Revision as of 09:05, 12 November 2024 (view source) TomJepp (talk \| contribs) No edit summary ← Older edit		Revision as of 21:43, 12 November 2024 (view source) TomJepp (talk \| contribs) No edit summary Newer edit →
== TODO == * v4 blocks? * DHCPv6-PD? It works but it won't be nice for multiple v6 blocks * statically configured v6? * NTP client * NTP server? probably out of scope == Before you start == # Make sure your router is running reasonably up to date RouterOS. # Make sure you know your account details provided by A&A for the L2TP connection. # Check what IP addresses you've been assigned. This guide will assume you have 1x IPv4 assigned (198.51.100.127), and a ~~/48~~single IPv6 ~~block~~/64 subnet (2001:8b0:db8:acb1::/4864) set up in the Control Pages. # Make sure you're starting with a freshly factory reset router without any default configuration. # This guide will use WinBox to set up your router. You can grab the latest version from https://mikrotik.com/download and this guide was written & tested with v3.41. A config export is provided at the end for advanced users. When you add the port that your PC is connected to, you might get disconnected from WinBox. That's normal - you should be able to reconnect after a few seconds. Now the bridge is configured, we'll set up an IPIPv4 address, an IPv6 address, time synchronisation, DNS, and DHCP server: ==== IPv4 address ==== # From the WinBox menu, open '''IP, Addresses''', and click '''+''' to create a new IP address. # For '''Address''', set "192.168.88.1/24". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-lan". # Save the address with '''OK'''. ~~# Now open '''IP, DNS''' from the WinBox menu and tick ''Allow Remote Requests''. Save this with '''OK'''.~~ ==== IPv6 address ==== # From the WinBox menu, open '''IPv6, Addresses''', and click '''+''' to create a new IP address. # For '''Address''', we will use an address in our subnet ending in ::1. If your assigned subnet is (for example) 2001:8b0:db8:acb1::/64, we would use "2001:8b0:db8:acb1::1/64". Leave '''Network''' blank, and set '''Interface''' to "bridge-l2tp-lan". # Tick '''Advertise'''. # Save the address with '''OK'''. ==== Time synchronisation ==== # Open '''System, NTP Client''' from the WinBox menu. # Tick '''Enabled'''. # Set '''NTP Servers''' to "time.aa.net.uk". # Leave '''VRF''' set to "main". # Click '''OK''' to save the changes. Your router's clock should synchronise automatically in the background. ==== DNS ==== # Now open '''IP, DNS''' from the WinBox menu. # Tick ''Allow Remote Requests'''. # Save this with '''OK'''. ==== DHCP ==== # Open '''IP, DHCP Server''' from the WinBox menu and click '''DHCP Setup'''. # For '''DHCP Server Interface''', select "bridge-l2tp-lan" and click '''Next'''. <pre> /interface bridge ~~add name=bridge-l2tp-lan~~ add name=bridge-l2tp-lan ~~/ip pool add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254~~ /ip pool ~~/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge-l2tp-lan name=dhcp1~~ add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254 ~~/interface l2tp-client add add-default-route=yes connect-to=l2tp.aa.net.uk disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively user=example@a.1~~ /ip dhcp-server ~~/interface bridge port add bridge=bridge-l2tp-lan interface=ether2~~ ~~/interface bridge port~~ add ~~bridge~~address-pool=dhcp_pool0 interface=bridge-l2tp-lan ~~interface~~name=~~ether3~~dhcp1 /interface ~~bridge port add bridge=bridge-~~l2tp-~~lan interface=ether4~~client add add-default-route=yes allow-fast-path=yes connect-to=l2tp.aa.net.uk \ ~~/interface bridge port add bridge=bridge-l2tp-lan interface=ether5~~ disabled=no name=l2tp-aaisp profile=default use-peer-dns=exclusively \ ~~/ip address add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0~~ user=example@a.1 ~~/ip dhcp-client add default-route-distance=255 interface=ether1~~ /interface bridge port ~~/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1~~ add bridge=bridge-l2tp-lan interface=ether2 ~~/ip dns set allow-remote-requests=yes~~ add bridge=bridge-l2tp-lan interface=ether3 ~~/ip firewall filter add action=accept chain=input comment="input: allow all ICMP" protocol=icmp~~ add bridge=bridge-l2tp-lan interface=ether4 ~~/ip firewall filter add action=accept chain=input comment="input: allow all from L2TP LAN" in-interface=bridge-l2tp-lan~~ add bridge=bridge-l2tp-lan interface=ether5 ~~/ip firewall filter add action=accept chain=forward comment="forward: allow all from L2TP LAN" in-interface=bridge-l2tp-lan~~ /ip address ~~/ip firewall filter add action=accept chain=input comment="input: allow established & related traffic" connection-state=established,related~~ add address=192.168.88.1/24 interface=bridge-l2tp-lan network=192.168.88.0 ~~/ip firewall filter add action=accept chain=forward comment="forward: allow established & related traffic" connection-state=established,related~~ /ip dhcp-client ~~/ip firewall filter add action=drop chain=input comment="input: drop all remaining traffic"~~ add default-route-distance=255 interface=ether1 ~~/ip firewall filter add action=drop chain=forward comment="forward: drop all remaining traffic"~~ /ip dhcp-server network ~~/ip firewall mangle add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp tcp-flags=syn~~ ~~/ip firewall nat~~ add ~~action~~address=~~masquerade chain=srcnat comment="NAT: masquerade~~ 192.168.88.0/24 ~~to l2tp~~dns-~~aaisp's address" out-interface~~server=~~l2tp-aaisp~~192.168.88.1 ~~src-address~~gateway=192.168.88.~~0/24~~1 /ip dns ~~/ipv6 address add address=::1 from-pool=pool-aaisp-ipv6 interface=bridge-l2tp-lan~~ set allow-remote-requests=yes ~~/ipv6 dhcp-client add add-default-route=yes interface=l2tp-aaisp pool-name=pool-aaisp-ipv6 prefix-hint=::/64 request=address,prefix~~ /ip firewall filter ~~/ipv6 firewall filter add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6~~ ~~/ipv6 firewall filter~~ add action=accept chain=~~forward~~input comment="~~forward~~input: allow all ICMP" protocol=~~icmpv6~~icmp ~~/ipv6 firewall filter~~ add action=accept chain=input comment="input: allow all from L2TP LAN" ~~in-interface=bridge-l2tp-lan~~\ ~~/ipv6~~ ~~firewall~~ ~~filter~~ ~~add action=accept chain=forward comment="forward: allow all from L2TP LAN"~~ in-interface=bridge-l2tp-lan ~~/ipv6 firewall filter~~ add action=accept chain=~~input~~forward comment="~~input~~forward: allow ~~established~~all &from ~~related~~L2TP ~~traffic~~LAN" ~~connection-state=established,related~~\ in-interface=bridge-l2tp-lan ~~/ipv6 firewall filter add action=accept chain=forward comment="forward: allow established & related traffic" connection-state=established,related~~ ~~/ipv6 firewall filter~~ add action=accept chain=input comment=~~"input: allow DHCPv6-PD" dst-port=546 protocol=udp~~\ "input: allow established & related traffic" connection-state=\ ~~/ipv6 firewall filter add action=drop chain=input comment="input: drop all remaining traffic"~~ established,related ~~/ipv6 firewall filter add action=drop chain=forward comment="forward: drop all remaining traffic"~~ add action=accept chain=forward comment=\ ~~/ipv6 firewall mangle add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp tcp-flags=syn~~ "forward: allow established & related traffic" connection-state=\ ~~/ipv6 firewall mangle add action=accept chain=forward~~ established,related ~~/system clock set time-zone-name=Europe/London~~ add action=drop chain=input comment="input: drop all remaining traffic" ~~/system note set show-at-login=no~~ add action=drop chain=forward comment="forward: drop all remaining traffic" ~~/system routerboard settings set auto-upgrade=yes~~ /ip firewall mangle add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\ clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \ tcp-flags=syn /ip firewall nat add action=masquerade chain=srcnat comment=\ "NAT: masquerade 192.168.88.0/24 to l2tp-aaisp's address" out-interface=\ !bridge-l2tp-lan src-address=192.168.88.0/24 /ipv6 address add address=2001:8b0:db8:acb1::1 interface=bridge-l2tp-lan /ipv6 firewall filter add action=accept chain=input comment="input: allow all ICMP" protocol=icmpv6 add action=accept chain=forward comment="forward: allow all ICMP" protocol=\ icmpv6 add action=accept chain=input comment="input: allow all from L2TP LAN" \ in-interface=bridge-l2tp-lan add action=accept chain=forward comment="forward: allow all from L2TP LAN" \ in-interface=bridge-l2tp-lan add action=accept chain=input comment=\ "input: allow established & related traffic" connection-state=\ established,related add action=accept chain=forward comment=\ "forward: allow established & related traffic" connection-state=\ established,related add action=drop chain=input comment="input: drop all remaining traffic" add action=drop chain=forward comment="forward: drop all remaining traffic" /ipv6 firewall mangle add action=change-mss chain=forward comment="TCP: clamp MSS to PMTU" new-mss=\ clamp-to-pmtu out-interface=l2tp-aaisp passthrough=yes protocol=tcp \ tcp-flags=syn add action=accept chain=forward /system clock set time-zone-name=Europe/London /system note set show-at-login=no /system ntp client set enabled=yes /system ntp client servers add address=time.aa.net.uk /system routerboard settings set auto-upgrade=yes </pre>

User:TomJepp/RouterOS L2TP (view source)

Revision as of 21:43, 12 November 2024