MikroTik

Blocking websites

facebook

/ip firewall address-list add comment="facebook" list="facebook" address=31.13.24.0/21
/ip firewall address-list add comment="facebook" list="facebook" address=31.13.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=45.64.40.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=66.220.144.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.63.176.0/20
/ip firewall address-list add comment="facebook" list="facebook" address=69.171.224.0/19
/ip firewall address-list add comment="facebook" list="facebook" address=74.119.76.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=103.4.96.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=129.134.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=157.240.0.0/17
/ip firewall address-list add comment="facebook" list="facebook" address=173.252.64.0/18
/ip firewall address-list add comment="facebook" list="facebook" address=179.60.192.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=185.60.216.0/22
/ip firewall address-list add comment="facebook" list="facebook" address=204.15.20.0/22

/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2620:0:1c00::/40
/ipv6 firewall address-list add comment="facebook v6" list="facebookv6" address=2a03:2880::/32

/ip   firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebook action=drop
/ipv6 firewall filter add chain=forward src-address=LAN-Address dst-address-list=facebookv6 action=drop

Source: ipinfo.io


LTE

T-Mobile CZ

  1. Interfaces > Add > PPP Client
    1. Name: somepppout
    2. L2 MTU / Max MTU / Max MRU: 1500
    3. Port: usbX
    4. Data channel: 0
    5. Info channel: 1
    6. APN: internet.t-mobile.cz
  2. PPP
    1. Phone: *99#
    2. Dial command: ATDT
    3. User: gprs
    4. Password: gprs
    5. Use peer DNS: Yes
    6. Add default route: Yes
    7. Allow: PAP only (CHAP, MSCHAP1, MSCHAP2 unticked)
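The same T-Mobile CZ PPP client entered on the RouterOS CLI instead of WinBox, added here as an example (not from the original page). The USB port number, the LAN subnet and the NAT rule are assumptions:

```routeros
# Added example: the GUI steps above as CLI commands.
# Assumed: the modem appears as usb1 and the LAN is 192.168.88.0/24.
/interface ppp-client
add name=somepppout port=usb1 data-channel=0 info-channel=1 \
    apn=internet.t-mobile.cz phone="*99#" dial-command=ATDT \
    user=gprs password=gprs allow=pap \
    use-peer-dns=yes add-default-route=yes \
    max-mtu=1500 max-mru=1500 disabled=no

# The LAN must be source-NATed behind the dynamic LTE address.
/ip firewall nat
add chain=srcnat out-interface=somepppout src-address=192.168.88.0/24 \
    action=masquerade comment="LAN behind LTE"

# Check that the link is up and that the default route was installed.
/interface ppp-client monitor somepppout once
/ip route print where dst-address=0.0.0.0/0
```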

PPP VPN

  1. PPP > Profile > Add
    1. Name: someprofile
    2. Local address: local IP of the router
    3. Remote address: pool from which the remote clients will get IP addresses
    4. DNS server: optional?
    5. Protocols > Use Encryption: Yes
  2. PPP > PPTP Server (button)
    1. Enabled
    2. Default profile: someprofile
  3. PPP > Secrets
    1. Name: someusername
    2. Password: somepassword
    3. Service: PPTP
    4. Profile: someprofile
  4. In Firewall, allow:
    1. 1723/TCP
    2. 47/IP (GRE)
  5. On LAN interface, allow:
    1. ARP: proxy-arp
    2. Note: if the LAN ports are bridged, set this on the bridge instead of the LAN interface.
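The PPTP steps above as CLI commands, added here as an example (not from the original page). The router address, the client pool, the WAN interface ether1 and the bridge name bridge1 are assumptions:

```routeros
# Added example: PPP VPN (PPTP) steps 1-5 on the CLI.
# Assumed: router LAN address 192.168.88.1, client pool .100-.150,
# WAN on ether1, LAN on bridge1.
/ip pool
add name=vpnpool ranges=192.168.88.100-192.168.88.150

/ppp profile
add name=someprofile local-address=192.168.88.1 remote-address=vpnpool \
    dns-server=192.168.88.1 use-encryption=yes

/ppp secret
add name=someusername password=somepassword service=pptp profile=someprofile

/interface pptp-server server
set enabled=yes default-profile=someprofile authentication=mschap2

# Control channel (1723/TCP) and GRE (IP protocol 47) from the WAN side.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control"
add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP GRE"

# Clients get addresses from the LAN range, so the router answers ARP for them.
/interface bridge
set bridge1 arp=proxy-arp

# Caveat: MPPE keyed from MS-CHAPv2 offers weak confidentiality;
# the L2TP + IPsec setup further down this page is the stronger choice.
```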

Two separate connections for two separate LANs with one RouterBoard

  1. Disconnect the bridge between etherX-*-local (Interface properties - remove the Master port).
  2. Mark the packets from the LAN subnets (e.g. 192.168.10.0/24 and 192.168.20.0/24):
    /ip firewall mangle add action=mark-routing chain=prerouting \
        new-routing-mark=routing_mark_office src-address=192.168.10.0/24
    /ip firewall mangle add action=mark-routing chain=prerouting \
        new-routing-mark=routing_mark_guests src-address=192.168.20.0/24 
  3. Set up routing for packets marked with mangle:
    /ip route add gateway=ether1-wan1 routing-mark=routing_mark_office
    /ip route add gateway=ether2-wan2 routing-mark=routing_mark_guests 

    Note: Gateway can also be a PPPoE connection (in case of DSL).

  4. Set up masquerade for the second wan interface (assuming that masquerade was set up only for the ether1-wan1).
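Step 4 as CLI commands, added here as an example (not from the original page), together with two checks that the marks and routes took effect. It assumes the existing masquerade rule matches only out-interface=ether1-wan1:

```routeros
# Added example: masquerade for the second WAN plus verification.
# Assumed: the existing rule is "chain=srcnat out-interface=ether1-wan1 action=masquerade".
/ip firewall nat
add chain=srcnat out-interface=ether2-wan2 action=masquerade \
    comment="guests behind wan2"

# Packet counters on the mangle rules should grow as each subnet sends traffic.
/ip firewall mangle print stats

# Each routing mark must resolve to its own gateway.
/ip route print detail where routing-mark=routing_mark_office
/ip route print detail where routing-mark=routing_mark_guests
```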

IPv6 firewall stub

/ipv6 firewall filter
add action=accept comment="Allow ESTABLISHED (FORWARD)" chain=forward connection-state=established disabled=no 
add action=accept comment="Allow RELATED (FORWARD)" chain=forward connection-state=related disabled=no
add action=accept comment="Allow ICMPv6 (FORWARD)" chain=forward disabled=no in-interface=pppoe-out1 protocol=icmpv6 
add action=drop comment="Drop everything else (FORWARD)" chain=forward disabled=no in-interface=pppoe-out1 
add action=accept comment="Allow ESTABLISHED (INPUT)" chain=input connection-state=established disabled=no 
add action=accept comment="Allow RELATED (INPUT)" chain=input connection-state=related disabled=no 
add action=accept comment="Allow ICMPv6 (INPUT)" chain=input disabled=no in-interface=pppoe-out1 protocol=icmpv6 
add action=accept comment="Allow DHCPv6 (INPUT)" chain=input disabled=no in-interface=pppoe-out1 protocol=udp port=546
add action=drop comment="Drop everything else (INPUT)" chain=input disabled=no in-interface=pppoe-out1

L2TP + IPsec

1) Allow IPsec through the firewall

/ip firewall filter
add chain=input protocol=udp in-interface=ether1 dst-port=500,1701,4500 action=accept
add chain=input protocol=ipsec-esp in-interface=ether1 action=accept
add chain=input protocol=ipsec-ah  in-interface=ether1 action=accept

2) Create an IP pool from the same range as the LAN (i.e. shorten the existing one if necessary).

3) Create a PPP profile

/ppp profile
add name=my-l2tp-profile local-address=192.168.88.254 remote-address=vpnpool dns-server=192.168.88.1 change-tcp-mss=yes interface-list=LAN

local-address = the IP address the router will have inside the VPN; it must be outside the pool! (i.e. if the VPN pool is e.g. 100-200, give the router e.g. 201)
remote-address = the pool created in step 2
dns-server = either the router's address or another DNS server in the remote network
interface-list=LAN = once the connection is established, the VPN interface is added to the LAN interface list (for the firewall)

4) Enable the L2TP server

/interface l2tp-server server
set enabled=yes default-profile=my-l2tp-profile use-ipsec=yes ipsec-secret=spolecneheslo authentication=mschap1,mschap2

ipsec-secret = shared secret, common to all clients

5) Create a user account (“secret”)

/ppp secret add name=mojekrasnejmeno password=mojekrasneheslo service=l2tp profile=my-l2tp-profile

name = the username the user will enter when configuring the VPN
password = the user's password
profile = the L2TP profile created in step 3

6) Enable proxy-arp on the bridge (so the router answers the clients' ARP queries through the tunnel as well)

/interface bridge set bridge1 arp=proxy-arp

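A tighter variant of step 1 and step 4, added here as an example (not from the original page): L2TP on 1701/UDP is accepted only when it arrives inside the IPsec tunnel, so a client cannot fall back to an unencrypted L2TP session. It assumes the WAN interface is ether1, as in the rules above.

```routeros
# Added example: accept L2TP only inside IPsec, drop plain L2TP from the WAN.
# Assumed: WAN on ether1. The default L2TP/IPsec setup uses ESP, so no AH rule is needed.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only inside IPsec"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 action=drop \
    comment="plain L2TP from the WAN"

# MS-CHAPv1 is obsolete; offer MS-CHAPv2 only.
/interface l2tp-server server
set enabled=yes default-profile=my-l2tp-profile use-ipsec=yes \
    ipsec-secret=spolecneheslo authentication=mschap2

# After a client connects, both the IPsec peer and the PPP session should be listed.
/ip ipsec active-peers print
/ppp active print
```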
mikrotik.1563288736.txt.gz · Last modified: 2022/03/16 09:38 (external edit)