Categories: MikroTik

How to permit l2tp ipsec vpn through Mikrotik firewall

Because it is important to harden your Mikrotik router against attacks from the internet, I will share how to permit l2tp ipsec vpn through a hardened Mikrotik router.

Firewall filter rules are recommended on your Mikrotik routers to stop external attackers from compromising your network assets and resources. The easiest and yet most effective way of doing this is to deny access from the internet to the router on all ports. However, this also denies all other connections to the router, including l2tp ipsec vpn. If you are presently experiencing this challenge, this post will show you what you need to do to permit l2tp ipsec vpn through your Mikrotik router.

If you have some source IP addresses that you want to allow access to the router for remote administration, you can put them in a source address list and exempt that address list from the firewall deny rule.

Deny access from the internet to the router

The commands below allow an administrator to deny access from the internet to the router while permitting access from hosts in the subnet listed in the source address list.

/ip firewall address-list
add list=allowed_ips address=41.20.31.0/24

/ip firewall filter
add chain=input action=drop in-interface=ether1 src-address-list=!allowed_ips

L2tp with Ipsec is a form of remote access vpn that can be configured on a Mikrotik router to allow an administrator to connect remotely to an office or home network from any location in the world. Layer 2 tunneling protocol (l2tp) uses udp port 1701, while ipsec key exchange (IKE) uses udp port 500. With the firewall filter rule above, vpn access to the network through this router will be denied unless it is explicitly permitted.

Permit l2tp ipsec vpn through firewall

For l2tp vpn users to successfully connect through this router, we need to permit l2tp ipsec vpn through the filter rule configured above. The commands below allow us to accomplish that. Click here to learn how to configure Mikrotik l2tp vpn with ipsec.

/ip firewall filter
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500

After the commands have been entered, drag the permit rule above the deny rule created in step one. See image below for how rules are placed.

With the commands above in place, l2tp vpn connections to the router will be accepted.
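The complete input chain, as an added example that is not part of the original post or of MikroTik's documentation: it enters the post's accept rule before the drop rule so the drag step is not needed, and it goes beyond the post by also accepting ESP (for clients that are not behind NAT) and by matching udp 1701 only once the packet has been decapsulated from ipsec. The interface ether1 and the subnet 41.20.31.0/24 are the post's; the established/related rule, the ESP rule and the ipsec-policy matcher are additions assumed here.

```routeros
# Added example, not the post's own commands. Assumes the WAN interface is
# ether1 and the admin subnet is 41.20.31.0/24 (both from the post).

/ip firewall address-list
add list=allowed_ips address=41.20.31.0/24 comment="remote admin sources"

/ip firewall filter
# 1. Let existing sessions through so the rules below only see new flows.
add chain=input action=accept connection-state=established,related comment="existing sessions"

# 2. IKE (udp 500) and NAT-Traversal (udp 4500) from the internet.
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 comment="IPsec IKE and NAT-T"

# 3. ESP for clients that are not behind NAT (no udp 4500 encapsulation).
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="IPsec ESP"

# 4. L2TP only after ipsec decapsulation: a bare udp 1701 packet arriving
#    from the internet does not match this rule and falls to the drop below.
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"

# 5. The hardening rule from the post, entered last so it sits below the
#    accept rules: drop everything else from the WAN unless the source is
#    in the admin address list.
add chain=input action=drop in-interface=ether1 src-address-list=!allowed_ips comment="drop WAN to router"

# Check: the accept rules must print above the drop rule.
/ip firewall filter print where chain=input
```

If the drop rule already exists from step one, use `place-before` on the `add` commands for rules 1 to 4, or move them above it in the rule list.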

Timigate
