Port Forwarding and MikroTik L2VPN


MikroTik L2TP VPN Overview

L2TP (Layer 2 Tunneling Protocol) is a VPN protocol commonly used to securely tunnel data over the internet. MikroTik, a popular router and network device manufacturer, supports L2TP VPN to allow remote users to connect to a network securely.

L2TP, by itself, does not provide encryption or strong authentication mechanisms. Therefore, L2TP is often paired with IPSec (Internet Protocol Security) to provide security (encryption and authentication). When L2TP is used in combination with IPSec, it becomes L2TP/IPSec, which provides a more secure VPN solution.

Why Use MikroTik L2TP VPN?

MikroTik’s L2TP VPN is useful for:

  • Remote Access: Enabling users to access internal resources (files, printers, etc.) from remote locations securely.
  • Secure Data Transmission: When paired with IPSec, it ensures that the data is encrypted, making it more secure against eavesdropping.
  • Compatibility: L2TP is supported on many operating systems, including Windows, macOS, Linux, iOS, and Android, making it highly compatible.

Key Benefits of MikroTik L2TP VPN:

  1. Security (with IPSec): L2TP itself doesn’t provide encryption, but when used with IPSec, it offers strong security for data in transit.
  2. No Need for Static IP: L2TP can work well in situations where you don’t have a static IP address on the router, as long as you use Dynamic DNS (DDNS) or the public IP of the MikroTik router.
  3. Cross-Platform Support: L2TP is supported by many operating systems, so users can easily connect to the MikroTik router from Windows, macOS, Linux, and mobile devices.
  4. Easy Setup on MikroTik: MikroTik routers come with built-in support for L2TP/IPSec, making it relatively easy to configure and maintain.

How Does MikroTik L2TP Work?

L2TP works by creating a virtual tunnel between the client (remote user) and the MikroTik router. This tunnel encapsulates the data, allowing it to traverse the internet securely. If IPSec is used, it encrypts the data to prevent unauthorized access.

Here’s a simplified overview of how it works:

  1. User Initiates the Connection: The client (remote user) initiates the L2TP connection request to the MikroTik router.
  2. Authentication: The router checks the user’s credentials (username/password) and establishes an authenticated connection.
  3. Data Encapsulation: Data from the client is encapsulated within the L2TP tunnel and transmitted securely across the internet.
  4. Encryption: If IPSec is enabled, the data is encrypted, ensuring its confidentiality during transmission.
  5. Access to Network: Once the connection is established, the remote user can access the network resources (like files, internal web servers, etc.) as if they were on the local network.

MikroTik L2TP Configuration (with IPSec)

Here’s a basic guide to configuring an L2TP VPN server on a MikroTik router with IPSec:

1. Enable L2TP Server on MikroTik:

  1. Log in to MikroTik Router:
    • Use WinBox or WebFig to log into your MikroTik router.
  2. Enable L2TP Server:
    • Go to PPP → Interface → L2TP Server.
    • Enable the L2TP server by clicking Enable.
  3. Configure the L2TP Server:
    • Under L2TP Server settings, ensure the following:
      • Use IPSec: Enable this option to secure the L2TP tunnel with IPSec.
      • IPSec Secret: Set a shared secret key for IPSec. This key will be used for encryption/authentication between the client and the router.

2. Configure PPP (Point-to-Point Protocol) Secrets for Authentication:

  1. Go to PPP → Secrets tab.
  2. Click Add to create a new user profile.
  3. Set up the following parameters:
    • Name: Username for the client.
    • Password: Password for the client.
    • Service: Choose l2tp (this indicates that the service is for L2TP VPN).
    • Profile: Choose default-encryption (or create a custom profile if necessary).
    • Local Address: Choose an internal IP range (e.g., 192.168.100.1/24) for L2TP clients to use.
    • Remote Address: Set a pool of IP addresses that the remote clients will receive once they connect.

3. Configure IPSec (for L2TP/IPSec):

  1. Go to IP → IPSec → Profiles and click Add.
  2. Set the Profile Name and the Encryption Algorithm (usually AES).
  3. Create an IPSec Peer under IPSec Peers, defining the public IP of the client, or use 0.0.0.0/0 to accept any remote client.
  4. Set the Shared Secret (this must match the one configured on the client side).

4. Create Firewall Rules (Optional):

  1. Go to IP → Firewall → Filter Rules.
  2. Add rules to allow L2TP/IPSec traffic:
    • For L2TP: Allow UDP port 1701.
    • For IPSec: Allow UDP ports 500 (ISAKMP) and 4500 (NAT-T).
  3. Ensure that the rules are set to accept traffic from the required IP addresses or networks.

5. Set Up NAT (Network Address Translation):

  1. Go to IP → Firewall → NAT and add a new rule for masquerading.
    • Chain: srcnat
    • Out. Interface: Select the interface connected to the internet (e.g., ether1).
    • Action: Choose masquerade to allow internet access for the VPN clients.

6. Testing the L2TP Connection:

  1. On the client device (Windows, macOS, or mobile):
    • Go to VPN settings and create a new L2TP connection.
    • Enter the public IP address of your MikroTik router, and the username/password created in the PPP Secrets.
    • Enter the IPSec shared secret (if configured) for encryption.
  2. Connect the client to the MikroTik router and verify that the connection is successful.
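The same server setup in RouterOS CLI form, as an added example that is not part of the original post; it covers steps 1 to 5, makes IPsec mandatory rather than merely enabled, and hardens the default IPsec profile and proposal that the L2TP server's dynamically created peer uses. Assumed values: ether1 is the WAN interface, 192.168.100.0/24 is the VPN address range from step 2, and vpnuser1 and the CHANGE_ME values are placeholders.

```routeros
# Added example (not from the original post). Placeholders: ether1 = WAN
# interface, 192.168.100.0/24 = VPN address range from step 2; vpnuser1 and
# the CHANGE_ME values must be replaced with real names and strong secrets.

# Step 2 "Remote Address": pool handed out to connecting clients
/ip pool add name=l2tp-pool ranges=192.168.100.10-192.168.100.100

# Step 2 "Profile": router side of the tunnel is .1, clients draw from the
# pool; use-encryption=required refuses clients without MPPE on the PPP layer
/ppp profile add name=l2tp-profile local-address=192.168.100.1 \
    remote-address=l2tp-pool use-encryption=required

# Step 2 "Secrets": one entry per user, bound to the profile
/ppp secret add name=vpnuser1 password=CHANGE_ME_STRONG_PASSWORD \
    service=l2tp profile=l2tp-profile

# Step 1 "Use IPSec" / "IPSec Secret": use-ipsec=required rejects clients
# that try to connect without IPsec; use-ipsec=yes would still accept them.
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile \
    authentication=mschap2 use-ipsec=required \
    ipsec-secret=CHANGE_ME_IPSEC_SHARED_SECRET

# Step 3 / "Use Strong Encryption": the peer the L2TP server creates
# dynamically uses the *default* IPsec profile and proposal, so that is
# where the algorithms are set. hash-algorithm takes a single value; if a
# client OS only offers sha1 for IKEv1, the negotiation fails in the log
# and sha1 has to stay. Drop aes-128 / modp1024 once all clients are confirmed.
/ip ipsec profile set default enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256 dh-group=modp2048,modp1024
/ip ipsec proposal set default enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha256,sha1

# Step 4: admit IKE, NAT-T, ESP and L2TP on the WAN side. The L2TP rule
# only matches packets that arrived inside an IPsec SA, so plain UDP/1701
# from the internet is never accepted. Place these above any input drop rule.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=500,4500 action=accept comment="IKE and NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP"
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP, only inside IPsec"

# Step 5: masquerade VPN clients that reach the internet through the router
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 \
    out-interface=ether1 action=masquerade
```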

Security Considerations:

  • Use Strong Passwords: Ensure that both the VPN credentials and IPSec shared secret are strong to prevent unauthorized access.
  • Enable Encryption: Always use IPSec with L2TP to ensure data encryption. Avoid using L2TP without IPSec because it doesn’t provide encryption.
  • Firewall Settings: Properly configure firewall rules to ensure only trusted IPs or networks can access the VPN.
  • Use Strong Encryption: Select strong encryption algorithms for both IPSec and L2TP to maintain data confidentiality.

Conclusion

MikroTik’s L2TP VPN is a reliable and secure method for remote access to your network. When combined with IPSec encryption, it offers a secure and robust solution for protecting your data while allowing remote users to access internal resources. By properly configuring the MikroTik router and client devices, you can ensure a seamless and secure remote connection.

What is Port Forwarding on MikroTik?

Port Forwarding on MikroTik

Port forwarding is a network configuration technique that directs incoming traffic on a specific port to a particular internal IP address and port on a local network. This is useful for services like web servers, game servers, or remote desktop access, where external users need to access devices or services within a private local network (LAN) from the internet.

In MikroTik routers, port forwarding is typically configured using NAT (Network Address Translation) rules. These rules are added in the MikroTik firewall to control how incoming packets are handled and forwarded to the appropriate devices inside the network.

When to Use Port Forwarding

Port forwarding is required in the following scenarios:

  • Accessing a web server, FTP server, or game server located in your local network from the internet.
  • Using remote desktop applications to access a device in the internal network.
  • Enabling access to specific applications or services (e.g., surveillance cameras, email servers) on the local network from remote locations.
  • Running a VoIP service or similar applications that need to be accessible externally.

How Port Forwarding Works

When an external device (e.g., a remote user) sends a request to your public IP address on a specific port (e.g., HTTP on port 80), the router checks its NAT table for the appropriate forwarding rule. If a matching rule is found, the router will forward that request to the specified internal IP address and port within the local network.

For example:

  • You may have a web server running on an internal computer with IP 192.168.1.100 on port 80 (HTTP).
  • A port forwarding rule is set on the router to forward any external requests on port 80 to this internal IP address.

Setting Up Port Forwarding on MikroTik Router

Follow these steps to configure port forwarding on a MikroTik router using the WinBox interface or WebFig (the web interface).

Step 1: Identify the Port and Service

Determine which service you want to forward and what port it uses. Common services and ports include:

  • HTTP (web servers) – Port 80
  • HTTPS (secure web servers) – Port 443
  • FTP (file transfer) – Port 21
  • SSH (secure shell) – Port 22
  • RDP (Remote Desktop Protocol) – Port 3389
  • Game servers – Specific game ports (varies by game)

Step 2: Create the Port Forwarding Rule in MikroTik

  1. Log into your MikroTik router using WinBox, WebFig, or SSH.
  2. Go to the NAT settings:
    • In WinBox/WebFig, navigate to IP → Firewall → NAT.
  3. Add a new NAT rule:
    • Click on the + button to add a new rule.
    • In the General tab:
      • Chain: Set this to dstnat (destination NAT).
      • Protocol: Choose the protocol (e.g., tcp for web traffic).
      • Dst. Port: Enter the external port that you want to forward (e.g., 80 for HTTP).
  4. Set the action to forward:
    • In the Action tab, choose dst-nat (Destination NAT).
    • To Addresses: Enter the internal IP address of the device you want the port to be forwarded to (e.g., 192.168.1.100).
    • To Ports: Enter the internal port number (often the same as the external port, e.g., 80 for a web server).
  5. Save the rule by clicking OK.

Example: Forward HTTP (Port 80) to a Web Server

  1. You want to forward HTTP traffic (port 80) to a web server with the internal IP address 192.168.1.100 running on port 80.
  2. Configure the following in MikroTik:
    • Chain: dstnat
    • Protocol: tcp
    • Dst. Port: 80
    • To Addresses: 192.168.1.100
    • To Ports: 80

This rule will forward any incoming traffic on port 80 (HTTP) to the internal server at IP 192.168.1.100 on the same port.

Step 3: Ensure Firewall Rules Allow the Connection

Make sure that the firewall on the MikroTik router allows incoming traffic on the forwarded port.

  1. Go to IP → Firewall → Filter Rules.
  2. Ensure there’s a rule allowing incoming traffic on the forwarded port (e.g., port 80 for HTTP).
  3. If necessary, add a rule to allow the traffic from the outside:
    • Chain: input
    • Protocol: tcp
    • Dst. Port: 80
    • Action: accept

Step 4: Test the Port Forwarding

  • External Test: From an external network (e.g., using a mobile device or an external computer), try to access your public IP address followed by the forwarded port. For example:
    • http://<your-public-ip>:80
    • If it’s a web server, it should open the web page hosted on the internal server.
  • Internal Test: You can also test by accessing the internal server from another device on the local network using the local IP address directly.

Advanced Port Forwarding Configuration

  1. Port Forwarding with Specific Source IP: If you only want to allow port forwarding from certain IPs (e.g., a specific external user or trusted network), you can add a condition for the source IP:
    • In the General tab of the NAT rule, set Src. Address to the IP address that should be allowed to initiate the connection.
  2. Multiple Services: If you need to forward multiple ports for different services, you can create multiple NAT rules (one for each port) or use a range of ports.
  3. Port Forwarding for a Range: If you need to forward a range of ports (e.g., for a game server), you can specify a range in the Dst. Port field:
    • Dst. Port: 5000-5050 for a range of ports.
  4. 1:1 NAT (for multiple services on a single IP): If you want to map a set of ports directly to a particular internal server, this can be done using 1:1 NAT, which ensures the public IP is directly mapped to a local IP.
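The port-forwarding steps above in RouterOS CLI form, as an added example that is not part of the original post; it admits the forwarded connections in the forward chain (a dst-nat'd packet is routed through the router rather than addressed to it, so an input rule would not see it) and applies the source-address and port-range variants from the advanced section. Assumed values: ether1 is the WAN interface, 192.168.1.100 is the web server from the HTTP example, 192.168.1.50 is a game server, and 203.0.113.10 (documentation range) stands in for a trusted admin address.

```routeros
# Added example (not from the original post). Assumed/placeholder values:
# ether1 = WAN interface, 192.168.1.100 = web server, 192.168.1.50 = game
# server, 203.0.113.10 = a trusted admin address (documentation range).

# Basic rule from the HTTP example: public :80 -> 192.168.1.100:80.
# in-interface=ether1 stops the rule from also rewriting LAN-side traffic.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.1.100 to-ports=80 \
    comment="HTTP to web server"

# Forwarded packets are routed *through* the router, so the filter check
# happens in the forward chain (input only sees traffic for the router).
# Matching the NAT state instead of repeating the port keeps the filter in
# step with whatever dstnat rules exist. Rules are evaluated top-down, so
# these three must sit above any existing catch-all.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="replies to existing connections"
/ip firewall filter add chain=forward connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 action=accept \
    comment="new connections that matched a dstnat rule"
/ip firewall filter add chain=forward connection-state=new \
    in-interface=ether1 action=drop comment="unsolicited inbound from WAN"

# "Port Forwarding for a Range": one rule covers the game-server range;
# without to-ports the original destination port is kept.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp \
    dst-port=5000-5050 action=dst-nat to-addresses=192.168.1.50 \
    comment="game server range"

# "Port Forwarding with Specific Source IP": expose RDP only to an address
# list, so adding or removing an admin is a list edit, not a rule edit.
/ip firewall address-list add list=rdp-admins address=203.0.113.10 \
    comment="trusted admin (placeholder)"
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=3389 src-address-list=rdp-admins action=dst-nat \
    to-addresses=192.168.1.100 comment="RDP, trusted sources only"

# Verify: per-rule packet counters show which forwards are actually hit.
/ip firewall nat print stats where chain=dstnat
```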

Security Considerations

  • Limit Access: Be cautious when exposing services to the internet, especially those that may be vulnerable (e.g., RDP, SSH). Always use strong passwords, and consider limiting access to known IP addresses where possible.
  • Firewall Configuration: Always ensure your MikroTik firewall is properly configured to only allow necessary traffic.
  • Port Scanning: Be aware that port scanning tools can expose open ports. Only forward ports you really need.

Conclusion

Port forwarding on a MikroTik router is an essential technique to allow external devices to access services inside a private network. It can be used to expose web servers, FTP servers, or other services securely to the internet, but it’s crucial to configure it correctly and ensure that only authorized traffic is allowed.

  • Create the VPN pool
  • Go to PPP and enable PPTP Server & L2TP Server
  • Create a profile
  • Create a user and bind the profile
  • Firewall, then NAT: srcnat, Dst. Address
  • VPN pool IP range, action: masquerade

Client Mikrotik Configuration