To MicroTik or to MikroTik? I can never remember.
A collection of notes on MikroTik configuration & Maintenance.
Upgrade your firmware!
One of my clients had their MikroTik compromised in 2018. MikroTik had published an updated firmware version a few months before that mitigated the "attach vector", but unfortunately the device hadn't been updated in time. The end result? VOIP accounts compromised, about $300 of voice calls charged.
So the lesson learned is: always keep your MikroTik firmware up to date! How? You have two options (using WinFig):
(1) Check for Updates button on the QuickSet page
(2) or System → Packages, "Check for Updates"
MikroTik Dynamic DNS Service
IP → Cloud, and ✓ to enable!
Set up L2TP VPN Server
Before you start, update your firmware.
(1) Add firewall rules:
/ip firewall filter add action=accept chain=input comment="Allow L2PT VPN access" \ dst-port=500,1701,4500 protocol=udp add action=accept chain=input protocol=ipsec-esp add action=accept chain=input protocol=ipsec-ah
Move these rules to the top of your input chain.
(2) Set up an L2TP profile (this is a way of setting defaults for several logins, or "secrets"):
Create a pool of addresses for your clients:
(3) Add logins, or "secrets":
(4) Enable L2TP:
Current RouterOS versions will automatically configure IPSec for you at this point. They will look something like this, you can mess with it but it's easy to mess it up:
(5) Optionally create an L2TP server binding:
(6) Adjust fasttrack
Fasttrack can mess with your L2TP, slowing down connections. To get around this, do:
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec /ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
Then, in your firewall, find your default fasttrack rule and set