How to configure a Mikrotik firewall filter for incoming PPTP and L2TP connections?
Good day, gentlemen. Please advise on how to properly configure a filter for incoming PPTP and L2TP connections for the purpose of creating a bridge? After the holidays, failed connection attempts started appearing in the router logs. I have configured firewall rules in the forward chain with drop action for a list of IP addresses, but I see messages in the logs. Does this mean the rule is not working correctly, or is this normal behavior when rules are configured?
Mikrotik Firewall Configuration for Incoming PPTP and L2TP Connections
Configuring Mikrotik firewall rules for incoming PPTP and L2TP connections means allowing the right ports and protocols in the input chain (traffic terminated by the router itself) and then deciding in the forward chain what connected VPN clients may reach. The log messages do not mean the drop rules are broken, but they do show that the rules are in the wrong chain: a drop in the forward chain only affects traffic passing through the router, while a connection attempt to the router's own PPTP or L2TP service is handled by the input chain and never enters the forward chain. The pptp and l2tp services only log attempts that actually reached them, so every such message is a connection the input chain accepted.
Contents
- Mikrotik Firewall Basics for VPN
- PPTP Connection Configuration
- L2TP Connection Configuration
- Bridge Configuration for VPN
- Verification and Diagnostics of Rules
- Common Issues and Solutions
Mikrotik Firewall Basics for VPN
The Mikrotik firewall uses chains to process traffic. For VPN connections, three chains are particularly important:
- input - processes incoming packets destined for the router itself
- forward - processes packets passing through the router between interfaces
- output - processes outgoing packets from the router itself
For PPTP and L2TP connections, you need to allow specific ports and protocols in the input chain, because the router itself terminates the tunnel. PPTP uses TCP port 1723 for the control connection and GRE (IP protocol 47) for the data; L2TP uses UDP port 1701 and, when combined with IPsec as it should be, also UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50, written protocol=ipsec-esp in RouterOS). Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically broken; keep it only for clients that cannot do L2TP/IPsec, and do not expose it to the whole internet without a source-address restriction.
Important: RouterOS evaluates the rules of a chain top-down and the first match wins. Place the VPN accept rules above the generic drop at the end of the chain, and place the address-list drop above the VPN accept rules, in the chain the traffic actually traverses: attempts against the router's own VPN service are input-chain traffic, so a drop rule in the forward chain never sees them.
PPTP Connection Configuration
For proper PPTP VPN operation, you need to add the following rules:
# Allow PPTP traffic in input chain
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow PPTP control connection"
/ip firewall filter add chain=input protocol=gre action=accept comment="Allow PPTP GRE tunnel"
# Forward chain: only needed when the PPTP server is another host behind this router (reached via dst-nat). When the router itself terminates PPTP, the forward chain should instead accept traffic on the PPP interfaces of connected clients (in-interface=all-ppp / out-interface=all-ppp)
/ip firewall filter add chain=forward protocol=tcp dst-port=1723 action=accept comment="Allow PPTP forward"
/ip firewall filter add chain=forward protocol=gre action=accept comment="Allow PPTP GRE forward"
Adding Ethernet interfaces to a bridge joins those ports, but by itself it does not attach VPN clients to that bridge; the dynamic pptp/l2tp interface of a client is bridged through the bridge= parameter of the PPP profile (BCP). The bridge itself is created with:
/interface bridge add name=vpn-bridge
/interface bridge port add bridge=vpn-bridge interface=ether1
/interface bridge port add bridge=vpn-bridge interface=ether2
L2TP Connection Configuration
L2TP needs a few more rules because it runs over UDP and should be wrapped in IPsec, which adds IKE and ESP traffic:
# Allow L2TP traffic in input chain
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
# With IPsec, also allow IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50). RouterOS names the protocol ipsec-esp; L2TP/IPsec does not use AH
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IKE and NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="Allow IPsec ESP"
# Forward chain: only needed when the L2TP/IPsec server is another host behind this router; for clients terminated on the router, accept traffic on all-ppp instead
/ip firewall filter add chain=forward protocol=udp dst-port=1701 action=accept comment="Allow L2TP forward"
/ip firewall filter add chain=forward protocol=udp dst-port=500,4500 action=accept comment="Allow IKE and NAT-T forward"
/ip firewall filter add chain=forward protocol=ipsec-esp action=accept comment="Allow IPsec ESP forward"
For L2TP with IPsec, the usual way is not to write IPsec policies by hand but to enable IPsec on the L2TP server; RouterOS then creates the transport-mode peer and policy dynamically for each client:
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=<pre-shared-key>
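The PPTP and L2TP sections above list the rules one protocol at a time. The following is a complete, ordered ruleset for a router that terminates both PPTP and L2TP/IPsec itself, added here as an example; it is not from the original answer. It assumes ether1 is the WAN interface, that the addresses to be blocked are kept in an address list named vpn-blocklist, and that 203.0.113.0/24 is a constructed placeholder entry. The order is the point: the blocklist drop sits in the input chain above the VPN accept rules, plain (non-IPsec) L2TP falls through to the drop, and the forward chain admits only traffic on the PPP interfaces of authenticated clients.

```routeros
# Added example, not part of the original answer. Assumptions: ether1 = WAN,
# blocked sources live in the address list "vpn-blocklist",
# 203.0.113.0/24 is a constructed placeholder entry.
/ip firewall address-list
add list=vpn-blocklist address=203.0.113.0/24 comment="constructed example entry"

/ip firewall filter
# input chain: traffic to the router itself, i.e. to the PPTP/L2TP services
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input src-address-list=vpn-blocklist action=drop log=yes log-prefix="vpn-blocklist" \
    comment="blocklisted sources are dropped before any VPN accept rule"
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control (TCP 1723)"
add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP data (GRE, IP protocol 47)"
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T for L2TP/IPsec"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP for L2TP/IPsec"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only when it arrived inside IPsec; plain UDP 1701 falls through to the drop below"
add chain=input in-interface=ether1 action=drop log=yes log-prefix="input-drop" comment="everything else from WAN"

# forward chain: what authenticated VPN clients may reach. A drop here never
# affects connection attempts to the router's own VPN service
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=all-ppp action=accept comment="VPN clients into the LAN"
add chain=forward out-interface=all-ppp action=accept comment="LAN to VPN clients"
```

After pasting, /ip firewall filter print stats shows the packet counters per rule; entries prefixed vpn-blocklist in /log print are the proof that the drop now fires, and the pptp/l2tp service messages from those sources stop because their packets never reach the service. The input-drop prefix on the final rule is worth keeping for a while to see what else from the WAN was being silently dropped.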
Bridge Configuration for VPN
When setting up a bridge for VPN connections, perform the following steps:
- Create a bridge:
/interface bridge add name=vpn-bridge
- Add interfaces to the bridge:
/interface bridge port add bridge=vpn-bridge interface=your_interface1
/interface bridge port add bridge=vpn-bridge interface=your_interface2
- Configure NAT (if needed):
/ip firewall nat add chain=srcnat out-interface=your_outgoing_interface action=masquerade
- Check bridge configuration:
/interface bridge print
/interface bridge port print
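The steps above create a bridge of Ethernet ports, which by itself does not put a VPN client on that bridge. RouterOS attaches the dynamic pptp/l2tp interface of a session to a bridge through the bridge= setting of the PPP profile (BCP). The following is an added example, not part of the original answer; it assumes ether2 is the LAN port, that the remote side is a RouterOS device (BCP is not supported by the built-in Windows, macOS or Android VPN clients), and that the account name, password, pre-shared key and 10.99.0.0/24 addresses are placeholders to be replaced.

```routeros
# Added example, not part of the original answer. Assumptions: ether2 = LAN port,
# the peer is a RouterOS router (BCP bridging), credentials and addresses are placeholders.
/interface bridge
add name=vpn-bridge
/interface bridge port
add bridge=vpn-bridge interface=ether2

# the profile is what bridges the link: every PPP session that uses it gets its
# dynamic interface added to vpn-bridge via BCP
/ppp profile
add name=vpn-bridged bridge=vpn-bridge local-address=10.99.0.1 remote-address=10.99.0.2 \
    change-tcp-mss=yes only-one=yes

# one account per remote site; service=l2tp refuses the same credentials over PPTP
/ppp secret
add name=branch-office password=REPLACE-WITH-STRONG-PASSWORD service=l2tp profile=vpn-bridged

# L2TP with IPsec mandatory; RouterOS creates the transport-mode peer and policy per client
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=REPLACE-WITH-PSK default-profile=vpn-bridged

# PPTP server: keep disabled unless a legacy client really needs it
/interface pptp-server server
set enabled=no default-profile=vpn-bridged
```

After the remote router connects, /interface bridge port print shows its dynamic l2tp interface as a port of vpn-bridge, and /ppp active print shows the session. The remote RouterOS needs the same bridge= in the profile used by its l2tp-client interface so that both ends bridge the link.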
Verification and Diagnostics of Rules
To verify that rules are working properly, use the following commands:
# View firewall rules with their packet and byte counters
/ip firewall filter print stats
# View the log (pptp/l2tp service messages and firewall rules that have log=yes)
/log print
# Check active PPP sessions (PPTP and L2TP)
/ppp active print
# List L2TP server interfaces, including the dynamic ones of connected clients
/interface l2tp-server print
Common Issues and Solutions
Log messages with configured drop rules
Messages about failed connection attempts are written by the pptp and l2tp services, not by the firewall, and the services only see a peer after the input chain has accepted its packets. A drop rule in the forward chain cannot stop these attempts, because traffic addressed to the router's own VPN service never enters the forward chain. Move the address-list drop into the input chain, above the PPTP/L2TP accept rules.
To verify this:
- Check counters on rules:
/ip firewall filter print stats
- If the packet counter on the input-chain drop rule increases and the service messages from those sources stop, the rule is working. Setting log=yes with a log-prefix on the drop rule makes every dropped packet visible in /log print.
GRE issue for PPTP
PPTP often fails due to GRE protocol blocking. Ensure that the GRE rule is present and has the correct priority.
MTU issue for VPN
VPN tunnels lower the usable MTU because GRE and PPP headers are added to each packet. The RouterOS default of 1450 for the PPTP server is usually right; lower it (for example to 1400) if large packets are lost inside the tunnel:
/interface pptp-server server set max-mtu=1400 max-mru=1400
NAT issue for VPN
If clients receive IP addresses but cannot access the internet, check NAT settings:
/ip firewall nat print
Ensure that traffic from VPN clients is properly masqueraded.
Conclusion
Proper Mikrotik firewall configuration for PPTP and L2TP connections requires attention to several key aspects:
- Always add rules in the input chain for the VPN service itself and in the forward chain for what connected clients may reach
- For PPTP, TCP port 1723 and the GRE protocol are required
- For L2TP, UDP port 1701 is required, plus UDP 500, UDP 4500 and ESP when IPsec is used
- A drop rule only works in the chain the traffic traverses: a forward-chain drop does not stop attempts against the router's own VPN service, so the service messages keep appearing until the drop is moved to the input chain
- When setting up a bridge, ensure all necessary interfaces are added to the bridge
- Regularly check rule counters and status of active connections
For diagnostics, use log viewing and firewall statistics commands. If issues persist, check NAT configuration, MTU values, and VPN service status on the router.