User:TomJepp/RouterOS L2TP: Difference between revisions

Revision as of 00:26, 13 November 2024

Mikrotik RouterOS routers are ideal & affordable clients for the A&A L2TP service. This guide will walk you through taking a freshly factory reset RouterOS device & configuring it to connect over your existing internet connection.

This is a simple starter config that you can use to connect straight away, or to build from if you need something more complex. It will walk you through configuring:

WAN & LAN network interfaces
the L2TP tunnel
DHCP & DNS
firewalling

This guide was written by the A&A community & was tested using RouterOS 7.16.1 on several Mikrotik routers.

It was tested with the following routers:

RB4011
hAP ax2
hAP ac2

This config should also work well with other affordable Mikrotik routers - such as the hEX, or the hEX Refresh. Very low end routers such as the hAP Lite may work, but are not recommended.

The RouterOS documentation is available at: https://help.mikrotik.com/docs/

If you get stuck, feel free to ask for help on A&A's IRC channel: https://www.aa.net.uk/etc/contact/#irc

Before you start

Read the whole guide before you start.
Make sure your router is running reasonably up to date RouterOS.
Make sure you know your account details provided by A&A for the L2TP connection.
Check what IP addresses you've been assigned. This guide will assume you have 1x IPv4 assigned (198.51.100.127), and a single IPv6 /64 subnet (2001:8b0:db8:acb1::/64) set up in the Control Pages.
Make sure you're starting with a freshly factory reset router without any default configuration.
This guide will use WinBox to set up your router. You can grab the latest version from https://mikrotik.com/download and this guide was written & tested with v3.41. A config export is provided at the end for advanced users.
ether1 should be connected to your existing internet connection, and that DHCP will be used to get an IP address.
Devices will be connected to ether2, ether3, ether4 and ether5, which we will bridge together. The PC being used for configuration should be connected to one of these four ports.
Make sure you know what IP address ranges your existing network uses - you will need to pick an IPv4 subnet that does not overlap. This guide will assume the typical Mikrotik default of 192.168.88.0/24.
Some users of the L2TP service have a small subnet of public IPv4 addresses routed - such as a /29 or a /28. There is an appendix at the end for this.

Getting started

If you're using a freshly reset router, the first thing you'll be prompted to do once you're connected to your router is to set a password. This is a very important step for security and you should not skip it!

You may also wish to set up a new admin user under System, Users.

Network interface setup

WAN port

ether1 will be our upstream connection - plug this into your existing router. We will use DHCP to get an IP address, but you can configure a static IP here if you prefer.

For ether1, we will set up a DHCP client. In the WinBox menu, open IP, DHCP Client, and add a new client using +.
Select the "ether1" interface in the DHCP tab, make sure Use Peer DNS is ticked, and Add Default Route should be set to "yes".
In the Advanced tab, set the Default Route Distance to "255". This is important and will ensure that the default route added by the L2TP connection later is used in preference to this one.
Save the new DHCP client using Apply. Use the Status tab to check that you received an IP address, then click OK to close the window.

LAN ports

We will bridge together ether2, ether3, ether4, and ether5 using a Bridge interface. These will be the ports that you can connect devices to.

Open Bridge from the WinBox menu, make sure the Bridge tab is selected and add a new bridge using +.
Name the bridge something descriptive - I recommend "bridge-l2tp-lan". Leave all the other settings as their defaults, and save the bridge using OK.
Change to the Ports tab, and add a new port using +.
For Interface, select "ether2". For Bridge select your new "bridge-l2tp-lan" bridge. Save the port using OK.
Repeat the last two steps for "ether3", "ether4", and "ether5".

When you add the port that your PC is connected to, you might get disconnected from WinBox. That's normal - you should be able to reconnect after a few seconds.

Now the bridge is configured, we'll set up an IPv4 address, an IPv6 address, time synchronisation, DNS, and DHCP server:

IPv4 address

From the WinBox menu, open IP, Addresses, and click + to create a new IP address.
For Address, set "192.168.88.1/24". Leave Network blank, and set Interface to "bridge-l2tp-lan".
Save the address with OK.

IPv6 address

From the WinBox menu, open IPv6, Addresses, and click + to create a new IP address.
For Address, we will use an address in our subnet ending in ::1. If your assigned subnet is (for example) 2001:8b0:db8:acb1::/64, we would use "2001:8b0:db8:acb1::1/64". Leave Network blank, and set Interface to "bridge-l2tp-lan".
Tick Advertise.
Save the address with OK.

Time synchronisation

Open System, NTP Client from the WinBox menu.
Tick Enabled.
Set NTP Servers to "time.aa.net.uk".
Leave VRF set to "main".
Click OK to save the changes. Your router's clock should synchronise automatically in the background.

DNS

Now open IP, DNS from the WinBox menu.
Tick Allow Remote Requests'.
Save this with OK.

DHCP

Open IP, DHCP Server from the WinBox menu and click DHCP Setup.
For DHCP Server Interface, select "bridge-l2tp-lan" and click Next.
For DHCP Address Space, the default of "192.168.88.0/24" should be fine. Click Next.
For Gateway for DHCP Network, the default of "192.168.88.1" should also be fine. Click Next.
For Addresses to Give out, the default of "192.168.88.2-192.168.88.254" should be fine, but feel free to change it if you prefer a smaller DHCP address pool. Click Next.
For DNS Servers, replace the default value with "192.168.88.1". Click Next.
For Lease time, the default of "00:30:00" (30 minutes) should be fine. Click Next.

You should now have a DHCP server on your bridged ports that issues IPs in the 192.168.88.0/24 range.

L2TP tunnel

We will now create the L2TP tunnel that we'll use to connect to A&A's L2TP server. We'll leave it disabled until after we've set up the Firewall, so we don't expose our router to the internet until we're finished configuring it.

From the WinBox menu, open Interfaces, and use the + button to add a new "L2TP Client".
In the General tab, set an appropriate Name. I recommend "l2tp-aaisp".
Set the Max MTU and Max MRU values. If you're connecting via another wired ISP you can usually leave these at the default of "1450". If you are connecting via a mobile broadband service you may need to reduce this - on a 3 mobile broadband SIM I use a MTU and MRU of "1340".
In the Dial Out tab:
1. Set Connect To to "l2tp.aa.net.uk".
2. User: your A&A provided L2TP username, such as "example@a.1"
3. Password: your A&A provided L2TP password.
4. Profile: set to "default". A&A's L2TP service does not provide an encrypted tunnel!
5. Use Peer DNS: set to "exclusively".
6. Tick Add Default Route, and set Default Route Distance to 1. This ensures the route inside the L2TP tunnel is preferred to the one we configured earlier on ether1.
In the Advanced tab, set L2TP Protocol Version to "l2tpv2".
Save the L2TP interface settings with Apply.
Click Disable to disable the L2TP interface until we've set up the firewall.
Close the L2TP interface settings with OK.

Firewall

We will set up a simple firewall for IPv4 and IPv6 that does the following:

allows ICMP traffic to the router
allows all traffic from the bridged LAN ports to the router
allows all traffic from the router to the internet
allows all traffic from the LAN to the internet via the L2TP service
blocks all remaining traffic

We will also set up two extra rules:

a source NAT rule so that IPv4 traffic that is sent via the L2TP service is NAT'd to the external IP A&A provided.
a mangle rule to clamp MSS to path MTU - this ensures that you don't have problems accessing services like HTTPS sites.

IPv4 firewall

Go to IP, Firewall and select the Filter Rules tab.
Add a new rule using the + button. Set the following fields:
1. General, Chain: "input"
2. General, Connection State: tick "established" and "related"
3. Action, Action: "accept"
4. Use the Comment button to add a comment saying "input: allow established & related traffic"
5. Save the rule with OK
Add a new rule:
1. General, Chain: "forward"
2. General, Connection State: tick "established" and "related"
3. Action, Action: "accept"
4. Comment: "forward: allow established & related traffic"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input".
2. General, Protocol: "icmp".
3. Action, Action: "accept".
4. Comment: "input: allow all ICMP".
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. General, In. Interface: "bridge-l2tp-lan"
3. Action, Action: "accept"
4. Comment: "input: allow all from L2TP LAN"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "bridge-l2tp-lan"
3. Action, Action: "accept"
4. Comment: "forward: allow all from L2TP LAN"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. Action, Action: "drop"
3. Comment: "input: drop all remaining traffic"
4. Save the rule with OK
Add a new rule:
1. General, Chain: "forward"
2. Action, Action: "drop"
3. Comment: "forward: drop all remaining traffic"
4. Save the rule with OK.
Go to the NAT tab, and add a new rule with +:
1. General, Chain: "srcnat"
2. General, Src. Address: "192.168.88.0/24"
3. General, Out. Interface: "l2tp-aaisp"
4. Action, Action: "masquerade"
5. Comment: "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address"
6. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.
Go to the Mangle tab, and add a new rule with +:
1. General, Chain: "forward"
2. General, Protocol: "tcp"
3. General, Out. Interface: "l2tp-aaisp"
4. Advanced, TCP Flags: select "syn"
5. Action, Action: "change MSS"
6. Action, New TCP MSS: "clamp to pmtu"
7. Comment: "TCP: clamp MSS to PMTU"
8. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.

IPv6 firewall

Go to IPv6, Firewall and select the Filter Rules tab.
Add a new rule using the + button. Set the following fields:
1. General, Chain: "input"
2. General, Connection State: tick "established" and "related"
3. Action, Action: "accept"
4. Use the Comment button to add a comment saying "input: allow established & related traffic"
5. Save the rule with OK
Add a new rule:
1. General, Chain: "forward"
2. General, Connection State: tick "established" and "related"
3. Action, Action: "accept"
4. Comment: "forward: allow established & related traffic"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input".
2. General, Protocol: "icmpv6".
3. Action, Action: "accept".
4. Comment: "input: allow all ICMP"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward".
2. General, Protocol: "icmpv6".
3. Action, Action: "accept".
4. Comment: "forward: allow all ICMP"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. General, In. Interface: "bridge-l2tp-lan"
3. Action, Action: "accept"
4. Comment: "input: allow all from L2TP LAN"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "bridge-l2tp-lan"
3. Action, Action: "accept"
4. Comment: "forward: allow all from L2TP LAN"
5. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. Action, Action: "drop"
3. Comment: "input: drop all remaining traffic"
4. Save the rule with OK
Add a new rule:
1. General, Chain: "forward"
2. Action, Action: "drop"
3. Comment: "forward: drop all remaining traffic"
4. Save the rule with OK.
Go to the Mangle tab, and add a new rule with +:
1. General, Chain: "forward"
2. General, Protocol: "tcp"
3. General, Out. Interface: "l2tp-aaisp"
4. Advanced, TCP Flags: select "syn"
5. Action, Action: "change MSS"
6. Action, New TCP MSS: "clamp to pmtu"
7. Comment: "TCP: clamp MSS to PMTU"
8. Save the rule with OK. This rule will show up in red with a warning until we enable the l2tp-aaisp interface in a moment.

Connecting

Now that we have the network interfaces & a basic firewall configured, we can connect to the A&A L2TP service.

Go to Interfaces from the WinBox menu, and double click on "l2tp-aaisp".
Click Enable.
Change to the Status tab, and you should see your L2TP tunnel connect. You should see your assigned IPv4 address in the Local Address field, and "81.187.81.187" in Remote Address.

Using a public IPv4 block

Some A&A customers have a block of public IPs allocated to their L2TP service. This can also be configured with RouterOS.

For this, we'll use "ether4" and "ether5" to create a separate bridge for the public IPs. We'll allow *all* traffic to these IPs, so it is important for you to have firewalls enabled & configured on each device you connect.

In our example, we'll use 198.51.100.56/29. You should find the range allocated to you in A&A's control pages.

Allocating an extra IPv6 subnet

You should allocate a second /64 subnet of IPv6 addresses to go with the public IPv4 block. This can be done in the control pages for your line:

In the IP addresses section, click Add /64.
In the new page that loads, make a note of the new subnet that is allocated. In my example, it is 2001:8b0:db8:acb2::/64.
Tick the right checkbox for IP Routing so this subnet is sent to your L2TP service. If your username for L2TP is "example@a.1" for example, that's the checkbox labelled 1. If your username for L2TP is "example@a.2", it would be a checkbox labelled 2.
Click OK to save.

Changes to IP routing only apply when you disconnect and reconnect your L2TP service. You can do this by going to Interfaces in the WinBox menu, double clicking on the "l2tp-aaisp" interface, then click Disable, wait a few seconds, and click Enable. Then click OK to save.

Setting up the new bridge

First, we'll need to remove the "ether4" and "ether5" ports from the existing bridge:

Open Bridge from the WinBox menu.
Go to the Ports tab.
Select "ether4", and delete it with the - button.
Select "ether5", and delete it with the - button.
Go to the Bridge tab.
Click + to create a second bridge.
Set an appropriate Name. I named mine "bridge-l2tp-public".
Save the new bridge with OK.
Change to the Ports tab, and add a new port using +.
For Interface, select "ether4". For Bridge select your new "bridge-l2tp-public" bridge. Save the port using OK.
Repeat the last two steps for "ether5".

IPv4 address

First, find the IP range assigned to you in the control pages. In our example it is 198.51.100.56/29.

A /29 is made up of 8 IP addresses, of which 6 are typically usable. The usable range for our example /29 is 198.51.100.57 to 198.51.100.62. If you're not sure for your range, use a CIDR calculator such as https://cidr.xyz/.

We will use the first IP in the block as our router's IP - so for our example, 198.51.100.57. The rest of the usable IPs (198.51.100.58-198.51.100.62) can be assigned by you to any device you wish to connect. You'll use the router's IP as the gateway for any device you configure.

To set up the IPv4 address:

From the WinBox menu, open IP, Addresses, and click + to create a new IP address.
For Address, set "198.51.100.57/29". Leave Network blank, and set Interface to "bridge-l2tp-public".
Save the address with OK.

IPv6 address

Find the second IPv6 subnet you allocated earlier - for our example it is 2001:8b0:db8:acb2::/64. We will use an address ending in ::1 in this subnet for our router's IPv6 address. For our example, it will be: 2001:8b0:db8:acb2::1/64.

To set up the IPv6 address:

From the WinBox menu, open IPv6, Addresses, and click + to create a new IP address.
For Address, set "2001:8b0:db8:acb2::1/64". Leave Network blank, and set Interface to "bridge-l2tp-public".
Advertise can be ticked, or not - if it is ticked, devices will automatically configure themselves for IPv6, if it is unticked you will have to configure them manually. I prefer to leave advertising disabled for an internet-facing public port.
Save the address with OK.

Firewall

We will add some extra firewall rules - these rules will allow *all* traffic to the public IP ranges, and allow traffic from the public IP ranges to the internet, and to the DNS server on the router.

However, we will not allow the public IP ranges to initiate connections to the LAN bridge we set up earlier.

IPv4 firewall

Go to IP, Firewall and select the Filter Rules tab.
Add a new rule:
1. General, Chain: "input"
2. General, Protocol: "udp"
3. Dst. Port: "53"
4. General, In. Interface: "bridge-l2tp-public"
5. Action, Action: "accept"
6. Comment: "input: allow UDP DNS from L2TP LAN"
7. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. General, Protocol: "tcp"
3. Dst. Port: "53"
4. General, In. Interface: "bridge-l2tp-public"
5. Action, Action: "accept"
6. Comment: "input: allow TCP DNS from L2TP LAN"
7. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "bridge-l2tp-public"
3. General, Out. Interface: "l2tp-aaisp"
4. Action, Action: "accept"
5. Comment: "forward: allow from L2TP public bridge to the internet"
6. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "l2tp-aaisp"
3. General, Out. Interface: "bridge-l2tp-public"
4. Action, Action: "accept"
5. Comment: "forward: allow from the internet to the L2TP public bridge"
6. Save the rule with OK.

Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.

IPv6 firewall

We'll repeat exactly the same rules for IPv6:

Go to IPv6, Firewall and select the Filter Rules tab.
Add a new rule:
1. General, Chain: "input"
2. General, Protocol: "udp"
3. Dst. Port: "53"
4. General, In. Interface: "bridge-l2tp-public"
5. Action, Action: "accept"
6. Comment: "input: allow UDP DNS from L2TP LAN"
7. Save the rule with OK.
Add a new rule:
1. General, Chain: "input"
2. General, Protocol: "tcp"
3. Dst. Port: "53"
4. General, In. Interface: "bridge-l2tp-public"
5. Action, Action: "accept"
6. Comment: "input: allow TCP DNS from L2TP LAN"
7. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "bridge-l2tp-public"
3. General, Out. Interface: "l2tp-aaisp"
4. Action, Action: "accept"
5. Comment: "forward: allow from L2TP public bridge to the internet"
6. Save the rule with OK.
Add a new rule:
1. General, Chain: "forward"
2. General, In. Interface: "l2tp-aaisp"
3. General, Out. Interface: "bridge-l2tp-public"
4. Action, Action: "accept"
5. Comment: "forward: allow from the internet to the L2TP public bridge"
6. Save the rule with OK.

Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.

Conclusion

You should now have a working second bridge on ports 4 and 5 that allows you to configure internet facing IP addresses.

These IP addresses are not firewalled by the router, so you must ensure you have a suitable firewall on any device before you connect it to these ports.

CLI config example

This config example is more useful for RouterOS experts:

Base configuration

/interface bridge
add name=bridge-l2tp-lan
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-l2tp-lan name=dhcp1
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=l2tp.aa.net.uk \
    disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively \
    user=example@a.1
/interface bridge port
add bridge=bridge-l2tp-lan interface=ether2
add bridge=bridge-l2tp-lan interface=ether3
add bridge=bridge-l2tp-lan interface=ether4
add bridge=bridge-l2tp-lan interface=ether5
/ip address
add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0
/ip dhcp-client
add default-route-distance=255 interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "input: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "forward: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=input comment="input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="input: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
    clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
    tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address" out-interface=\
    !bridge-l2tp-lan src-address=192.168.88.0/24
/ipv6 address
add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan
/ipv6 firewall filter
add action=accept chain=input comment=\
    "input: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "forward: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6
add action=accept chain=forward comment="forward: allow all ICMP" protocol=\
    icmpv6
add action=accept chain=input comment="input: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ipv6 firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
    clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
    tcp-flags=syn
add action=accept chain=forward
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.aa.net.uk
/system routerboard settings
set auto-upgrade=yes

With a block of IPv4 IPs

/interface bridge
add name=bridge-l2tp-lan
add name=bridge-l2tp-public
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=l2tp.aa.net.uk \
    disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively \
    user=example@a.1
/interface bridge port
add bridge=bridge-l2tp-lan interface=ether2
add bridge=bridge-l2tp-lan interface=ether3
add bridge=bridge-l2tp-public interface=ether4
add bridge=bridge-l2tp-public interface=ether5
/ip address
add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0
add address=198.51.100.57/29 interface=bridge-l2tp-public network=\
    198.51.100.56
/ip dhcp-client
add default-route-distance=255 interface=ether1
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-l2tp-lan name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="input: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=input comment=\
    "input: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "forward: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \
    dst-port=53 in-interface=bridge-l2tp-public protocol=udp
add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \
    dst-port=53 in-interface=bridge-l2tp-public protocol=tcp
add action=accept chain=forward comment=\
    "forward: allow from L2TP public bridge to the internet" in-interface=\
    bridge-l2tp-public out-interface=l2tp-aaisp
add action=accept chain=forward comment=\
    "forward: allow from the internet to the L2TP public bridge" \
    in-interface=l2tp-aaisp out-interface=bridge-l2tp-public
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
    clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
    tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address" out-interface=\
    !bridge-l2tp-lan src-address=192.168.88.0/24
/ipv6 address
add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan
add address=2001:8b0:db8:acb2::1 advertise=no interface=bridge-l2tp-public
/ipv6 firewall filter
add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6
add action=accept chain=forward comment="forward: allow all ICMP" protocol=\
    icmpv6
add action=accept chain=input comment="input: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
    in-interface=bridge-l2tp-lan
add action=accept chain=input comment=\
    "input: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "forward: allow established & related traffic" connection-state=\
    established,related
add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \
    dst-port=53 in-interface=bridge-l2tp-public protocol=udp
add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \
    dst-port=53 in-interface=bridge-l2tp-public protocol=tcp
add action=accept chain=forward comment=\
    "forward: allow from L2TP public bridge to the internet" in-interface=\
    bridge-l2tp-public out-interface=l2tp-aaisp
add action=accept chain=forward comment=\
    "forward: allow from the internet to the L2TP public bridge" \
    in-interface=l2tp-aaisp out-interface=bridge-l2tp-public
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ipv6 firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
    clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
    tcp-flags=syn
add action=accept chain=forward
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.aa.net.uk
/system routerboard settings
set auto-upgrade=yes

Performance tests

There are many factors that affect the throughput you'll achieve, but I have tested the following devices using the 600mbit Business L2TP service over a gigabit fibre connection with several different speed tests, including:

A&A's librespeed tester at https://speedtest.aa.net.uk/
iperf3 to A&A's iperf3 server
Steam downloads
HTTP downloads from major CDNs such as Fastly
speedtest.net
ThinkBroadband's speed tester

Please note that these tests all use large packet sizes, and if your use cases use small packets you can expect lower performance. There is no substitute for testing with your own usecase!

Using these tests, I achieved the following results:

RB4011: typically hits the 600mbit service cap with single or multiple connections
hAP ax2: approx 450mbit max with a single connection, 500-600mbit with multiple connections
hAP ac2: approx 350-400mbit max with a single connection, approx 450mbit max with multiple connections