VPN. It hangs before requesting my user pw. I can still ping the router fine though from the Linux laptop terminal.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Wed Jun 11, 2025 2:23 am

I managed to lay my hands on the router where the config worked previously and have extracted the relevant config below. Hopefully I haven't missed anything.

It doesn't work still on either router, but I think that might have something to do with the part of the /ppp profile where it resolves "set *FFFFFFFE".
It makes no sense for the config to repeat the local address or remote address unless the set value actually means something. I'm hoping if this part can be resolved it'll be game over.

Any further help resolving this would be very much appreciated.
/ip pool 
add name=vpn ranges=10.10.30.2-10.10.30.254
/ppp profile
add dns-server=1.1.1.1 local-address=10.10.30.1 name=vpn remote-address=vpn \
    use-encryption=yes
set *FFFFFFFE local-address=10.10.30.1 remote-address=vpn
/ip neighbor discovery-settings 
set discover-interface-list=all
/interface l2tp-server server 
set default-profile=vpn enabled=yes ipsec-secret=xxxx \
    one-session-per-host=yes use-ipsec=yes
/ip cloud 
set ddns-enabled=yes
/ip cloud advanced 
set use-local-address=yes
/ip firewall filter 
add action=accept chain=input comment="allow remote connection for Winbox" \
    dst-port=8291 protocol=tcp src-address-list=Management
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    10.10.30.0/24
/ip firewall address-list
add address=12345678.sn.mynetname.net list=Management
/ip ipsec profile 
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ppp secret 
add name=vpn password=xxxx profile=vpn service=l2tp
Last edited by KiwiBloke on Wed Jun 11, 2025 5:52 am, edited 1 time in total.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Wed Jun 11, 2025 3:01 am

Edit: So after a bit of googling, I changed "set *FFFFFFFE" to
set vpn local-address=10.10.30.1 remote-address=vpn
This changed the config on the new router to:
name="vpn" local-address=10.10.30.1 remote-address=vpn bridge-learning=default use-ipv6=yes 
     use-mpls=default use-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=default use-upnp=default address-list="" dns-server=1.1.1.1 on-up="" 
     on-down="" 
But I now can't get the VPN connection to work using my laptop on my home connection. Weird.

EDIT: Just tried to get access from outside the network and no go there either.

Where am I going wrong?? It shouldn't be this difficult!
 
rplant

Re: L2TP set up... need help seeing Winbox neighbours!

Wed Jun 11, 2025 2:02 pm

Hi,

I would recommend you seriously consider WireGuard instead of L2TP.
L2TP has too many ifs and buts. (as it seems, do lots of things using IPsec)
It is quite easy to set it up wrongly with no encryption.
It usually doesn't like NATted servers if using PSK encryption/authentication, etc.

With WireGuard you still won't get a list of WinBox neighbours. (They are not your neighbours on the local LAN network, they are at the other end of the VPN.)
But as mentioned earlier, you can put the remote devices into the saved/managed device list.
(Incl. passwords, with a master password option)

An alternative to this is (AFTER you get WireGuard working well):
You could maybe connect an EoIP tunnel over the WireGuard link and bridge it onto your local network, or have it
as a second (virtual) network interface.
Though this seems like a bad idea.

WireGuard:

https://help.mikrotik.com/docs/spaces/R ... /WireGuard

With WireGuard:
1. Give the WireGuard interface an IP address and range.
e.g. 10.10.30.1/24 on the MikroTik and 10.10.30.2/24 at the other end.

2. WireGuard peers.
The MikroTik would have an allowed IP address range of 10.10.30.2, and also any other IP address ranges to be accessible via the client.
(Likely only the 10.10.30.2 address)

Your client would have an allowed IP address range of 10.10.30.1 and any other IP address ranges you want to access at
the MikroTik end.

3. You also need to add routes into the routing table of your client for the IP address ranges you want to access via the MikroTik.
(Though this route addition is likely done on the client automatically by WireGuard itself, when it is enabled)

3a. The MikroTik also needs routes added, if it needs to connect to IP ranges other than the 10.10.30.2 on your client.
(If required these need to be added manually)

4. On the MikroTik you need a firewall rule to allow remote input on the configured WireGuard port.

5. On the MikroTik make the WireGuard interface a member of the LAN interface list.

This should be close.
 
KiwiBloke

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 12, 2025 1:02 am

Thanks for your input, it's been very much appreciated.

Having just tried what you have suggested, and failed, and with other unresolved issues with my MT devices, I think it's time to move on to another vendor whose sole aim in business is NOT to make life as difficult as possible for its customers.

Thanks again.
 
rplant

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 12, 2025 11:16 am

Perhaps you could post your full MikroTik configuration,
with public IPs, serial numbers, usernames/passwords, etc. redacted.

A network outline diagram is also handy.

And see what can be made of it.
@Anav is usually very good at this.
 
Amm0

Re: L2TP set up... need help seeing Winbox neighbours!

Thu Jun 12, 2025 5:28 pm

> I think it's time to move on to another vendor whose sole aim in business is NOT to make life as difficult as possible for its customers.
While I'm quick to complain myself too... I do think it's IPsec more generally that's tricky on ANY platform.

Since the complaint was about neighbors not showing up, which is something not every router does (and few/none provide local Layer 2/MAC-level) – and something MikroTik does well IMO... Another approach would be enabling RoMON, so you can connect to one router with its IP (and use "Connect to RoMON" instead), and then any RoMON neighbors will show up (i.e. other routers behind/connected to the first router, WITH RoMON enabled in /tool/romon on any router you want showing up as a "RoMON Neighbor" in the WinBox login).

And 100% on an "@anav config review", but that does take some configuration posted. And generally speaking, posting some config here makes quicker work of the problem (and often identifies others too).