MikroTik Config: cAP Lite Wifi Router w/L2TP VPN & Guest Wifi

This is an example configuration file for the MikroTik cAP Lite. The cAP Lite is a tiny access point with full RouterOS router functionality. It has one 10/100 Ethernet interface and can be powered over 5V MicroUSB or by any 10-60V PoE injector.

[Figure: cAP lite config diagram]

Config Features

  • Wired WAN
  • Wifi LAN
  • Firewall/NAT
  • Isolated Guest Wifi Network
  • L2TP over IPSec Remote Access VPN

Configuration File Home AP+Router w/L2TP VPN & Guest Wifi

# nov/30/2017 14:01:27 by RouterOS 6.40.5
# reference = https://jcutrer.com/howto/networking/mikrotik/mikrotik-rbcapl-…e-config-home-ap
# revision = 1.0
# model = RouterBOARD cAP L-2nD
/interface bridge
add comment="LAN Bridge" name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment=Wifi \
    country="united states" disabled=no distance=indoors frequency=auto mode=ap-bridge \
    rx-chains=0,1 ssid="MikroTik" tx-chains=0,1 wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment=Wifi
/interface wireless nstreme
set wlan1 comment=Wifi
/ip neighbor discovery
set ether1 discover=no
# Wifi Security Settings
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=mywifisecret \
    wpa2-pre-shared-key=mywifisecret
# Guest Wifi Security Settings
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=profile-guest \
    supplicant-identity=MikroTik wpa-pre-shared-key=guestpassword wpa2-pre-shared-key=\
    guestpassword
# Guest Wifi Interface
/interface wireless
add comment="Guest Wifi" disabled=no master-interface=wlan1 \
    name=wlan2 security-profile=profile-guest ssid="MikroTik-Guest"
/interface wireless manual-tx-power-table
set wlan2 comment="Guest Wifi"
/interface wireless nstreme
set wlan2 comment="Guest Wifi"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=
add name=vpn ranges=
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/ppp profile
set *FFFFFFFE local-address= remote-address=vpn
/interface bridge filter
add action=drop chain=forward comment="Isolate Guest Wifi" in-interface=wlan2
add action=drop chain=forward comment="Isolate Guest Wifi" out-interface=wlan2
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=wlan2
/ip firewall connection tracking
set tcp-established-timeout=5h
# Enable L2TP Server and Set PreShared Key
/interface l2tp-server server
set enabled=yes ipsec-secret=myvpnsecret use-ipsec=yes
/ip address
add address= interface=wlan1 network=
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address= gateway= netmask=24
# Begin Firewall Rules
/ip firewall filter
add action=accept chain=input comment="Allow Ping (icmp)" protocol=icmp
add action=accept chain=input comment="Allow established" connection-state=established
add action=accept chain=input comment="Allow related" connection-state=related
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 protocol=udp
add action=drop chain=input comment="Deny All input from WAN" in-interface=ether1
add action=drop chain=forward comment="deny new,invalid,untracked connections" \
    connection-state=invalid,new,untracked in-interface=ether1
add action=accept chain=forward comment="allow established,related connections" \
    connection-state=established,related in-interface=ether1
add action=drop chain=forward comment="deny All forward from WAN" in-interface=ether1
# Begin NAT Rules
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
# Disable Unneeded IP Services
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# VPN User Account
/ppp secret
add name=vpnuser password=vpnpass
/system clock
set time-zone-name=America/New_York
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=wlan1
add interface=wlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=wlan1
add interface=wlan2

Download this File cap-lite-example-config.rsc

Customize Before Use

Before you use the above configuration on your router, change the WiFi SSIDs, the wireless passwords, the L2TP shared secret, and the PPP username and password.

  • Line 10: Wireless SSID
  • Line 29: Guest Wireless SSID
  • Line 20-21: Wireless Password
  • Line 24-25: Guest Wireless Password
  • Line 54: IPSec Secret (PreShared Key)
  • Line 85: VPN username & password
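
A pre-deployment check for the customization list above, added here as an example and not part of the original page or its download: it scans a RouterOS export for the placeholder SSIDs, keys and VPN credentials published in this config and reports the line each one starts on. The function name and the sample export are constructed for illustration, and the code assumes the layout of an export, with each menu path on its own line.

```python
import re

# Placeholder values published in the example config above, keyed by
# (export menu, setting). All of them are public and must be replaced.
PLACEHOLDERS = {
    ("/interface wireless", "ssid"): {"MikroTik", "MikroTik-Guest"},
    ("/interface wireless security-profiles", "wpa-pre-shared-key"): {"mywifisecret", "guestpassword"},
    ("/interface wireless security-profiles", "wpa2-pre-shared-key"): {"mywifisecret", "guestpassword"},
    ("/interface l2tp-server server", "ipsec-secret"): {"myvpnsecret"},
    ("/ppp secret", "name"): {"vpnuser"},
    ("/ppp secret", "password"): {"vpnpass"},
}
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted value"

def find_placeholders(text):
    """Return (line_no, menu, key, value) for each setting still at a published default."""
    hits, menu, buf, start = [], "", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no                 # first physical line of this logical line
        buf += raw.strip()
        if buf.endswith("\\"):              # export wraps long lines, even mid-value
            buf = buf[:-1]
            continue
        line, at, buf, start = buf, start, "", 0
        if line.startswith("/"):            # assumption: menu path on its own line
            menu = line
        elif not line.startswith("#"):
            for key, value in PAIR.findall(line):
                if value.strip('"') in PLACEHOLDERS.get((menu, key), ()):
                    hits.append((at, menu, key, value.strip('"')))
    return hits

# Constructed sample: a partly customized copy of the example (not a real device export).
SAMPLE = r'''/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid="HomeNet"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=Xk29-river-lamp wpa2-pre-shared-key=Xk29-river-lamp
add name=profile-guest wpa-pre-shared-key=guestpassword wpa2-pre-shared-key=\
    guestpassword
/interface l2tp-server server
set enabled=yes ipsec-secret=myvpnsecret use-ipsec=yes
/ppp secret
add name=alice password=vpnpass
'''

if __name__ == "__main__":
    for no, menu, key, value in find_placeholders(SAMPLE):
        print(f"line {no}: {menu} {key}={value} is still the published placeholder")
```
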

Configuration Details

  • WAN Interface: ether1 (IP:DHCP Assigned)
  • LAN Interface: bridge (IP:
  • Wifi Interface: wlan1 (SSID: MikroTik)
  • Guest Wifi Interface: wlan2 (SSID: MikroTik-Guest)
  • LAN Subnet:
  • DHCP Pool:
  • VPN Pool:


cAP Lite Model Number: RBcAPL-2nD
