User:TomJepp/RouterOS L2TP

From AAISP Support Site

Revision as of 00:14, 12 November 2024

This guide was written by the A&A community.

If you get stuck, feel free to ask for help on A&A's IRC channel: https://www.aa.net.uk/etc/contact/#irc

TODO

  • v4 blocks?
  • DHCPv6-PD? It works but it won't be nice for multiple v6 blocks
  • statically configured v6?

Before you start

  1. Make sure you have a device running reasonably up to date RouterOS. This guide was written and tested using 7.16.1 on a hAP ax2, but it should also work well with other affordable Mikrotik routers - such as the hAP ac2, the hEX, or the hEX Refresh.
  2. This guide assumes that ether1 is connected to your existing internet connection, and that DHCP will be used to get an IP address. Devices will be connected to ether2, ether3, ether4 and ether5, which we will bridge together. The PC being used for configuration should be connected to one of these four ports.
  3. Make sure you know the account details A&A provided for the L2TP connection, and check which IP addresses you have been assigned. This guide will assume you have 1x IPv4 address assigned (198.51.100.127) and a /48 IPv6 block (2001:8b0:db8::/48).
  4. Make sure you know what IP address ranges your existing network uses - you will need to pick an IPv4 subnet that does not overlap. This guide will assume the typical Mikrotik default of 192.168.88.0/24.
  5. This guide assumes you start from a freshly factory reset router without any default configuration.
  6. If you are less familiar with RouterOS, I recommend using WinBox to set up your router. You can grab the latest version from https://mikrotik.com/download; this guide was written and tested with v3.41.
  7. The RouterOS documentation is available at https://help.mikrotik.com/docs/

Getting started

If you're using a freshly reset router, the first thing you'll be prompted to do once you're connected to your router is to set a password. This is a very important step for security and you should not skip it! You may also wish to set up a new admin user under System, Users.

Network interface setup

WAN port

ether1 will be our upstream connection - plug this into your existing router. We will use DHCP to get an IP address, but you can configure a static IP here if you prefer.

  1. For ether1, we will set up a DHCP client. In the WinBox menu, open IP, DHCP Client, and add a new client using +.
  2. Select the "ether1" interface in the DHCP tab, make sure Use Peer DNS is ticked, and Add Default Route should be set to "yes".
  3. In the Advanced tab, set the Default Route Distance to "255". This is important: RouterOS prefers the default route with the lowest distance, so this ensures the default route added by the L2TP connection later (distance 1) is used in preference to this one.
  4. Save the new DHCP client using Apply. Use the Status tab to check that you received an IP address, then click OK to close the window.

LAN ports

We will bridge together ether2, ether3, ether4, and ether5 using a Bridge interface. These will be the ports that you can connect devices to.

  1. Open Bridge from the WinBox menu, make sure the Bridge tab is selected and add a new bridge using +.
  2. Name the bridge something descriptive - I recommend "bridge-l2tp-lan". Leave all the other settings as their defaults, and save the bridge using OK.
  3. Change to the Ports tab, and add a new port using +.
  4. For Interface, select "ether2". For Bridge select your new "bridge-l2tp-lan" bridge. Save the port using OK.
  5. Repeat the last step for "ether3", "ether4", and "ether5".

When you add the port that your PC is connected to, you might get disconnected from WinBox. That's normal - you should be able to reconnect after a few seconds.

Now the bridge is configured, we'll set up an IP address, DNS, and DHCP server:

  1. From the WinBox menu, open IP, Addresses, and click + to create a new IP address.
  2. For Address, set "192.168.88.1/24". Leave Network blank, and set Interface to "bridge-l2tp-lan".
  3. Save the address with OK.
  4. Now open IP, DNS from the WinBox menu and tick Allow Remote Requests. Save this with OK.
  5. Open IP, DHCP Server from the WinBox menu and click DHCP Setup.
  6. For DHCP Server Interface, select "bridge-l2tp-lan" and click Next.
  7. For DHCP Address Space, the default of "192.168.88.0/24" should be fine. Click Next.
  8. For Gateway for DHCP Network, the default of "192.168.88.1" should also be fine. Click Next.
  9. For Addresses to Give out, the default of "192.168.88.2-192.168.88.254" should be fine, but feel free to change it if you prefer a smaller DHCP address pool. Click Next.
  10. For DNS Servers, replace the default value with "192.168.88.1". Click Next.
  11. For Lease time, the default of "00:30:00" (30 minutes) should be fine. Click Next.

You should now have a DHCP server on your bridged ports that issues IPs in the 192.168.88.0/24 range.
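The WAN and LAN setup above, as an added example in RouterOS terminal syntax rather than WinBox clicks (this is not from the original page; paste it into a terminal session on a freshly reset router). It assumes the interface names, bridge name and 192.168.88.0/24 range used in this guide; the pool and server name "dhcp-lan" is my own choice.

```routeros
# WAN: DHCP client on ether1. Distance 255 keeps this default route
# below the L2TP one (distance 1) that is added later in the guide.
/ip dhcp-client
add interface=ether1 use-peer-dns=yes add-default-route=yes \
    default-route-distance=255 disabled=no

# LAN: bridge ether2 to ether5 together
/interface bridge
add name=bridge-l2tp-lan
/interface bridge port
add bridge=bridge-l2tp-lan interface=ether2
add bridge=bridge-l2tp-lan interface=ether3
add bridge=bridge-l2tp-lan interface=ether4
add bridge=bridge-l2tp-lan interface=ether5

# Router address on the LAN, and DNS forwarding for LAN clients
/ip address
add address=192.168.88.1/24 interface=bridge-l2tp-lan
/ip dns
set allow-remote-requests=yes

# DHCP server on the bridge: pool, server, and the network it hands out
# (gateway and DNS both point at the router itself)
/ip pool
add name=dhcp-lan ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add name=dhcp-lan interface=bridge-l2tp-lan address-pool=dhcp-lan \
    lease-time=30m disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Check: the DHCP client on ether1 should show status "bound" with an address
/ip dhcp-client print detail
```

One thing to keep in mind: allow-remote-requests=yes turns the router into a DNS resolver for any host that can reach it, including from the tunnel side once it is up. The input-chain drop rule added in the Firewall section is what stops it being an open resolver, which is another reason to leave the L2TP interface disabled until the firewall is in place.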

L2TP tunnel

We will now create the L2TP tunnel that we'll use to connect to A&A's L2TP server. We'll leave it disabled until after we've set up the Firewall, so we don't expose our router to the internet until we're finished configuring it.

  1. From the WinBox menu, open Interfaces, and use the + button to add a new "L2TP Client".
  2. In the General tab, set an appropriate Name. I recommend "l2tp-aaisp".
  3. Set the Max MTU and Max MRU values. If you're connecting via another wired ISP you can usually leave these at the default of "1450". If you are connecting via a mobile broadband service you may need to reduce this - on a 3 mobile broadband SIM I use a MTU and MRU of "1340".
  4. In the Dial Out tab:
    1. Set Connect To to "l2tp.aa.net.uk".
    2. User: your A&A provided L2TP username, such as "example@a.1"
    3. Password: your A&A provided L2TP password.
    4. Profile: set to "default", not "default-encryption". A&A's L2TP service does not provide an encrypted tunnel, so do not expect confidentiality from it: the tunnel is a plain transport to A&A, like a normal ISP link, not a VPN.
    5. Use Peer DNS: set to "exclusively".
    6. Tick Add Default Route, and set Default Route Distance to 1. This ensures the route inside the L2TP tunnel is preferred to the one we configured earlier on ether1.
  5. In the Advanced tab, set L2TP Protocol Version to "l2tpv2".
  6. Save the L2TP interface settings with Apply.
  7. Click Disable to disable the L2TP interface until we've set up the firewall.
  8. Close the L2TP interface settings with OK.
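The same L2TP client, as an added example in RouterOS terminal syntax (not from the original page). The username and password are placeholders to replace with your A&A credentials; the remaining values are the ones the guide uses, and the interface is created disabled, matching the WinBox steps.

```routeros
# L2TP client to A&A, created disabled so the router is not reachable from
# the internet before the firewall exists. "default" profile: A&A's L2TP
# service is unencrypted, so a profile that insists on encryption is wrong here.
/interface l2tp-client
add name=l2tp-aaisp connect-to=l2tp.aa.net.uk \
    user="example@a.1" password="CHANGEME" \
    profile=default l2tp-proto-version=l2tpv2 \
    max-mtu=1450 max-mru=1450 \
    use-peer-dns=exclusively \
    add-default-route=yes default-route-distance=1 \
    disabled=yes

# Check: the interface exists and is still disabled (X flag) before moving on
/interface l2tp-client print
```

The L2TP password is stored on the router, so treat backup files, and any configuration export that includes sensitive values, as secrets when you share them for troubleshooting.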

Firewall

We will set up a simple firewall for IPv4 and IPv6 that does the following:

  1. allows ICMP traffic to the router
  2. allows all traffic from the bridged LAN ports to the router
  3. allows all traffic from the router to the internet (the output chain is left unfiltered)
  4. allows all traffic from the LAN to the internet via the L2TP service, and the replies to it (established and related connections)
  5. blocks all remaining traffic, in particular anything unsolicited arriving from the internet via the tunnel

RouterOS evaluates firewall rules top to bottom and the first matching rule wins, so add the rules in the order given below: the final "drop" rule in each chain must stay last.

We will also set up two extra rules:

  1. a source NAT rule so that IPv4 traffic that is sent via the L2TP service is NAT'd to the external IP A&A provided.
  2. a mangle rule to clamp MSS to path MTU - the tunnel has a smaller MTU than a normal Ethernet link, and without this TCP connections that send large packets can stall (HTTPS sites that hang are the classic symptom).

IPv4 firewall

  1. Go to IP, Firewall and select the Filter Rules tab.
  2. Add a new rule using the + button. Set the following fields:
    1. For General, Chain, select "input".
    2. For General, Protocol, select "icmp".
    3. For Action, Action, select "accept".
    4. Use the Comment button to add a comment saying "input: allow all ICMP".
    5. Save the rule with OK.
  3. Add a new rule:
    1. General, Chain: "input"
    2. General, In. Interface: "bridge-l2tp-lan"
    3. Action, Action: "accept"
    4. Comment: "input: allow all from L2TP LAN"
    5. Save the rule with OK.
  4. Add a new rule:
    1. General, Chain: "forward"
    2. General, In. Interface: "bridge-l2tp-lan"
    3. Action, Action: "accept"
    4. Comment: "forward: allow all from L2TP LAN"
    5. Save the rule with OK.
  5. Add a new rule:
    1. General, Chain: "input"
    2. General, Connection State: tick "established" and "related"
    3. Action, Action: "accept"
    4. Comment: "input: allow established & related traffic"
    5. Save the rule with OK
  6. Add a new rule:
    1. General, Chain: "forward"
    2. General, Connection State: tick "established" and "related"
    3. Action, Action: "accept"
    4. Comment: "forward: allow established & related traffic"
    5. Save the rule with OK.
  7. Add a new rule:
    1. General, Chain: "input"
    2. Action, Action: "drop"
    3. Comment: "input: drop all remaining traffic"
    4. Save the rule with OK
  8. Add a new rule:
    1. General, Chain: "forward"
    2. Action, Action: "drop"
    3. Comment: "forward: drop all remaining traffic"
    4. Save the rule with OK.
  9. Go to the NAT tab, and add a new rule with +:
    1. General, Chain: "srcnat"
    2. General, Src. Address: "192.168.88.0/24"
    3. General, Out. Interface: "l2tp-aaisp"
    4. Action, Action: "masquerade"
    5. Comment: "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address"
    6. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.
  10. Go to the Mangle tab, and add a new rule with +:
    1. General, Chain: "forward"
    2. General, Protocol: "tcp"
    3. General, Out. Interface: "l2tp-aaisp"
    4. Advanced, TCP Flags: select "syn"
    5. Action, Action: "change MSS"
    6. Action, New TCP MSS: "clamp to pmtu"
    7. Comment: "TCP: clamp MSS to PMTU"
    8. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.

IPv6 firewall

  1. Go to IPv6, Firewall and select the Filter Rules tab.
  2. Add a new rule:
    1. General, Chain: "input".
    2. General, Protocol: "icmpv6".
    3. Action, Action: "accept".
    4. Comment: "input: allow all ICMP"
    5. Save the rule with OK.
  3. Add a new rule:
    1. General, Chain: "forward".
    2. General, Protocol: "icmpv6".
    3. Action, Action: "accept".
    4. Comment: "forward: allow all ICMP"
    5. Save the rule with OK.
  4. Add a new rule:
    1. General, Chain: "input"
    2. General, In. Interface: "bridge-l2tp-lan"
    3. Action, Action: "accept"
    4. Comment: "input: allow all from L2TP LAN"
    5. Save the rule with OK.
  5. Add a new rule:
    1. General, Chain: "forward"
    2. General, In. Interface: "bridge-l2tp-lan"
    3. Action, Action: "accept"
    4. Comment: "forward: allow all from L2TP LAN"
    5. Save the rule with OK.
  6. Add a new rule:
    1. General, Chain: "input"
    2. General, Connection State: tick "established" and "related"
    3. Action, Action: "accept"
    4. Comment: "input: allow established & related traffic"
    5. Save the rule with OK
  7. Add a new rule:
    1. General, Chain: "forward"
    2. General, Connection State: tick "established" and "related"
    3. Action, Action: "accept"
    4. Comment: "forward: allow established & related traffic"
    5. Save the rule with OK.
  8. Add a new rule:
    1. General, Chain: "input"
    2. Action, Action: "drop"
    3. Comment: "input: drop all remaining traffic"
    4. Save the rule with OK
  9. Add a new rule:
    1. General, Chain: "forward"
    2. Action, Action: "drop"
    3. Comment: "forward: drop all remaining traffic"
    4. Save the rule with OK.
  10. Go to the Mangle tab, and add a new rule with +:
    1. General, Chain: "forward"
    2. General, Protocol: "tcp"
    3. General, Out. Interface: "l2tp-aaisp"
    4. Advanced, TCP Flags: select "syn"
    5. Action, Action: "change MSS"
    6. Action, New TCP MSS: "clamp to pmtu"
    7. Comment: "TCP: clamp MSS to PMTU"
    8. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.
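Both the IPv4 and the IPv6 rule sets above, as one added example in RouterOS terminal syntax (not from the original page). It assumes the interface names and the 192.168.88.0/24 range used in this guide; the rules and comments are the ones the WinBox steps create, in the same order.

```routeros
# IPv4 filter. Rules match top to bottom, first match wins, so the drop
# rules must be the last entries in their chains.
/ip firewall filter
add chain=input protocol=icmp action=accept comment="input: allow all ICMP"
add chain=input in-interface=bridge-l2tp-lan action=accept comment="input: allow all from L2TP LAN"
add chain=forward in-interface=bridge-l2tp-lan action=accept comment="forward: allow all from L2TP LAN"
add chain=input connection-state=established,related action=accept comment="input: allow established & related traffic"
add chain=forward connection-state=established,related action=accept comment="forward: allow established & related traffic"
add chain=input action=drop comment="input: drop all remaining traffic"
add chain=forward action=drop comment="forward: drop all remaining traffic"

# Source NAT for LAN traffic leaving via the tunnel only
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=l2tp-aaisp action=masquerade comment="NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address"

# Clamp TCP MSS on SYNs leaving via the tunnel
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-aaisp action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="TCP: clamp MSS to PMTU"

# IPv6: same shape. ICMPv6 is also accepted in forward so that errors such
# as Packet Too Big reach LAN hosts, which IPv6 path MTU discovery relies on.
/ipv6 firewall filter
add chain=input protocol=icmpv6 action=accept comment="input: allow all ICMP"
add chain=forward protocol=icmpv6 action=accept comment="forward: allow all ICMP"
add chain=input in-interface=bridge-l2tp-lan action=accept comment="input: allow all from L2TP LAN"
add chain=forward in-interface=bridge-l2tp-lan action=accept comment="forward: allow all from L2TP LAN"
add chain=input connection-state=established,related action=accept comment="input: allow established & related traffic"
add chain=forward connection-state=established,related action=accept comment="forward: allow established & related traffic"
add chain=input action=drop comment="input: drop all remaining traffic"
add chain=forward action=drop comment="forward: drop all remaining traffic"
/ipv6 firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-aaisp action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="TCP: clamp MSS to PMTU"

# Check the order: the two drop rules must be the last entries in each chain
/ip firewall filter print
/ipv6 firewall filter print
```

Note the consequence of the two "allow all ICMP" rules: the router answers ping from the internet, and because the IPv6 forward chain accepts all ICMPv6 regardless of interface, your LAN hosts' global IPv6 addresses are pingable from the internet too. Everything else unsolicited from the tunnel side is dropped; only replies to connections the LAN started get through.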

Connecting

Now that we have the network interfaces & a basic firewall configured, we can connect to the A&A L2TP service.

  1. Go to Interfaces from the WinBox menu, and double click on "l2tp-aaisp".
  2. Click Enable.
  3. Change to the Status tab, and you should see your L2TP tunnel connect. You should see your assigned IPv4 address in the Local Address field, and "81.187.81.187" in Remote Address.
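The same connect-and-verify steps from the terminal, as an added example (not from the original page), with the checks I would run before trusting the setup. It assumes the interface names used in this guide.

```routeros
# Enable the tunnel and watch it come up: status, local and remote address,
# and the negotiated MTU/MRU
/interface l2tp-client enable l2tp-aaisp
/interface l2tp-client monitor l2tp-aaisp once

# The assigned public IPv4 address should appear on the tunnel interface
/ip address print where interface=l2tp-aaisp

# The active default route should now be the tunnel one (distance 1); the
# ether1 DHCP route is still listed at distance 255
/ip route print where dst-address=0.0.0.0/0

# Once the tunnel has been up for a minute, the counters on the final
# drop rules should be climbing: unsolicited traffic arriving from the
# internet is being discarded rather than reaching the router or the LAN
/ip firewall filter print stats
/ipv6 firewall filter print stats
```

If the tunnel does not connect, the PPP-related log entries under Log (or `/log print` in the terminal) will usually say whether the failure is authentication (wrong username or password) or reachability (the upstream connection on ether1 is not working).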