
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

User:TomJepp/RouterOS L2TP: Difference between revisions

# Devices will be connected to ether2, ether3, ether4 and ether5, which we will bridge together. The PC being used for configuration should be connected to one of these four ports.
# Make sure you know what IP address ranges your existing network uses - you will need to pick an IPv4 subnet that does not overlap. This guide will assume the typical Mikrotik default of 192.168.88.0/24.
# Some users of the L2TP service have a small subnet of public IPv4 addresses routed - such as a /29 or a /28. There is an appendix at the end for this.
 
== Getting started ==
# Change to the '''Ports''' tab, and add a new port using '''+'''.
# For '''Interface''', select "ether2". For '''Bridge''' select your new "bridge-l2tp-lan" bridge. Save the port using '''OK'''.
# Repeat the last two steps for "ether3", "ether4", and "ether5".
 
When you add the port that your PC is connected to, you might get disconnected from WinBox. That's normal - you should be able to reconnect after a few seconds.
# Click '''Enable'''.
# Change to the '''Status''' tab, and you should see your L2TP tunnel connect. You should see your assigned IPv4 address in the '''Local Address''' field, and "81.187.81.187" in '''Remote Address'''.
 
== Using a public IPv4 block ==
Some A&A customers have a block of public IPs allocated to their L2TP service. This can also be configured with RouterOS.
 
For this, we'll use "ether4" and "ether5" to create a separate bridge for the public IPs. We'll allow *all* traffic to these IPs, so it is important for you to have firewalls enabled & configured on each device you connect.
 
In our example, we'll use 198.51.100.56/29. You should find the range allocated to you in A&A's control pages.
 
=== Allocating an extra IPv6 subnet ===
You should allocate a second /64 subnet of IPv6 addresses to go with the public IPv4 block. This can be done in the control pages for your line:
# In the '''IP addresses''' section, click '''Add /64'''.
# In the new page that loads, make a note of the new subnet that is allocated. In my example, it is 2001:8b0:db8:acb2::/64.
# Tick the right checkbox for '''IP Routing''' so this subnet is sent to your L2TP service. If your username for L2TP is "example@a.1" for example, that's the checkbox labelled '''1'''. If your username for L2TP is "example@a.2", it would be the checkbox labelled '''2'''.
# Click '''OK''' to save.
Changes to IP routing only apply when you disconnect and reconnect your L2TP service. You can do this by going to '''Interfaces''' in the WinBox menu, double clicking on the "l2tp-aaisp" interface, then click '''Disable''', wait a few seconds, and click '''Enable'''. Then click '''OK''' to save.
 
=== Setting up the new bridge ===
First, we'll need to remove the "ether4" and "ether5" ports from the existing bridge:
# Open '''Bridge''' from the WinBox menu.
# Go to the '''Ports''' tab.
# Select "ether4", and delete it with the '''-''' button.
# Select "ether5", and delete it with the '''-''' button.
# Go to the '''Bridge''' tab.
# Click '''+''' to create a second bridge.
# Set an appropriate '''Name'''. I named mine "bridge-l2tp-public".
# Save the new bridge with '''OK'''.
# Change to the '''Ports''' tab, and add a new port using '''+'''.
# For '''Interface''', select "ether4". For '''Bridge''' select your new "bridge-l2tp-public" bridge. Save the port using '''OK'''.
# Repeat the last two steps for "ether5".
 
==== IPv4 address ====
 
First, find the IP range assigned to you in the control pages. In our example it is 198.51.100.56/29.
 
A /29 is made up of 8 IP addresses, of which 6 are usable: the first address (the network address, 198.51.100.56 here) and the last (the broadcast address, 198.51.100.63) cannot be assigned to a device. The usable range for our example /29 is therefore 198.51.100.57 to 198.51.100.62. If you're not sure for your range, use a CIDR calculator such as https://cidr.xyz/.
 
We will use the first IP in the block as our router's IP - so for our example, 198.51.100.57. The rest of the usable IPs (198.51.100.58-198.51.100.62) can be assigned by you to any device you wish to connect. You'll use the router's IP as the gateway for any device you configure.
 
To set up the IPv4 address:
 
# From the WinBox menu, open '''IP, Addresses''', and click '''+''' to create a new IP address.
# For '''Address''', set "198.51.100.57/29". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-public".
# Save the address with '''OK'''.
 
==== IPv6 address ====
 
Find the second IPv6 subnet you allocated earlier - for our example it is 2001:8b0:db8:acb2::/64. We will use an address ending in ::1 in this subnet for our router's IPv6 address. For our example, it will be: 2001:8b0:db8:acb2::1/64.
 
To set up the IPv6 address:
 
# From the WinBox menu, open '''IPv6, Addresses''', and click '''+''' to create a new IP address.
# For '''Address''', set "2001:8b0:db8:acb2::1/64". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-public".
# Save the address with '''OK'''.
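The address arithmetic in the two sections above (first usable IPv4 for the router, the rest for devices, ::1 of the second /64 for IPv6) can be checked without a web CIDR calculator, and the same WinBox steps have a CLI equivalent. The script below is an added example and is not part of the original page or A&A's own tooling; it assumes the bridge and interface names used in this guide ("bridge-l2tp-public", "ether4", "ether5") and works for any block size from /30 up, so it also covers the /28 mentioned at the top of the page. Passing a host address such as 198.51.100.57/29 instead of the block from the control pages is rejected rather than silently misread.

```python
"""Plan the addressing for an A&A public block and emit the RouterOS CLI
equivalent of the WinBox steps in this section.

Added example, not from the original page. Bridge and port names are the
guide's examples; change them if yours differ.
"""
import ipaddress

# Constructed sample input, matching the examples used in the guide.
EXAMPLE_V4_BLOCK = "198.51.100.56/29"
EXAMPLE_V6_BLOCK = "2001:8b0:db8:acb2::/64"


def plan_public_block(v4_block, v6_block, bridge="bridge-l2tp-public"):
    """Return router address, device range and gateway for the allocated blocks.

    strict=True makes ip_network() raise ValueError if the string is a host
    address (e.g. 198.51.100.57/29) rather than the block itself.
    """
    v4 = ipaddress.ip_network(v4_block, strict=True)
    v6 = ipaddress.ip_network(v6_block, strict=True)
    if v4.prefixlen > 30:
        raise ValueError("IPv4 block too small for a router plus devices")
    if v6.prefixlen != 64:
        raise ValueError("expected a /64 as allocated by the control pages")

    hosts = list(v4.hosts())            # excludes network and broadcast addresses
    router_v4 = hosts[0]                # first usable IP is the router
    device_first, device_last = hosts[1], hosts[-1]
    router_v6 = v6.network_address + 1  # the ::1 address in the allocated /64

    return {
        "bridge": bridge,
        "router_v4": f"{router_v4}/{v4.prefixlen}",
        "gateway_v4": str(router_v4),   # devices use the router as their gateway
        "devices_v4": (str(device_first), str(device_last)),
        "device_count": len(hosts) - 1,
        "router_v6": f"{router_v6}/{v6.prefixlen}",
    }


def routeros_commands(plan, ports=("ether4", "ether5")):
    """RouterOS CLI lines equivalent to the WinBox steps above.

    Order matters: the ports must leave the LAN bridge before they can be
    added to the new one, and the new bridge must exist before it gets ports
    or addresses.
    """
    bridge = plan["bridge"]
    lines = []
    for port in ports:
        lines.append(f"/interface bridge port remove [find interface={port}]")
    lines.append(f"/interface bridge add name={bridge}")
    for port in ports:
        lines.append(f"/interface bridge port add bridge={bridge} interface={port}")
    # Network is left blank in WinBox; RouterOS derives it from the prefix.
    lines.append(f"/ip address add address={plan['router_v4']} interface={bridge}")
    lines.append(f"/ipv6 address add address={plan['router_v6']} interface={bridge}")
    return lines


if __name__ == "__main__":
    plan = plan_public_block(EXAMPLE_V4_BLOCK, EXAMPLE_V6_BLOCK)
    first, last = plan["devices_v4"]
    print(f"Router: {plan['router_v4']} and {plan['router_v6']}")
    print(f"Devices: {first} to {last} ({plan['device_count']} addresses), "
          f"gateway {plan['gateway_v4']}")
    print("\n".join(routeros_commands(plan)))
```

The emitted commands configure addressing only; as the note at the start of this section says, nothing on the router filters traffic to the public block, so each device behind "bridge-l2tp-public" still needs its own firewall.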
 
=== Firewall ===
 
==== IPv4 firewall ====
==== IPv6 firewall ====
 
== CLI config example ==
This config example is more useful for RouterOS experts:
 
=== Base configuration ===
<pre>
/interface bridge
/system routerboard settings
set auto-upgrade=yes
</pre>
 
=== With a block of IPv4 IPs ===
<pre>
</pre>