ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
ER8411 Firmware 1.3.3, 1.3.5 and 1.3.6 & ER605 v2 Firmware 2.3.1 – VPN Passthrough issues
Testing began on a completely factory reset ER8411 running 1.3.6 – no configs. Not even the initial login user/password set, standalone mode.
Identical testing on ER605 v2 running 2.3.1 with the exact same results. Documenting ER8411 here.
Topology:
Modem <WAN 4> ER8411 <LAN 11> PC
No other devices on network
From the factory reset state.

IPSec Client-to-Site VPN connected successfully – connected to a VPN server on an ER7206 at an independent location (not an Omada site), Client-To-Site mode, target IP range 192.168.1.X

--- Success – can ping and access remote devices and GUIs ---
Now, the gateway has its default LAN changed to match my Omada site management VLAN and is adopted to the controller with its proper IP

VPN is now reconnected – Remote range still 192.168.1.X

Ping to the remote gateway 192.168.1.1 is successful

CANNOT load the GUI for it, or for anything else on that network

All ACLs are disabled, there are no NAT rules



Disabling IDS/IPS – no change

Disabling All ER8411 VPNs – no change

I have attached a Wireshark capture of the VPN connection and then of attempting to load the web GUIs of devices over the VPN
Results replicated on ER605v2 FW 2.3.1 as well in an identical scenario
My MTU is the default setting of 1500, but there is something with the ER8411 and ER605: I can connect to a Mikrotik router with L2TP but not to an ER605v2. I don't use L2TP so no problem, but annoying not knowing why :-) I see there is a difference in the L2TP settings: when I check the MTU on the L2TP interface, it is an MTU of 1400 on the interface that is connected to the Mikrotik; the connection to the ER605 is 1380, so there is a difference. An MTU of 1380 works on ER707-M2 and ER706W but not from ER8411 and ER605.
This is L2TP on client pc to a ER605v2 router

And this is to a Mikrotik router

It is probably the small difference in MTU size that makes it impossible to log in to the ER605 L2TP Server.
Thanks, that is interesting!
I haven't got around to doing the same test on my spare 605 here; I can try it both as front end to my modem and behind the ER8411, and see what happens with different MTU combinations.
Do you get the same effect as I was: VPN connects, devices pingable, but zero TCP/UDP traffic to and from them?
Overall, although I identified the MTU as the issue on my setup, it leaves me with a conundrum. At 1500 (default) my VPNs work, but due to packet fragmentation RDP to a server I use all the time has a 50/50 chance of not working. I am going to have to experiment in finding a middle-ground value that keeps RDP working and doesn't break VPNs.
sigh
WAN MTU of 1400 seems to be the middle ground for me. I can connect to Omada and Draytek gateway VPNs properly with traffic passing, and RDP isn't borked.
What happens if you change the WAN MTU of your ER605? Can your PCs connect to its VPN then?
I *think* I will have to test my 605 in standalone mode, which is fine. I have some VPNs hosted on another one on a public IP I have on a controller, so I can adjust WAN MTU at both ends to see what happens. But that doesn't mean the actual VPN tunnel MTU will be adjusted; that is obviously hard-coded in firmware and may be the problem with all of this, as you identified with your Mikrotik.
EDIT: I should add - since this is important
Prior to getting the ER8411 as my home testing router, I was using a 605 v2, which at that point was running firmware 2.3.0. I had WAN MTU set on it to 1352 (the true real value without fragmentation for my ISP) and I had zero issues with VPNs. It will be interesting to see what the difference is now with it on 2.3.1, and I can roll it back and do A/B testing.
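The "true value without fragmentation" mentioned above can be measured from a client with a DF-bit ping sweep; this script is an added example, not from the thread, and assumes Linux iputils `ping` (`-M do` forbids fragmentation; macOS uses `-D`), with 192.0.2.1 as a placeholder for the far gateway. It binary-searches the largest ICMP payload that is answered and adds the 28 bytes of IPv4 and ICMP headers to get the path MTU, which is the same kind of probe that separates "ping works" from "full-size TCP segments are dropped".

```shell
#!/bin/sh
# Path-MTU probe: find the largest ICMP payload that passes with DF set.
# Assumes Linux iputils ping ("-M do" forbids fragmentation); on macOS use "-D".

# probe_ok PAYLOAD HOST -> exit 0 if one DF-bit ping of PAYLOAD bytes is answered
probe_ok() {
  ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# payload_to_mtu PAYLOAD -> path MTU = payload + 20 (IPv4 header) + 8 (ICMP header)
payload_to_mtu() {
  echo $(( $1 + 28 ))
}

# find_max_payload HOST LO HI [PROBE] -> largest payload in [LO,HI] that PROBE accepts.
# PROBE defaults to probe_ok; a fake probe can be injected to exercise the search offline.
find_max_payload() {
  fmp_host=$1; fmp_lo=$2; fmp_hi=$3; fmp_probe=${4:-probe_ok}
  fmp_best=0
  while [ "$fmp_lo" -le "$fmp_hi" ]; do
    fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
    if "$fmp_probe" "$fmp_mid" "$fmp_host"; then
      fmp_best=$fmp_mid; fmp_lo=$(( fmp_mid + 1 ))   # answered: try a bigger payload
    else
      fmp_hi=$(( fmp_mid - 1 ))                       # dropped: try a smaller payload
    fi
  done
  echo "$fmp_best"
}

# Usage: sh pmtu.sh 192.0.2.1   (placeholder; use the far VPN gateway or a host behind it)
# 1472 is the largest payload that fits a 1500-byte WAN MTU.
if [ -n "$1" ]; then
  p=$(find_max_payload "$1" 0 1472)
  echo "largest DF payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
fi
```

Run it once against the remote gateway over the tunnel and once against a public host outside it; the difference between the two results is the encapsulation overhead the tunnel adds.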
I did some more testing here too. :-)
It is probably the MTU of 1380 that is the problem with L2TP to an ER605v2. I did a test against two different Unifi routers; they gave an MTU of 1400 and worked between all the Omada routers.
This is L2TP to a Unifi router, same MTU as the Mikrotik

Views: 269
Replies: 24
