Official docs to L2TP-v3 L2TP-ETHER

Posted: Fri Jun 16, 2023 9:19 pm
by fischerdouglas
In the current stable v7 (7.10) there are the features:

[admin@MikroTik] > /interface/l2tp-server/server/set l2tpv3-
l2tpv3-circuit-id l2tpv3-cookie-length l2tpv3-digest-hash l2tpv3-ether-interface-list

[admin@MikroTik] > /interface/l2tp-ether/set
allow-fast-path connect-to disabled local-address mac-address numbers remote-tunnel-id use-ipsec
circuit-id cookie-length ipsec-secret local-session-id mtu peer-cookie send-cookie use-l2-specific-sublayer
comment digest-hash l2tp-proto-version local-tunnel-id name remote-session-id unmanaged-mode

I looked up information about this on both https://wiki.mikrotik.com/ and https://help.mikrotik.com/ and didn't find any instructions about it.

Any predictions on official documentation on these features and how they differ from basic l2tp?

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Fri Sep 08, 2023 3:29 pm
by brainlabs
I tested this and it works fine, but the issue is that it seems to work better from Mikrotik to Mikrotik.
My test to a Cisco 9K failed.

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Fri Oct 27, 2023 12:36 pm
by brunosaraiva
> I tested this and it works fine, but the issue is that it seems to work better from Mikrotik to Mikrotik.
> My test to a Cisco 9K failed.

Greetings, could you share the meaning of the parameters, please?

Mikrotik is really failing in Documentation. As far as I see, other brands already established in the market, such as Mikrotik, simply release documentation beforehand, or at least a publication on an official blog, etc.

I have noticed, not just in this case now of L2TPv3, but before this already happened, with LTE, with WifiAC..

Grateful for the attention

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Fri Nov 17, 2023 3:58 am
by marekm
I'm interested to know more about this feature too.
Want to know if it can be used to implement what I need: transparent L2 tunnels (MTU>1500 to pass PPPoE mini-jumbo frames in VLANs etc.) that work from remote clients over the Internet, with the clients behind any kind of crappy NAT boxes over which I have no control, but I can fully control the server side on my public IP. Can it be done with L2TPv3 Ethernet over UDP?
If you wonder why. Basically, I'm running a small local WISP and would like to extend my network to places where my radio can't go, but there is FTTH from competitors. They offer high speeds but often crappy CGNAT, I offer nice clean static public IPv4 /32 + IPv6 /56 over dual-stack PPPoE but low speeds, with such L2 tunnels to my infrastructure over their FTTH Internet the customers have the best of both worlds (and I have a chance to survive).

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Fri Nov 17, 2023 9:47 pm
by sindy
> Can it be done with L2TPv3 Ethernet over UDP?

I haven't tried that with L2TPv3, but it does work with traditional L2TP with BCP (which allows interconnecting bridges on the tunnel endpoints; no VLAN filtering is supported, as the tunnel is added as a bridge port dynamically and there is no way to define its membership in VLANs) and with MLPPP (which allows splitting the payload into transport packets not exceeding the path MTU, so that the transport packets do not get fragmented). The name is misleading; it works even on a single link.

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Wed Nov 22, 2023 7:37 am
by oskarsk
Manual has been updated.

The following prerequisites are required to implement L2TPv3:
• You must enable Cisco Express Forwarding before you configure a cross-connect attachment circuit for a customer edge device.
• You must configure a Loopback interface on the router for originating and terminating the L2TPv3 traffic.

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Wed Nov 22, 2023 11:53 am
by nichky
@sindy brate

As far as I know, WDS is also added automatically and it does support VLAN filtering. Correct me if I'm wrong.

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Wed Nov 22, 2023 11:58 am
by nichky
I haven't tried it yet. Does l2tp-ether support VLAN filtering?

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Thu Nov 23, 2023 1:54 pm
by oskarsk
Yes, VLAN filtering supports l2tp-ether, same as other Ethernet.

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Sat Nov 25, 2023 3:46 am
by marekm
I'm looking for what kind of L2 tunnel over the Internet would work best:
- need to pass a few VLANs
- need to pass RFC4638 PPPoE inside VLAN, this means L2MTU at least 1526 (MTU 1500 + PPPoE 8 + VLAN 4 + Ethernet 14)
- client is behind any kind of broken NAT (could even be double NAT: CGNAT at the big ISP and another at the local ONT I have no control over)
- need to limit MTU/MRU of UDP packets over the Internet to about 1400 (there might be some brokenness, like no working path MTU discovery),
- traffic needs to be encrypted so the big ISP can't see what's inside (encryption needs to be fast, doesn't have to be very strong)
- need up to 100 Mbps peak speed at the client, up to 1 Gbps peak at the server, about 100 tunnels (not all using full bandwidth at the same time)
- server is on public IP and under my control, is RB5009 good enough (on a stick, using a few VLANs over 10G SFP+) or do I need a CCR?
- clients in price range of RB750Gr3 or perhaps hap ax lite (no need for wifi, but this one seems to have decent CPU speed for the price)

What should work best: L2TPv3-ether, EoIP over WireGuard, or good old L2TP with BCP?
The last one supports no VLANs, but perhaps I could hack around that by using it on a separate ethernet port externally looped back to another one which is part of the HW-offloaded VLAN-filtered bridge?

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Tue Nov 28, 2023 9:29 pm
by marekm
> Yes, VLAN filtering supports l2tp-ether, same as other Ethernet.

It is possible to specify interface-list in L2TP server, and add that interface list as a bridge port, so that the L2TP server adds dynamic bridge ports for each incoming connection. But still can't specify that interface-list in the bridge VLAN table as tagged=... - so the dynamic bridge ports don't work with bridge VLAN filtering to allow specific tagged VLANs. This feature was already requested here over 3 years ago - viewtopic.php?t=159154 - it would be really useful (with static ports it's just an inconvenience, but dynamic ports added by interface-list as in the L2TP-ether server don't work with VLAN filtering).

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Tue Nov 28, 2023 9:42 pm
by anav
For L2TP over WG --> viewtopic.php?t=182340
Check out para 10
(10) L2TP thru WIREGUARD for MTU Issues

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Sat Feb 17, 2024 11:55 am
by brainlabs
> > I tested this and it works fine, but the issue is that it seems to work better from Mikrotik to Mikrotik.
> > My test to a Cisco 9K failed.
>
> Greetings, could you share the meaning of the parameters, please?
>
> Mikrotik is really failing in Documentation. As far as I see, other brands already established in the market, such as Mikrotik, simply release documentation beforehand, or at least a publication on an official blog, etc.
>
> I have noticed, not just in this case now of L2TPv3, but before this already happened, with LTE, with WifiAC..
>
> Grateful for the attention

Apologies for the late response; I have just been busy.
So in order to get it to work you have to make it unmanaged, between Mikrotik and Mikrotik.

[admin@MikroTik] > interface/l2tp-ether/print
Flags: X - disabled; D - dynamic; R - running; u - unmanaged
 0 Ru name="l2tpv3" mtu=1500 actual-mtu=1500 connect-to=172.18.2.198
      mac-address=FE:B7:65:8A:AE:8A use-ipsec=no ipsec-secret=""
      allow-fast-path=no l2tp-proto-version=l2tpv3-udp circuit-id="10"
      cookie-length=8-bytes digest-hash=none use-l2-specific-sublayer=no
      local-address=10.13.55.253 local-tunnel-id=1 local-session-id=10
      remote-tunnel-id=10 remote-session-id=1 unmanaged-mode=yes

On the managed tab, set the tunnel ID and session ID. Unfortunately they have to be set; they can't be dynamic. Your remote and local IDs have to match, especially the tunnel ID.

The only way to make it work with a Cisco is to set the session ID statically. I assume this would be the same with other OEM brands too.

l2vpn
 xconnect group Mikrotik
  p2p cisco
   interface GigabitEthernet0/0/1/15.50
   neighbor ipv4 10.13.55.253 pw-id 10
    pw-class Mikrotik
    l2tp static
     local cookie size 8 value 0x0 0xffffffff
     local session 1
     remote cookie size 8 value 0x0 0xffffffff
     remote session 1

The only problem I have with the Cisco and the Mikrotik is that my end device can't communicate and I am not learning MAC addresses.
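
Added example (not part of the post above, and not MikroTik or Cisco code): a Python sketch of the L2TPv3-over-UDP data header from RFC 3931 and the session ID and cookie checks a receiver applies, which is why statically configured local and remote values must mirror each other. The session IDs and cookie bytes are constructed, and no L2-specific sublayer is assumed (as with use-l2-specific-sublayer=no).

```python
import hmac
import struct

def build_data_header(peer_session_id: int, peer_cookie: bytes = b"") -> bytes:
    """Header the sender prepends to each Ethernet frame inside the UDP payload."""
    if len(peer_cookie) not in (0, 4, 8):            # cookie sizes RFC 3931 allows
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    # 16 bits: T=0 (data message) and Ver=3; 16 bits reserved; 32-bit Session ID
    return struct.pack("!HHI", 0x0003, 0, peer_session_id) + peer_cookie

def check_data_packet(payload: bytes, local_session_id: int, local_cookie: bytes = b""):
    """Receiver-side checks; returns (verdict, inner frame)."""
    need = 8 + len(local_cookie)
    if len(payload) < need:
        return "drop: truncated", b""
    flags_ver, _reserved, session_id = struct.unpack("!HHI", payload[:8])
    if flags_ver & 0x8000:                           # T bit set: control message
        return "drop: not a data message", b""
    if (flags_ver & 0x000F) != 3:
        return "drop: not L2TPv3", b""
    if session_id != local_session_id:
        return "drop: unknown session", b""
    if not hmac.compare_digest(payload[8:need], local_cookie):
        return "drop: cookie mismatch", b""
    return "accept", payload[need:]

# Constructed static ("unmanaged") settings; side B mirrors side A.
SIDE_A = {"local_session": 10, "remote_session": 1,
          "local_cookie": bytes.fromhex("1122334455667788"),
          "remote_cookie": bytes.fromhex("8877665544332211")}
SIDE_B = {"local_session": 1, "remote_session": 10,
          "local_cookie": SIDE_A["remote_cookie"],
          "remote_cookie": SIDE_A["local_cookie"]}

def send(sender: dict, receiver: dict, frame: bytes):
    """Sender addresses the packet with the receiver's session ID and cookie."""
    packet = build_data_header(sender["remote_session"], sender["remote_cookie"]) + frame
    return check_data_packet(packet, receiver["local_session"], receiver["local_cookie"])

if __name__ == "__main__":
    frame = b"\xaa" * 14                             # constructed stand-in for an Ethernet frame
    print(send(SIDE_A, SIDE_B, frame)[0])                                    # mirrored settings
    print(send(dict(SIDE_B, remote_session=1), SIDE_A, frame)[0])           # wrong session ID
    print(send(dict(SIDE_B, remote_cookie=b"\x00" * 8), SIDE_A, frame)[0])  # wrong cookie
```

The cookie travels in cleartext in every data packet, so it filters misdirected or blindly injected packets but gives no protection against an observer on the path.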

Re: Official docs to L2TP-v3 L2TP-ETHER

Posted: Sat Feb 17, 2024 12:10 pm
by brainlabs
> I'm looking for what kind of L2 tunnel over the Internet would work best:
> - need to pass a few VLANs
> - need to pass RFC4638 PPPoE inside VLAN, this means L2MTU at least 1526 (MTU 1500 + PPPoE 8 + VLAN 4 + Ethernet 14)
> - client is behind any kind of broken NAT (could even be double NAT: CGNAT at the big ISP and another at the local ONT I have no control over)
> - need to limit MTU/MRU of UDP packets over the Internet to about 1400 (there might be some brokenness, like no working path MTU discovery),
> - traffic needs to be encrypted so the big ISP can't see what's inside (encryption needs to be fast, doesn't have to be very strong)
> - need up to 100 Mbps peak speed at the client, up to 1 Gbps peak at the server, about 100 tunnels (not all using full bandwidth at the same time)
> - server is on public IP and under my control, is RB5009 good enough (on a stick, using a few VLANs over 10G SFP+) or do I need a CCR?
> - clients in price range of RB750Gr3 or perhaps hap ax lite (no need for wifi, but this one seems to have decent CPU speed for the price)
>
> What should work best: L2TPv3-ether, EoIP over WireGuard, or good old L2TP with BCP?
> The last one supports no VLANs, but perhaps I could hack around that by using it on a separate ethernet port externally looped back to another one which is part of the HW-offloaded VLAN-filtered bridge?

1. The first challenge you have is MTU. PPPoE doesn't usually support 1500 or above; generally it's 1480-1490.
2. Any tunnel you choose will also put a limit on the MTU. Your options will be to fragment traffic as it leaves on both ends.
3