MikroTik: L2TP/IPsec VPN Firewall Rules
When you configure an L2TP/IPsec VPN on a MikroTik RouterOS device, you need to add several IP Firewall (Filter) rules so that clients outside the network can reach the router: IKE on 500/udp, NAT-T on 4500/udp, the ESP protocol itself, and L2TP on 1701/udp.
L2TP/IPSec Firewall Rule Set
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (1701/udp)"
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (4500/udp)"
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500/udp)"
RouterOS evaluates filter rules top to bottom, so these accept rules must be placed above any drop rules in the “input” chain. The rules assume ether1 is your WAN interface; if your uplink is something else (for example a pppoe-out interface), use that interface name in in-interface instead.
The ruleset can be further condensed by combining the three UDP rules into one:
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500,4500,1701/udp)"
Add these firewall rules in Winbox
If you want to avoid pasting commands into the CLI, you can create these firewall rules in Winbox; here are some screenshots.
Important: Don’t forget to reorder your input rules!
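As an added example (not part of the original tutorial), here is a small Python checker that parses the text printed by /ip firewall filter export and reports whether the tutorial's accept rules are present in the input chain and whether any of them sit below the first drop or reject rule, where they would never match. The export text embedded below is constructed for the demonstration and deliberately has the rules in the wrong order.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "/ip firewall filter export" output: the tutorial's two
# condensed rules were appended *after* an existing drop rule, so they never match.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1 comment="drop everything else from WAN"
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \\
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \\
    comment="allow L2TP VPN (500,4500,1701/udp)"
"""

# (protocol, dst-port) pairs the tutorial says must be accepted in the input chain
REQUIRED: Set[Tuple[str, str]] = {("ipsec-esp", ""), ("udp", "500"), ("udp", "1701"), ("udp", "4500")}

def parse_rules(export: str) -> List[Dict[str, str]]:
    """Join backslash-continued lines, then turn each 'add ...' line into a key=value dict."""
    rules = []
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])))
    return rules

def matched_pairs(rule: Dict[str, str]) -> Set[Tuple[str, str]]:
    """Which REQUIRED (protocol, port) pairs this rule would accept."""
    if rule.get("action") != "accept":
        return set()
    if rule.get("protocol") == "ipsec-esp":
        return {("ipsec-esp", "")}
    if rule.get("protocol") == "udp":
        return {("udp", p) for p in rule.get("dst-port", "").split(",")} & REQUIRED
    return set()

def check_l2tp_rules(export: str) -> Dict[str, List[Tuple[str, str]]]:
    """Report required pairs that are absent, and pairs whose accept rule sits below
    the first drop/reject in the input chain (RouterOS evaluates rules top to bottom)."""
    chain = [r for r in parse_rules(export) if r.get("chain") == "input"]
    first_deny = next((i for i, r in enumerate(chain) if r.get("action") in ("drop", "reject")), len(chain))
    effective: Set[Tuple[str, str]] = set()
    shadowed: Set[Tuple[str, str]] = set()
    for i, rule in enumerate(chain):
        (effective if i < first_deny else shadowed).update(matched_pairs(rule))
    shadowed -= effective  # a correctly placed duplicate makes the pair effective anyway
    return {"missing": sorted(REQUIRED - effective - shadowed), "shadowed": sorted(shadowed)}

if __name__ == "__main__":
    print(check_l2tp_rules(SAMPLE_EXPORT))
```

Run it against a real export (saved with /ip firewall filter export file=filter) after pasting the rules; an empty "shadowed" list means the reorder step was done.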
I hope you found this MikroTik Tutorial about L2TP/IPsec VPN Firewall Rules useful. If it helped you out, please leave a comment below and check out my other MikroTik Tutorials!
9 Replies to “MikroTik: L2TP/IPsec VPN Firewall Rules”
Hi, thanks for the tutorial. Is there a way to test why traffic is being dropped even though the connection through the port seems to have been established?
This may help you https://jcutrer.com/howto/networking/mikrotik/l2tp-over-ipsec-troubleshooting
Thanks for the guide. I can connect through vpn, but I am not able to ping local addresses. Is there something else in the firewall?
It may be a NAT issue depending on how the rule is configured. Having a src-nat rule that only has one match defined (outbound WAN interface) should allow the traffic between the VPN Pool IPs and the LAN subnet. I hope that helps.
Very good my Friend! Thanks !!!
saved my day
Hi,
it’s an old post, so, please accept my humble apologies for bothering you.
I am using a pppoe connection to connect to my ISP from my router and I would like to set up an L2TP-IPsec server too on the same router. The client is an old laptop. I watched many tutorials (especially on YouTube), but no one helped me. I feel that something is incomplete. Maybe I should declare in GUI (the CLI’s commands are awful) in IP -> Firewall -> Filter notes -> add new… IN interface pppoe-out/dynamic (instead of WAN/ether1)?
Off-topic:
I remember my old Cisco router’s config – I used it to forward OpenVPN incoming connections (on a non-standard 7620 port) to other (non-Cisco) router behind…
Without these rules, I couldn’t connect…
!
interface Dialer0
…
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
…
ip route 0.0.0.0 0.0.0.0 10.0.0.1 # ISP’s gateway’s IP
!
…
ip nat inside source static udp 10.10.10.10 1194 interface Dialer0 7620
…
access-list 103 permit udp any any eq 7620
Thank you very much.
You sir, are a life saver. Works as charm. Thank you!
Hello, I’m having a problem!… I have an RB201, I’m able to connect to a VPN, but the speed is at low company, it didn’t start to grow at 1 MB, I changed an MTU to 1300 and now it reaches 3 MB and note that my CPU when I copy the file goes to 90%, and it doesn’t go beyond 3 MB, what am I doing wrong? or is this RB that does not support?… From now on