We have several connections from local networks in different offices to an L2TP server on Mikrotik; their address ranges are 192.168.0.0/24, 192.168.1.0/24 and 192.168.5.0/24. There are also the networks 192.168.3.0/16 and, for example, 192.168.222.0/16. The L2TP server also has one physical local network with its own address space, for example the same 192.168.5.0/24. How do I configure this so that the subnets connected over the L2TP VPN "see" each other?

Yes, by the way, there can be several client-side networks with the address space 192.168.0.0/24.

How best to organize routing? Thanks for any hints.

  • What is the overall goal? Using L2TP to merge offices is a bad idea; look at IPsec (peer-to-peer) instead. In general, in your case you need to add routes ... - gecube
  • To access some services between offices. OK, and how, if not L2TP? And how exactly do I add the routes? Any examples? - Alexander B
  • I said IPsec. All the instructions are in the wiki on the Mikrotik website. - gecube

3 answers

On each client that connects to the L2TP server, add a route:

/ip route add dst-address=192.168.0.0/16 gateway=<far end of the tunnel on the L2TP server>

On the L2TP server, statically add routes to the remote networks:

 /ip route add dst-address=192.168.x.0/24 gateway=<far end of the tunnel on the L2TP client>

    Ideally, it is better to put the networks in order, but if that is not possible, then NAT will help, specifically netmap.

     /ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
         action=netmap to-addresses=2.2.2.0/24

    This rule changes the destination address in the packet, for example from 11.11.11.50 to 2.2.2.50.

    192.168.0.0/24---Router A --- L2TP or GRE --- Router B --- 192.168.0.0/24

    The task is to connect to the address 192.168.0.10 behind router B from the network behind router A.

    Router B

     /ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
         action=netmap to-addresses=192.168.0.0/24

    Router A

     /ip firewall nat add chain=srcnat out-interface=vpntunnel \
         dst-address=11.11.11.0/24 action=src-nat to-addresses=xxxx
     /ip route add dst-address=11.11.11.0/24 gateway=yyyy

    xxxx - address on router A's end of the tunnel
    yyyy - address on router B's end of the tunnel
    vpntunnel - name of the tunnel interface (L2TP or GRE)

    I did not check it myself, but in theory it should work.
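An added example (Python, not from any of the answers) that models the netmap address rewrite described above and flags which site prefixes clash and therefore cannot be routed directly; the site list and the 11.11.0.0/16 alias range are constructed for illustration.

```python
# Constructed example: RouterOS-style netmap translation plus overlap detection
# for the kind of site list in the question (several offices reuse 192.168.0.0/24).
import ipaddress
from itertools import combinations

# Constructed site inventory, not taken from the thread.
SITES = {
    "office-a": "192.168.0.0/24",
    "office-b": "192.168.0.0/24",
    "office-c": "192.168.1.0/24",
    "office-d": "192.168.5.0/24",
    "server-lan": "192.168.5.0/24",
}


def overlapping_sites(sites):
    """Return sorted (site1, site2) pairs whose prefixes overlap.
    A plain route to 192.168.0.0/24 can point at only one tunnel,
    so every pair returned here needs netmap (or renumbering)."""
    nets = {name: ipaddress.ip_network(p) for name, p in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def netmap(addr, dst_prefix, to_prefix):
    """netmap semantics: keep the host bits of addr, swap the network bits
    for those of to_prefix. Both networks must be the same size (1:1 map)."""
    dst = ipaddress.ip_network(dst_prefix)
    to = ipaddress.ip_network(to_prefix)
    ip = ipaddress.ip_address(addr)
    if dst.prefixlen != to.prefixlen:
        raise ValueError("netmap needs equal-sized networks")
    if ip not in dst:
        raise ValueError(f"{ip} is not in {dst}; the rule would not match")
    host_bits = int(ip) - int(dst.network_address)
    return str(ipaddress.ip_address(int(to.network_address) + host_bits))


def assign_aliases(sites, alias_base):
    """Give each site that collides with another a unique alias prefix carved
    out of alias_base (the role 11.11.11.0/24 plays in the answer).
    Returns {site: (real_prefix, alias_prefix)} for colliding sites only."""
    clashing = {s for pair in overlapping_sites(sites) for s in pair}
    base = ipaddress.ip_network(alias_base)
    plan = {}
    for name in sorted(clashing):
        real = ipaddress.ip_network(sites[name])
        used = [ipaddress.ip_network(a) for _, a in plan.values()]
        alias = next(sub for sub in base.subnets(new_prefix=real.prefixlen)
                     if not any(sub.overlaps(u) for u in used))
        plan[name] = (str(real), str(alias))
    return plan
```

Each alias prefix from `assign_aliases` becomes the dst-address of a dstnat netmap rule on the far router and the target of a route on the near router, exactly the pair of commands shown for routers A and B.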

      You have complete chaos; you will not be able to "organize routing" with a single L2TP server for the routers, it will be complete chaos.

      1. We follow the advice of "Anton Globa" and build a web of two-sided NAT; you may get confused already at the planning stage.
      2. We create several L2TP servers and group clients with overlapping address pools onto different servers.
      3. We create a single L2TP server with a single unique address space and connect the end devices (PCs, phones, servers) to it directly.
      4. We put the network in order: take 10.0.0.0/8, cut it into pieces, hang a second IP from a unique 10... range on the end devices that have 192.168... addresses, and gradually shrink the parallel L3 network until everything is unique.