User:TomJepp/RouterOS L2TP: Difference between revisions

This guide was written by the A&A community & was tested using RouterOS 7.16.1 on several Mikrotik routers.

It was tested with the following routers:

* '''[https://mikrotik.com/product/rb4011igs_rm RB4011]'''

* '''[https://mikrotik.com/product/hap_ax2 hAP ax2]'''

* '''[https://mikrotik.com/product/hap_ac2 hAP ac2]'''

This config should also work well with other affordable Mikrotik routers - such as the [https://mikrotik.com/product/RB750Gr3 hEX], or the [https://mikrotik.com/product/hex_2024 hEX Refresh]. Very low end routers such as the [https://mikrotik.com/product/RB941-2nD hAP Lite] may work, but are not recommended.

# Some users of the L2TP service have a small subnet of public IPv4 addresses routed - such as a /29 or a /28. There is an appendix at the end for this.

# Repeat the last two steps for "ether3", "ether4", and "ether5".

## '''General, Chain''': "input"

## '''General, Connection State''': tick "established" and "related"

## '''Action, Action''': "accept"

## Use the '''Comment''' button to add a comment saying "input: allow established & related traffic"

## Save the rule with '''OK'''

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, Connection State''': tick "established" and "related"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow established & related traffic"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "input".

## '''General, Protocol''': "icmp".

## '''Action, Action''': "accept".

## '''Comment''': "input: allow all ICMP".

# Add a new rule using the '''+''' button. Set the following fields:

## '''General, Chain''': "input"

## '''General, Connection State''': tick "established" and "related"

## '''Action, Action''': "accept"

## Use the '''Comment''' button to add a comment saying "input: allow established & related traffic"

## Save the rule with '''OK'''

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, Connection State''': tick "established" and "related"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow established & related traffic"

## Save the rule with '''OK'''.

If your tunnel came up successfully you should now be connected. Devices plugged into ether2, ether3, ether4, and ether5 should be able to get IP addresses automatically, and their traffic should be sent down the L2TP tunnel.

If you have an IPv4 block to use, then continue on to the next section - otherwise, you're done!

== Using a public IPv4 block ==

Some A&A customers have a block of public IPs allocated to their L2TP service. This can also be configured with RouterOS.

For this, we'll use "ether4" and "ether5" to create a separate bridge for the public IPs. We'll allow *all* traffic to these IPs, so it is important for you to have firewalls enabled & configured on each device you connect.

In our example, we'll use 198.51.100.56/29. You should find the range allocated to you in A&A's control pages.

=== Allocating an extra IPv6 subnet ===

You should allocate a second /64 subnet of IPv6 addresses to go with the public IPv4 block. This can be done in the control pages for your line:

# In the '''IP addresses''' section, click '''Add /64'''.

# In the new page that loads, make a note of the new subnet that is allocated. In my example, it is 2001:8b0:db8:acb2::/64.

# Tick the right checkbox for '''IP Routing''' so this subnet is sent to your L2TP service. If your username for L2TP is "example@a.1" for example, that's the checkbox labelled '''1'''. If your username for L2TP is "example@a.2", it would be a checkbox labelled '''2'''.

# Click '''OK''' to save.

Changes to IP routing only apply when you disconnect and reconnect your L2TP service. You can do this by going to '''Interfaces''' in the WinBox menu, double clicking on the "l2tp-aaisp" interface, then click '''Disable''', wait a few seconds, and click '''Enable'''. Then click '''OK''' to save.

=== Setting up the new bridge ===

First, we'll need to remove the "ether4" and "ether5" ports from the existing bridge:

# Open '''Bridge''' from the WinBox menu.

# Go to the '''Ports''' tab.

# Select "ether4", and delete it with the '''-''' button.

# Select "ether5", and delete it with the '''-''' button.

# Go to the '''Bridge''' tab.

# Click '''+''' to create a second bridge.

# Set an appropriate '''Name'''. I named mine "bridge-l2tp-public".

# Save the new bridge with '''OK'''.

# Change to the '''Ports''' tab, and add a new port using '''+'''.

# For '''Interface''', select "ether4". For '''Bridge''' select your new "bridge-l2tp-public" bridge. Save the port using '''OK'''.

# Repeat the last two steps for "ether5".

==== IPv4 address ====

First, find the IP range assigned to you in the control pages. In our example it is 198.51.100.56/29.

A /29 is made up of 8 IP addresses, of which 6 are typically usable. The usable range for our example /29 is 198.51.100.57 to 198.51.100.62. If you're not sure for your range, use a CIDR calculator such as https://cidr.xyz/.

We will use the first IP in the block as our router's IP - so for our example, 198.51.100.57. The rest of the usable IPs (198.51.100.58-198.51.100.62) can be assigned by you to any device you wish to connect. You'll use the router's IP as the gateway for any device you configure.

To set up the IPv4 address:

# From the WinBox menu, open '''IP, Addresses''', and click '''+''' to create a new IP address.

# For '''Address''', set "198.51.100.57/29". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-public".

# Save the address with '''OK'''.

==== IPv6 address ====

Find the second IPv6 subnet you allocated earlier - for our example it is 2001:8b0:db8:acb2::/64. We will use an address ending in ::1 in this subnet for our router's IPv6 address. For our example, it will be: 2001:8b0:db8:acb2::1/64.

To set up the IPv6 address:

# From the WinBox menu, open '''IPv6, Addresses''', and click '''+''' to create a new IP address.

# For '''Address''', set "2001:8b0:db8:acb2::1/64". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-public".

# '''Advertise''' can be ticked, or not - if it is ticked, devices will automatically configure themselves for IPv6, if it is unticked you will have to configure them manually. I prefer to leave advertising disabled for an internet-facing public port.

# Save the address with '''OK'''.

=== Firewall ===

We will add some extra firewall rules - these rules will allow *all* traffic to the public IP ranges, and allow traffic from the public IP ranges to the internet, and to the DNS server on the router.

However, we will not allow the public IP ranges to initiate connections to the LAN bridge we set up earlier.

==== IPv4 firewall ====

# Go to '''IP, Firewall''' and select the '''Filter Rules''' tab.

# Add a new rule:

## '''General, Chain''': "input"

## '''General, Protocol''': "udp"

## '''Dst. Port''': "53"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "input: allow UDP DNS from L2TP LAN"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "input"

## '''General, Protocol''': "tcp"

## '''Dst. Port''': "53"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "input: allow TCP DNS from L2TP LAN"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''General, Out. Interface''': "l2tp-aaisp"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow from L2TP public bridge to the internet"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, In. Interface''': "l2tp-aaisp"

## '''General, Out. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow from the internet to the L2TP public bridge"

## Save the rule with '''OK'''.

Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.

==== IPv6 firewall ====

We'll repeat exactly the same rules for IPv6:

# Go to '''IPv6, Firewall''' and select the '''Filter Rules''' tab.

# Add a new rule:

## '''General, Chain''': "input"

## '''General, Protocol''': "udp"

## '''Dst. Port''': "53"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "input: allow UDP DNS from L2TP LAN"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "input"

## '''General, Protocol''': "tcp"

## '''Dst. Port''': "53"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "input: allow TCP DNS from L2TP LAN"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, In. Interface''': "bridge-l2tp-public"

## '''General, Out. Interface''': "l2tp-aaisp"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow from L2TP public bridge to the internet"

## Save the rule with '''OK'''.

# Add a new rule:

## '''General, Chain''': "forward"

## '''General, In. Interface''': "l2tp-aaisp"

## '''General, Out. Interface''': "bridge-l2tp-public"

## '''Action, Action''': "accept"

## '''Comment''': "forward: allow from the internet to the L2TP public bridge"

## Save the rule with '''OK'''.

Rules can be re-ordered in the Firewall list by dragging them up and down. Drag these four new rules above the two "drop all remaining traffic" rules.

=== Conclusion ===

You should now have a working second bridge on ports 4 and 5 that allows you to configure internet facing IP addresses.

These IP addresses are not firewalled by the router, so you '''must''' ensure you have a suitable firewall on any device before you connect it to these ports.

=== Base configuration ===

add action=accept chain=input comment=\

"input: allow established & related traffic" connection-state=\

established,related

add action=accept chain=forward comment=\

"forward: allow established & related traffic" connection-state=\

established,related

add action=drop chain=input comment="input: drop all remaining traffic"

add action=drop chain=forward comment="forward: drop all remaining traffic"

/ip firewall mangle

add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\

clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \

tcp-flags=syn

/ip firewall nat

add action=masquerade chain=srcnat comment=\

"NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address" out-interface=\

!bridge-l2tp-lan src-address=192.168.88.0/24

/ipv6 address

add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan

/ipv6 firewall filter

add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6

add action=accept chain=forward comment="forward: allow all ICMP" protocol=\

icmpv6

add action=accept chain=input comment="input: allow all from L2TP LAN" \

in-interface=bridge-l2tp-lan

add action=accept chain=forward comment="forward: allow all from L2TP LAN" \

in-interface=bridge-l2tp-lan

add action=drop chain=input comment="input: drop all remaining traffic"

add action=drop chain=forward comment="forward: drop all remaining traffic"

/ipv6 firewall mangle

add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\

clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \

tcp-flags=syn

add action=accept chain=forward

/system clock

set time-zone-name=Europe/London

/system note

set show-at-login=no

/system ntp client

set enabled=yes

/system ntp client servers

add address=time.aa.net.uk

/system routerboard settings

set auto-upgrade=yes

</pre>

=== With a block of IPv4 IPs ===

<pre>

/interface bridge

add name=bridge-l2tp-lan

add name=bridge-l2tp-public

/ip pool

add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254

/interface l2tp-client

add add-default-route=yes allow-fast-path=yes connect-to=l2tp.aa.net.uk \

disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively \

user=example@a.1

/interface bridge port

add bridge=bridge-l2tp-lan interface=ether2

add bridge=bridge-l2tp-lan interface=ether3

add bridge=bridge-l2tp-public interface=ether4

add bridge=bridge-l2tp-public interface=ether5

/ip address

add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0

add address=198.51.100.57/29 interface=bridge-l2tp-public network=\

198.51.100.56

/ip dhcp-client

add default-route-distance=255 interface=ether1

/ip dhcp-server

add address-pool=dhcp_pool0 interface=bridge-l2tp-lan name=dhcp1

/ip dhcp-server network

add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns

set allow-remote-requests=yes

/ip firewall filter

add action=accept chain=input comment="input: allow all ICMP" protocol=icmp

add action=accept chain=input comment="input: allow all from L2TP LAN" \

in-interface=bridge-l2tp-lan

add action=accept chain=forward comment="forward: allow all from L2TP LAN" \

in-interface=bridge-l2tp-lan

add action=accept chain=input comment=\

"input: allow established & related traffic" connection-state=\

established,related

add action=accept chain=forward comment=\

"forward: allow established & related traffic" connection-state=\

established,related

add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \

dst-port=53 in-interface=bridge-l2tp-public protocol=udp

add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \

dst-port=53 in-interface=bridge-l2tp-public protocol=tcp

add action=accept chain=forward comment=\

"forward: allow from L2TP public bridge to the internet" in-interface=\

bridge-l2tp-public out-interface=l2tp-aaisp

add action=accept chain=forward comment=\

"forward: allow from the internet to the L2TP public bridge" \

in-interface=l2tp-aaisp out-interface=bridge-l2tp-public

add address=2001:8b0:db8:acb2::1 advertise=no interface=bridge-l2tp-public

add action=accept chain=input comment="input: allow UDP DNS from L2TP LAN" \

dst-port=53 in-interface=bridge-l2tp-public protocol=udp

add action=accept chain=input comment="input: allow TCP DNS from L2TP LAN" \

dst-port=53 in-interface=bridge-l2tp-public protocol=tcp

add action=accept chain=forward comment=\

"forward: allow from L2TP public bridge to the internet" in-interface=\

bridge-l2tp-public out-interface=l2tp-aaisp

add action=accept chain=forward comment=\

"forward: allow from the internet to the L2TP public bridge" \

in-interface=l2tp-aaisp out-interface=bridge-l2tp-public

== Performance tests ==

There are many factors that affect the throughput you'll achieve, but I have tested the following devices using the 600mbit Business L2TP service over a gigabit fibre connection with several different speed tests, including:

* A&A's librespeed tester at https://speedtest.aa.net.uk/

* iperf3 to A&A's iperf3 server

* Steam downloads

* HTTP downloads from major CDNs such as Fastly

* speedtest.net

* ThinkBroadband's speed tester

Please note that these tests all use large packet sizes, and if your use cases use small packets you can expect lower performance. There is no substitute for testing with your own usecase!

Using these tests, I achieved the following results:

* '''[https://mikrotik.com/product/rb4011igs_rm RB4011]''': typically hits the 600mbit service cap with single or multiple connections

* '''[https://mikrotik.com/product/hap_ax2 hAP ax2]''': approx 450mbit max with a single connection, 500-600mbit with multiple connections

* '''[https://mikrotik.com/product/hap_ac2 hAP ac2]''': approx 350-400mbit max with a single connection, approx 450mbit max with multiple connections