
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

User:TomJepp/RouterOS L2TP: Difference between revisions

TomJepp (talk | contribs)
TomJepp (talk | contribs)
 
(14 intermediate revisions by the same user not shown)
Line 7: Line 7:
* firewalling
* firewalling


This guide was written by the A&A community & was tested using RouterOS 7.16.1 on a [https://mikrotik.com/product/hap_ax2 hAP ax2]. It should also work well with other affordable Mikrotik routers - such as the [https://mikrotik.com/product/hap_ac2 hAP ac2], the [https://mikrotik.com/product/RB750Gr3 hEX], or the [https://mikrotik.com/product/hex_2024 hEX Refresh]. Very low end routers such as the [https://mikrotik.com/product/RB941-2nD hAP Lite] may work, but are not recommended.
This guide was written by the A&A community & was tested using RouterOS 7.16.1 on several Mikrotik routers.

It was tested with the following routers:
* '''[https://mikrotik.com/product/rb4011igs_rm RB4011]'''
* '''[https://mikrotik.com/product/hap_ax2 hAP ax2]'''
* '''[https://mikrotik.com/product/hap_ac2 hAP ac2]'''

This config should also work well with other affordable Mikrotik routers - such as the [https://mikrotik.com/product/RB750Gr3 hEX], or the [https://mikrotik.com/product/hex_2024 hEX Refresh]. Very low end routers such as the [https://mikrotik.com/product/RB941-2nD hAP Lite] may work, but are not recommended.


The RouterOS documentation is available at: https://help.mikrotik.com/docs/
The RouterOS documentation is available at: https://help.mikrotik.com/docs/


If you get stuck, feel free to ask for help on A&A's IRC channel: https://www.aa.net.uk/etc/contact/#irc
If you get stuck, feel free to ask for help on A&A's IRC channel: https://www.aa.net.uk/etc/contact/#irc

== TODO ==
* v4 blocks?


== Before you start ==
== Before you start ==
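Review bot: the new `== TODO ==` section with its single item `v4 blocks?` is going into the published guide, yet this same revision already carries a `== Using a public IPv4 block ==` section (visible in a later hunk of this diff), so the item reads as stale. Either remove the TODO section or replace the item with what is actually still missing from the IPv4 block walkthrough.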
Line 130: Line 134:
# Go to '''IP, Firewall''' and select the '''Filter Rules''' tab.
# Go to '''IP, Firewall''' and select the '''Filter Rules''' tab.
# Add a new rule using the '''+''' button. Set the following fields:
# Add a new rule using the '''+''' button. Set the following fields:
## For '''General, Chain''', select "input".
## For '''General, Protocol''', select "icmp".
## For '''Action, Action''', select "accept".
## Use the '''Comment''' button to add a comment saying "input: allow all ICMP".
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Chain''': "input"
## '''General, In. Interface''': "bridge-l2tp-lan"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow all from L2TP LAN"
## Use the '''Comment''' button to add a comment saying "input: allow established & related traffic"
## Save the rule with '''OK'''.
## Save the rule with '''OK'''
# Add a new rule:
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, Chain''': "forward"
## '''General, In. Interface''': "bridge-l2tp-lan"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow all from L2TP LAN"
## '''Comment''': "forward: allow established & related traffic"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "input".
## '''General, Protocol''': "icmp".
## '''Action, Action''': "accept".
## '''Comment''': "input: allow all ICMP".
## Save the rule with '''OK'''.
## Save the rule with '''OK'''.
# Add a new rule:
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Chain''': "input"
## '''General, Connection State''': tick "established" and "related"
## '''General, In. Interface''': "bridge-l2tp-lan"
## '''Action, Action''': "accept"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow established & related traffic"
## '''Comment''': "input: allow all from L2TP LAN"
## Save the rule with '''OK'''
## Save the rule with '''OK'''.
# Add a new rule:
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, Chain''': "forward"
## '''General, Connection State''': tick "established" and "related"
## '''General, In. Interface''': "bridge-l2tp-lan"
## '''Action, Action''': "accept"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow established & related traffic"
## '''Comment''': "forward: allow all from L2TP LAN"
## Save the rule with '''OK'''.
## Save the rule with '''OK'''.
# Add a new rule:
# Add a new rule:
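Review bot: the reordered steps now put the two "established & related" rules ahead of the ICMP and L2TP LAN rules in both the input and forward chains, but the step wording is inconsistent within the hunk: the first rule still uses the long "Use the '''Comment''' button to add a comment saying ..." form while the later rules use the terse `'''Comment''': "..."` form, and one "Save the rule with '''OK'''" line has no trailing full stop. Use one form throughout so readers do not wonder whether the two phrasings describe different actions.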
Line 189: Line 193:


# Go to '''IPv6, Firewall''' and select the '''Filter Rules''' tab.
# Go to '''IPv6, Firewall''' and select the '''Filter Rules''' tab.
# Add a new rule using the '''+''' button. Set the following fields:
## '''General, Chain''': "input"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## Use the '''Comment''' button to add a comment saying "input: allow established & related traffic"
## Save the rule with '''OK'''
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow established & related traffic"
## Save the rule with '''OK'''.
# Add a new rule:
# Add a new rule:
## '''General, Chain''': "input".
## '''General, Chain''': "input".
Line 212: Line 228:
## '''Action, Action''': "accept"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow all from L2TP LAN"
## '''Comment''': "forward: allow all from L2TP LAN"
## Save the rule with '''OK'''.
# Add a new rule:
## '''General, Chain''': "input"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## '''Comment''': "input: allow established & related traffic"
## Save the rule with '''OK'''
# Add a new rule:
## '''General, Chain''': "forward"
## '''General, Connection State''': tick "established" and "related"
## '''Action, Action''': "accept"
## '''Comment''': "forward: allow established & related traffic"
## Save the rule with '''OK'''.
## Save the rule with '''OK'''.
# Add a new rule:
# Add a new rule:
Line 252: Line 256:
# Click '''Enable'''.
# Click '''Enable'''.
# Change to the '''Status''' tab, and you should see your L2TP tunnel connect. You should see your assigned IPv4 address in the '''Local Address''' field, and "81.187.81.187" in '''Remote Address'''.
# Change to the '''Status''' tab, and you should see your L2TP tunnel connect. You should see your assigned IPv4 address in the '''Local Address''' field, and "81.187.81.187" in '''Remote Address'''.

If your tunnel came up successfully you should now be connected. Devices plugged into ether2, ether3, ether4, and ether5 should be able to get IP addresses automatically, and their traffic should be sent down the L2TP tunnel.

If you have an IPv4 block to use, then continue on to the next section - otherwise, you're done!


== Using a public IPv4 block ==
== Using a public IPv4 block ==
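Review bot: "Devices plugged into ether2, ether3, ether4, and ether5 should be able to get IP addresses automatically" only holds for the base configuration; the "With a block of IPv4 IPs" CLI example later in this diff moves ether4 and ether5 onto bridge-l2tp-public, which has no DHCP server (dhcp1 is bound to bridge-l2tp-lan only). Qualify the sentence, for example "... if you are not using a public IPv4 block", since the very next paragraph sends those readers on to that section.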
Line 386: Line 394:


Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.
Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.

=== Conclusion ===

You should now have a working second bridge on ports 4 and 5 that allows you to configure internet facing IP addresses.

These IP addresses are not firewalled by the router, so you '''must''' ensure you have a suitable firewall on any device before you connect it to these ports.


== CLI config example ==
== CLI config example ==
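Review bot: the Conclusion rightly warns that addresses on the public bridge are not firewalled by the router, but it should also state what the router still enforces so readers neither over- nor under-estimate it: per the CLI example, forward traffic from bridge-l2tp-public is only accepted when it leaves via l2tp-aaisp, so a compromised host on ether4/ether5 cannot open new connections into the 192.168.88.0/24 LAN bridge, and on the input chain the public bridge only reaches the router's ICMP and DNS (UDP/TCP 53). One sentence to that effect after "you '''must''' ensure you have a suitable firewall" would make the trust boundary explicit.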
Line 416: Line 430:
set allow-remote-requests=yes
set allow-remote-requests=yes
/ip firewall filter
/ip firewall filter
add action=accept chain=input comment=\
"input: allow established & related traffic" connection-state=\
established,related
add action=accept chain=forward comment=\
"forward: allow established & related traffic" connection-state=\
established,related
add action=accept chain=input comment="input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="input: allow all from L2TP LAN" \
add action=accept chain=input comment="input: allow all from L2TP LAN" \
Line 421: Line 441:
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
in-interface=bridge-l2tp-lan
in-interface=bridge-l2tp-lan
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address" out-interface=\
!bridge-l2tp-lan src-address=192.168.88.0/24
/ipv6 address
add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan
/ipv6 firewall filter
add action=accept chain=input comment=\
add action=accept chain=input comment=\
"input: allow established & related traffic" connection-state=\
"input: allow established & related traffic" connection-state=\
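Review bot: the srcnat rule's comment says "masquerade 192.168.88.0/24 to l2tp-aaisp's address", but the match is `out-interface=!bridge-l2tp-lan`, which also masquerades LAN traffic leaving through any other interface, for example ether1 (the DHCP-client port in the CLI example) if the tunnel is down and its `add-default-route=yes` route disappears, leaving the `default-route-distance=255` DHCP route active. Match `out-interface=l2tp-aaisp` instead so the rule does exactly what the comment says and LAN traffic is not NATed out of the underlying connection un-tunnelled.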
Line 427: Line 460:
"forward: allow established & related traffic" connection-state=\
"forward: allow established & related traffic" connection-state=\
established,related
established,related
add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6
add action=accept chain=forward comment="forward: allow all ICMP" protocol=\
icmpv6
add action=accept chain=input comment="input: allow all from L2TP LAN" \
in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
in-interface=bridge-l2tp-lan
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
/ipv6 firewall mangle
add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\
clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \
tcp-flags=syn
add action=accept chain=forward
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.aa.net.uk
/system routerboard settings
set auto-upgrade=yes
</pre>

=== With a block of IPv4 IPs ===
<pre>
/interface bridge
add name=bridge-l2tp-lan
add name=bridge-l2tp-public
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=l2tp.aa.net.uk \
disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively \
user=example@a.1
/interface bridge port
add bridge=bridge-l2tp-lan interface=ether2
add bridge=bridge-l2tp-lan interface=ether3
add bridge=bridge-l2tp-public interface=ether4
add bridge=bridge-l2tp-public interface=ether5
/ip address
add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0
add address=198.51.100.57/29 interface=bridge-l2tp-public network=\
198.51.100.56
/ip dhcp-client
add default-route-distance=255 interface=ether1
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge-l2tp-lan name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="input: allow all ICMP" protocol=icmp
add action=accept chain=input comment="input: allow all from L2TP LAN" \
in-interface=bridge-l2tp-lan
add action=accept chain=forward comment="forward: allow all from L2TP LAN" \
in-interface=bridge-l2tp-lan
add action=accept chain=input comment=\
"input: allow established & related traffic" connection-state=\
established,related
add action=accept chain=forward comment=\
"forward: allow established & related traffic" connection-state=\
established,related
add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \
dst-port=53 in-interface=bridge-l2tp-public protocol=udp
add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \
dst-port=53 in-interface=bridge-l2tp-public protocol=tcp
add action=accept chain=forward comment=\
"forward: allow from L2TP public bridge to the internet" in-interface=\
bridge-l2tp-public out-interface=l2tp-aaisp
add action=accept chain=forward comment=\
"forward: allow from the internet to the L2TP public bridge" \
in-interface=l2tp-aaisp out-interface=bridge-l2tp-public
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
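Review bot: in the "With a block of IPv4 IPs" filter the two DNS rules are commented "input: allow UDP DNS from L2TP LAN" / "input: allow TCP DNS from L2TP LAN" but match `in-interface=bridge-l2tp-public`, so the comments name the wrong interface; change them to "... from L2TP public bridge" (the same mismatch recurs in the IPv6 filter below). Separately, the IPv6 mangle table ends with an uncommented `add action=accept chain=forward`, which only stops further mangle processing for every forwarded IPv6 packet and has no counterpart in the IPv4 mangle table; drop it or give it a comment explaining why it is there.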
Line 439: Line 548:
/ipv6 address
/ipv6 address
add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan
add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan
add address=2001:8b0:db8:acb2::1 advertise=no interface=bridge-l2tp-public
/ipv6 firewall filter
/ipv6 firewall filter
add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6
add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6
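Review bot: `advertise=no` on the bridge-l2tp-public address means the router sends no router advertisement for that prefix, so devices on ether4/ether5 will not autoconfigure an IPv6 address or default gateway; the public-bridge walkthrough should say that each device needs a static address under the 2001:8b0:db8:acb2:: prefix with the router's ::1 address as its gateway. Not advertising is the right call for hosts the Conclusion describes as deliberately unfirewalled, but the manual step should be spelled out.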
Line 453: Line 563:
"forward: allow established & related traffic" connection-state=\
"forward: allow established & related traffic" connection-state=\
established,related
established,related
add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \
dst-port=53 in-interface=bridge-l2tp-public protocol=udp
add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \
dst-port=53 in-interface=bridge-l2tp-public protocol=tcp
add action=accept chain=forward comment=\
"forward: allow from L2TP public bridge to the internet" in-interface=\
bridge-l2tp-public out-interface=l2tp-aaisp
add action=accept chain=forward comment=\
"forward: allow from the internet to the L2TP public bridge" \
in-interface=l2tp-aaisp out-interface=bridge-l2tp-public
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=input comment="input: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
add action=drop chain=forward comment="forward: drop all remaining traffic"
Line 472: Line 592:
</pre>
</pre>


== Performance tests ==
=== With a block of IPv4 IPs ===

<pre>
There are many factors that affect the throughput you'll achieve, but I have tested the following devices using the 600mbit Business L2TP service over a gigabit fibre connection with several different speed tests, including:
</pre>
* A&A's librespeed tester at https://speedtest.aa.net.uk/
* iperf3 to A&A's iperf3 server
* Steam downloads
* HTTP downloads from major CDNs such as Fastly
* speedtest.net
* ThinkBroadband's speed tester

Please note that these tests all use large packet sizes, and if your use cases use small packets you can expect lower performance. There is no substitute for testing with your own usecase!

Using these tests, I achieved the following results:
* '''[https://mikrotik.com/product/rb4011igs_rm RB4011]''': typically hits the 600mbit service cap with single or multiple connections
* '''[https://mikrotik.com/product/hap_ax2 hAP ax2]''': approx 450mbit max with a single connection, 500-600mbit with multiple connections
* '''[https://mikrotik.com/product/hap_ac2 hAP ac2]''': approx 350-400mbit max with a single connection, approx 450mbit max with multiple connections
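Review bot: the results do not say which configuration variant or tunnel settings they were measured with, yet the CLI example above sets `allow-fast-path=yes` on the l2tp-client, which affects throughput on these devices; state the RouterOS version (7.16.1 per the intro), the variant (base or public IPv4 block) and whether fast path was enabled alongside each figure. Also "usecase" should be "use case", and the first-person "I have tested" clashes with the intro's "written by the A&A community".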