Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            L2TP client: MikroTik

            Modified on Wed, 8 Dec, 2021 at 8:24 PM

            Overview: if we have provided you with a bespoke L2TP connection, perhaps to access a client device behind NAT or dynamic IP, then this article will show you how to connect a MikroTik device to the VPN.

            You will need the following information before you begin:

            • Admin details to acces the MikroTik device via WinBox or WebFig
            • L2TP server IP: ---.---.---.---
            • L2TP username: _ _ _ _ _ _
            • L2TP password: _ _ _ _ _ _
            • IP Sec pre-shared key: _ _ _ _ _ _ 
            • Public HTTP port number: _ _ _ _ _


            WARNING: Before you add this L2TP connection, please set a VERY complex "admin" password of at least 16 characters - including special symbols - in order to reduce your device security risks; the "admin" password is nothing to do with the L2TP password.


            From WinBox or WebFig navigate to Interfaces > Add > L2TP client > [enter the details below and click OK]


            "General" tab:

            Max MTU: 1400

            Max MRU: 1400


            "Dial out" tab:

            Connect To: {L2TP server IP}

            User: {L2TP username} 

            Password: {L2TP password} 

            Use IPsec: Yes (enabled)

            IPsec Secret: {IP Sec pre-shared key}



            Once the link is up (check IP > Addresses, and you should see an IP such as 172.16.xxx.xxx) then you can test accessing the device publically:


            http://xxx.xxx.xxx.xxx:yyyyy (replace xxx with the L2TP server IP, and replace yyyy with the public HTTP port number)


            You should now have access to port 80 on the local device; if you need another port (such as HTTPS port 443) then simply ask us for the port forwarding rule to be modified for this VPN client).



            Firewall

            The standard MikroTik firewall may block inbound traffic to the L2TP VPN. The recommended change to the firewall is to "inform" the firewall that this is legitimate traffic. Here's how:

             From WinBox or WebFig navigate to IP> Firewall> Address Lists tab > [Click + to add a new list]

            Name: RemoteSupport

            Address: 172.16.0.0/22 [Click OK]


            Navigate back to the Filter Rules tab, and look for a rule called "defconf: drop all not coming from LAN" [double-click to edit this rule] Note: some MikroTik models do not come with a default set of firewall rules, but most do.


            On the Advanced tab select RemoteSupport from the "Scr. Address List", click the box (this places an exclamation mark ! in the box), then click OK.

            Explanation: This firewall rule normally blocks all inbound traffic except from the LAN interface. We have also added the RemoteSupport (VPN) traffic to this exception; the ! mark is "not", in effect saying "only block traffic NOT from the RemoteSupport VPN, and NOT from the LAN."




            Tip: you may find this Windows VPN article useful too - https://internetservices.freshdesk.com/en/support/solutions/articles/5000866097-windows-l2tp-vpn-client-allow-internet-browsing

            By having an L2TP connection on your computer (or router) you can connect directly to the VPN clients via their 172.16.xxx.xxx IP address.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0