MikroTik: L2TP/IPsec VPN Firewall Rules

MikroTik: L2TP/IPsec VPN Firewall Rules

When you configure a L2TP/IPSec VPN on a MikroTik RouterOS device you need to add several IP Firewall (Filter) rules to allow clients to connect from outside the network.

L2TP/IPSec Firewall Rule Set

/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (1701/udp)"
add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (4500/udp)"
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500/udp)"

These rules must be placed above any deny rules on the “input” chain.

The ruleset can be further condensed by combining the 3 udp rules into one.

/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500,4500,1701/udp)"

Add these firewall rules in Winbox

If you want to avoid pasting commands into the cli you can create these firewall rules in winbox, here are some screenshots.

Winbox Screenshots - Click to Enlarge
Winbox Screenshots – Click to Enlarge

Important: Don’t forget to reorder your input rules!

l2tp-ipsec-reorder-firewall-rules-winbox

I hope you found this MikroTik Tutorial about L2TP/IPsec VPN Firewall Rules useful. If it helped you out, please leave a comment below and checkout my other MikroTik Tutorials!

NetScout LinkRunner G2

LinkRunner G2 is the ultimate network cable test tool


CAT5 Cable Tester, Measure Cable Length,
PoE Voltage, Network Connectivity, Switch Port ID
Optional Wireless & Fiber Optics Modules
Check Price on Amazon

7 Replies to “MikroTik: L2TP/IPsec VPN Firewall Rules”

  1. Hi thanks for the tutorial. Is there a way to test why traffic is being dropped even though connection through Port seems to have been established.

  2. Thanks for the guide. I can connect through vpn, but I am not able to ping local addresses. Is there something else in the firewall?

    1. It may be a NAT issue depending on how the rule is configured. Having a src-nat rule that only has one match defined (outbound WAN interface) should allow the traffic between the VPN Pool IPs and the LAN subnet. I hope that helps.

  3. Hi,

    it’s an old post, so, please accept my humble apologies for bothering you.

    I am using a pppoe connection to connect to my ISP from my router and I would like to set up a L2TP-IPsec server too on the same router. The client is an old laptop. I watched many tutorials (especially on Youtube), but no one helped me. I feel that something is uncomplete. Maybe I should declare in GUI (the CLI’s commands are awful) in IP -> Firewall -> Filter notes -> add new… IN interface pppoe-out/dynamic (instead WAN/ether1) ?

    Off-topic:
    I remember my old Cisco router’s config – I used it to forward OpenVPN incoming connections (on a non-standard 7620 port) to other (non-Cisco) router behind…
    Without these rules, I couldn’t connect…
    !
    interface Dialer0

    ppp ipcp dns request accept
    ppp ipcp route default
    ppp ipcp address accept
    !

    ip route 0.0.0.0 0.0.0.0 10.0.0.1 # ISP’s gateway’s IP
    !

    ip nat inside source static udp 10.10.10.10 1194 interface Dialer0 7620

    access-list 103 permit udp any any eq 7620

    Thank you very much.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.