MikroTik: L2TP/IPsec VPN Firewall Rules

MikroTik: L2TP/IPsec VPN Firewall Rules

When you configure a L2TP/IPSec VPN on a MikroTik RouterOS device you need to add several IP Firewall (Filter) rules to allow clients to connect from outside the network.

L2TP/IPSec Firewall Rule Set

These rules must be placed above any deny rules on the “input” chain.

The ruleset can be further condensed by combining the 3 udp rules into one.

Add these firewall rules in Winbox

If you want to avoid pasting commands into the cli you can create these firewall rules in winbox, here are some screenshots.

Winbox Screenshots - Click to Enlarge
Winbox Screenshots – Click to Enlarge

Important: Don’t forget to reorder your input rules!


I hope you found this MikroTik Tutorial about L2TP/IPsec VPN Firewall Rules useful. If it helped you out, please leave a comment below and checkout my other MikroTik Tutorials!

NetScout LinkRunner G2

LinkRunner G2 is the ultimate network cable test tool

CAT5 Cable Tester, Measure Cable Length,
PoE Voltage, Network Connectivity, Switch Port ID
Optional Wireless & Fiber Optics Modules
Check Price on Amazon

6 Replies to “MikroTik: L2TP/IPsec VPN Firewall Rules”

  1. Hi thanks for the tutorial. Is there a way to test why traffic is being dropped even though connection through Port seems to have been established.

  2. Thanks for the guide. I can connect through vpn, but I am not able to ping local addresses. Is there something else in the firewall?

    1. It may be a NAT issue depending on how the rule is configured. Having a src-nat rule that only has one match defined (outbound WAN interface) should allow the traffic between the VPN Pool IPs and the LAN subnet. I hope that helps.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.