NeuroAgent

Mikrotik L2TP Connection Shows Auth Page: Complete Guide

Resolve Mikrotik L2TP connection issues showing provider authentication page. Complete troubleshooting guide for DHCP, firewall, Deco M5 compatibility, and connection stability.

Question

Mikrotik L2TP connection shows provider authentication page - how to resolve?

  • Mikrotik is connected to the provider via L2TP with connection status ‘R’ in interfaces
  • After reboot, the connection works for a few minutes but then stops loading web pages and periodically displays the provider’s authentication page
  • Provider support claims authentication pages only appear via DHCP and cannot be displayed through L2TP connections, suggesting the issue is on our side
  • The Mikrotik connects to Deco M5 devices operating in access point mode
NeuroAgent

When your Mikrotik shows L2TP connection status ‘R’ but intermittently displays the provider’s authentication page, this typically indicates that while the tunnel is established, the connection isn’t properly routing traffic or is experiencing intermittent failures. The authentication page appearance through L2TP suggests the tunnel is dropping and falling back to direct internet access, triggering the provider’s captive portal system.

Common Causes and Solutions

The authentication page appearing despite an L2TP connection usually stems from one of several issues:

Tunnel instability: Even with status ‘R’, the tunnel may be dropping packets or experiencing intermittent failures, causing the connection to fall back to the direct path where the provider’s authentication page appears.

Routing misconfiguration: The L2TP tunnel might be established but not properly configured to route all traffic through it.

DHCP interference: As mentioned in the MikroTik forum discussions, when Mikrotik gets a private IP from DHCP instead of using a static configuration, L2TP connections often fail.


DHCP Configuration Issues

One of the most common causes of L2TP authentication issues is DHCP interference. Research shows that when Mikrotik obtains an IP address via DHCP instead of using a static configuration, L2TP connections frequently become unstable or fail completely.

DHCP Pool Configuration

To resolve DHCP conflicts:

  1. Create a dedicated IP pool for VPN clients:

    routeros
    /ip pool add name=vpn-p ranges=192.168.88.100-192.168.88.200
    
  2. Exclude the VPN pool from your DHCP server:

    routeros
    /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1
    # "dhcp" is a placeholder for the address pool your DHCP server hands out from;
    # keep its range clear of the vpn-p range
    /ip pool set [find name=dhcp] ranges=192.168.88.10-192.168.88.99
    
  3. Configure L2TP to use the dedicated pool:

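    routeros
    /interface l2tp-server server set default-profile=default-encryption
    # local-address is the router's end of each PPP link; remote-address hands clients an address from vpn-p
    /ppp profile set default-encryption local-address=192.168.88.1 remote-address=vpn-p use-encryption=yes
    /ppp secret add name=user password=pass profile=default-encryption service=l2tp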
    

Bridge Configuration Issues

The research indicates that improper bridge configuration can interfere with both DHCP and L2TP operations:

routeros
/interface bridge set bridgeName arp=proxy-arp
/ip address set [find interface=ether2] interface=bridgeName

This ensures proper ARP handling and IP address assignment on the bridge interface.


Firewall and Routing Problems

Firewall misconfigurations are another common cause of L2TP authentication issues. The connection might establish but fail to route traffic properly.

Firewall Rules for L2TP

Ensure you have appropriate firewall rules:

routeros
/ip firewall filter
add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
add chain=forward protocol=udp dst-port=1701 action=accept comment="Allow L2TP forwarding"
add chain=forward connection-state=established action=accept comment="Allow established connections"

NAT and Routing Configuration

Check your NAT settings and ensure proper routing:

routeros
/ip firewall nat
add chain=srcnat out-interface=l2tp-out action=masquerade comment="L2TP NAT"

/ip route
add distance=1 gateway=your.l2tp.gateway dst-address=0.0.0.0/0
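
The routing layout that keeps LAN traffic off the direct path, complementing the masquerade rule above. This is an added example, not part of the original answer; the interface names ether1 and bridgeName and both IP addresses are placeholders, and l2tp-out is the client interface name used on this page.

```routeros
# Added example. Placeholders (assumptions):
#   ether1        WAN port facing the provider
#   bridgeName    LAN bridge that the Deco M5 units connect to
#   l2tp-out      L2TP client interface
#   203.0.113.10  provider's L2TP server
#   198.51.100.1  gateway handed out by the provider's DHCP

# 1. Do not take a default route from the provider's DHCP lease. That route is
#    the direct path on which the authentication page is served.
/ip dhcp-client
set [find interface=ether1] add-default-route=no

# 2. Reach the L2TP server itself over the WAN, never through the tunnel.
#    Update the gateway if the provider's DHCP gateway changes.
/ip route
add dst-address=203.0.113.10/32 gateway=198.51.100.1 comment="L2TP server via WAN"

# 3. Let the tunnel install the only default route.
/interface l2tp-client
set [find name=l2tp-out] add-default-route=yes default-route-distance=1

# 4. Refuse to forward LAN traffic straight out of the WAN port, so a dropped
#    tunnel shows up as an outage instead of the provider's portal.
#    "add" appends the rule; move it above any general accept rule for LAN traffic.
/ip firewall filter
add chain=forward in-interface=bridgeName out-interface=ether1 action=reject reject-with=icmp-network-unreachable comment="LAN must leave via l2tp-out"

# 5. Confirm: the only active 0.0.0.0/0 route should list l2tp-out as its gateway.
/ip route print where dst-address=0.0.0.0/0
```

With this in place, the reject rule's packet counter in `/ip firewall filter print stats` shows how often LAN traffic tried to bypass the tunnel.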

Deco M5 AP Mode Compatibility

The TP-Link Deco M5 devices operating in access point mode present specific challenges:

Limited Configuration Options

As noted in the TP-Link community discussions, “With the Deco in AP mode you don’t have any configuration options or much of any.” This lack of control can cause DHCP and routing issues.

VLAN Tagging Issues

Deco M5 in AP mode has limitations with VLAN tagging:

  1. Configure Mikrotik to handle VLAN tagging instead of relying on Deco devices
  2. Set up proper DHCP snooping on Mikrotik to prevent conflicts
  3. Consider using a different AP mode or alternative access points if VLAN support is critical

DHCP Assignment Problems

Research shows Mikrotik logging DHCP assigned/deassigned on Deco units every few minutes. To resolve this:

routeros
/ip dhcp-client
# ether1 is a placeholder for the interface that faces the provider
set [find interface=ether1] use-peer-dns=no use-peer-ntp=no add-default-route=no

Connection Stability Solutions

The intermittent nature of your issue (working after reboot, then failing) suggests stability problems.

MTU Configuration

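Proper MTU settings are crucial for L2TP/IPsec connections:

routeros
/interface l2tp-server server
set max-mtu=1460 max-mru=1460

# Clamp the TCP MSS of connections leaving through the tunnel to the path MTU
/ip firewall mangle
add chain=forward out-interface=l2tp-out protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes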

IPsec Configuration

If using L2TP over IPsec, ensure proper configuration:

routeros
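# RouterOS 6.44 and later: phase 2 settings live under proposal, phase 1 settings under profile
/ip ipsec proposal
set [find default=yes] enc-algorithms=aes-256-cbc auth-algorithms=sha256
/ip ipsec profile
set [find default=yes] enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# your-peer is a placeholder for a manually configured peer
/ip ipsec peer
set [find name=your-peer] exchange-mode=main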

Connection Timeout Settings

Adjust connection timeouts to prevent drops:

routeros
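/ppp profile
# 0s means no idle or session time limit on the PPP link
set [find name=default-encryption] idle-timeout=0s session-timeout=0s
/interface l2tp-client
set [find name=l2tp-out] add-default-route=yes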

Step-by-Step Troubleshooting

Follow this systematic approach to resolve your issue:

1. Verify L2TP Configuration

routeros
/interface l2tp-client print
/interface print
/ppp active print

Check that the L2TP interface is properly established and has status ‘R’.

2. Test Connectivity

routeros
/ping your.provider.gateway
/ping 8.8.8.8 interface=l2tp-out

3. Monitor Logs

routeros
/log print follow

Watch for authentication failures, DHCP conflicts, or connection drops.

4. Check Route Table

routeros
/ip route print
/ip route print where dst-address=0.0.0.0/0

5. Verify NAT Rules

routeros
/ip firewall nat print
/ip firewall connection print

6. Test Without Deco M5

Temporarily bypass the Deco M5 devices to see if the issue persists. If the connection stabilizes, the problem lies with the Deco configuration.


Provider Communication Tips

When discussing this with your provider, keep these points in mind:

Educate your provider: While they claim authentication pages can’t appear through L2TP, the reality is that when L2TP fails or drops, the system falls back to direct internet access, triggering the authentication page.

Request specific logs: Ask your provider to check their logs for authentication attempts from your Mikrotik’s public IP during the times you experience issues.

Coordinate IP assignments: Work with your provider to ensure your static IP is properly configured and not conflicting with DHCP ranges.

Consider alternative authentication: If the provider’s authentication system is incompatible with L2TP, discuss alternative authentication methods or consider using a different VPN protocol like OpenVPN if supported.

The key to resolving this issue lies in ensuring L2TP stability, proper routing configuration, and eliminating DHCP conflicts, particularly when working with limited-configuration devices like the Deco M5 in AP mode.