Can't route from LAN to L2TP client.
-
I've managed to set up an L2TP VPN server on PFSense (2.6-0-RELEASE) and clients (IoT-type devices using LTE) connect, but I can't get traffic to route to these L2TP clients from my LAN.
On my PFSense box I can see the route for the L2TP clients with netstat -rn (10.0.1.120 is an L2TP client and 10.0.1.254 is the Server IP set in the L2TP configuration):
Destination        Gateway    Flags   Netif   Expire
10.0.1.120         link#10    UH      l2tps1
10.0.1.254         link#10    UHS     lo0
and can ping this client (10.0.1.120) from PFSense and the L2TP client can ping PFSense (10.0.1.254).
However I can't ping 10.0.1.120 (the L2TP client) from my LAN (192.168.1.0/24) :( I can ping 10.0.1.254 (PFSense L2TP server IP) from my LAN.
On PFSense; running tcpdump -i igb0 host 10.0.1.120 (igb0 is my LAN interface) I get
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:58:53.033397 IP 192.168.1.1 > 10.0.1.120: ICMP echo request, id 32618, seq 1, length 64
16:58:54.034188 IP 192.168.1.1 > 10.0.1.120: ICMP echo request, id 32618, seq 2, length 64
Requests for 10.0.1.120 being received but no replies.
Running tcpdump -i l2tps1 host 10.0.1.120 I can see what looks like keepalive traffic but no ICMP traffic of any kind when pinging from my LAN. If I ping 10.0.1.120 from PFSense while running this tcpdump I can see the echo requests and replies:
17:01:28.079163 IP 10.0.1.254 > 10.0.1.120: ICMP echo request, id 35686, seq 0, length 64
17:01:28.144504 IP 10.0.1.120 > 10.0.1.254: ICMP echo reply, id 35686, seq 0, length 64
17:01:29.092519 IP 10.0.1.254 > 10.0.1.120: ICMP echo request, id 35686, seq 1, length 64
17:01:29.165130 IP 10.0.1.120 > 10.0.1.254: ICMP echo reply, id 35686, seq 1, length 64
I've added firewall rules on my LAN to permit traffic from my LAN to L2TP clients and I'm not seeing any firewall hits for l2tps1 or 10.0.1.120 (using grep on /var/log/filter.log).
I've also set Outbound NAT to Hybrid and tried manually adding a rule but that shouldn't be needed with Hybrid NAT.
Can anyone suggest why traffic is making its way from my LAN onto my PFSense box but not getting routed out of the L2TP connection?
Thanks.
-
Check the state table when you try to ping 10.0.1.120 from a LAN client. Where do you see states being opened?
Try to ping 10.0.1.120 from pfSense but use the LAN IP as source.
Steve
-
Thanks for the pointers. I maybe should have said in my OP that I'm using CARP, with the L2TP server running on the physical WAN address (XXX.XXX.128.93) as you can't set up the L2TP server on the CARP WAN IP (a topic for a different post). Don't know if that makes any difference though.
Anyway, yes, using ping on PFSense both
ping -S 192.168.1.254 10.0.1.120 and ping -S 192.168.1.247 10.0.1.120
work (.254 is the CARP IP on my LAN and .247 the physical IP for my primary PFSense box that has the L2TP server running).
Using the GUI pfTop to look at the states, something doesn't seem right when I start a ping on the L2TP client from the LAN:
pfTop: Up State 1-3/3 (1638), View: default, Order: bytes
PR   DIR SRC                    DEST                   STATE              AGE      EXP      PKTS BYTES
udp  In  10.0.1.120:1701        10.0.1.254:1701        NO_TRAFFIC:SINGLE  04:14:19 00:00:30 7517 823076
icmp In  192.168.1.1:25024      10.0.1.120:25024       0:0                00:00:32 00:00:10 32   2688
icmp Out XXX.XXX.128.92:13859   10.0.1.120:13859       0:0                00:00:32 00:00:10 32   2688
This is running PFTop with the filter "host 10.0.1.120". XXX.XXX.128.92 is the WAN CARP IP. Why on earth is it routing there when there's a specific route in the routing table for 10.0.1.120 via l2tps1 ??
10.0.1.120         link#10    UH      l2tps1
10.0.1.254         link#10    UHS     lo0
This doesn't make sense. Shouldn't the routing use the most specific route? The routing table does not have any other entries for the 10.0.1.0/24 subnet anyway so that can't be the problem.
Why is PFSense trying to send LAN traffic out of my CARP WAN IP instead of down the L2TP VPN, when traffic originating on PFSense itself does route correctly?
All help and pointers most gratefully received.
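The mismatch in the post above (a host route for 10.0.1.120 via l2tps1, yet an outbound state sourced from the WAN CARP IP) is the kind of thing a small script can flag automatically. The following is an added example and not code from the thread or from pfSense: it does a longest-prefix lookup over `netstat -rn` style output and then checks each `Out` state from a pfTop dump against that lookup, reporting any state whose source is a WAN address while the destination's best route is not a WAN interface. The route table and state lines are constructed from the thread; the default route via igb1/203.0.113.1 and the stand-in WAN CARP address 203.0.113.92 (in place of XXX.XXX.128.92) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table: the two host routes shown in the thread, plus an
# assumed default route via igb1 (WAN) and the LAN connected route on igb0.
NETSTAT_RN = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       igb1
10.0.1.120         link#10            UH        l2tps1
10.0.1.254         link#10            UHS       lo0
192.168.1.0/24     link#1             U         igb0
"""

# Constructed pfTop output; 203.0.113.92 stands in for the WAN CARP IP.
PFTOP = """\
pfTop: Up State 1-3/3 (1638), View: default, Order: bytes
PR   DIR SRC                    DEST                   STATE              AGE      EXP      PKTS BYTES
udp  In  10.0.1.120:1701        10.0.1.254:1701        NO_TRAFFIC:SINGLE  04:14:19 00:00:30 7517 823076
icmp In  192.168.1.1:25024      10.0.1.120:25024       0:0                00:00:32 00:00:10 32   2688
icmp Out 203.0.113.92:13859     10.0.1.120:13859       0:0                00:00:32 00:00:10 32   2688
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_routes(text):
    """Parse FreeBSD `netstat -rn` lines into Route objects (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"  # a bare address in netstat -rn is a host route
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def parse_states(text):
    """Parse pfTop state rows (PR DIR SRC DEST ...) into dicts with bare IPs."""
    states = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title line and the column header; only In/Out rows are states.
        if len(parts) < 4 or parts[1] not in ("In", "Out"):
            continue
        proto, direction, src, dst = parts[:4]
        states.append({"proto": proto, "dir": direction,
                       "src": src.rsplit(":", 1)[0], "dst": dst.rsplit(":", 1)[0]})
    return states


def find_misrouted_states(states, routes, wan_addrs, wan_ifaces):
    """Flag Out states sourced from a WAN address whose destination's best
    route does not leave via a WAN interface (the symptom in the thread)."""
    findings = []
    for s in states:
        if s["dir"] != "Out" or s["src"] not in wan_addrs:
            continue
        route = lookup(routes, s["dst"])
        if route is not None and route.netif not in wan_ifaces:
            findings.append((s["proto"], s["src"], s["dst"], route.netif))
    return findings


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_RN)
    print("best route for 10.0.1.120:", lookup(routes, "10.0.1.120").netif)
    for proto, src, dst, netif in find_misrouted_states(
            parse_states(PFTOP), routes, {"203.0.113.92"}, {"igb1"}):
        print(f"suspicious: {proto} state {src} -> {dst} sourced from WAN, "
              f"but routing table sends {dst} via {netif}")
```

A finding from this check points at policy routing or outbound NAT overriding the kernel route rather than at the routing table itself, which is where the thread's answer ended up.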
-
Hmmm... I've fixed it but not sure why the fix works.
In my LAN firewall rules I had an entry to pass all traffic from the LAN to the destination "L2TP clients" (this was selected from the pulldown on the Destination box).
Changing the destination to 10.0.1.0/24 and voilà! The routing works.
I guess "L2TP clients" is automatically generated by PFSense as it's not in my Aliases and I can't generate an alias with a space in the name anyway... and quite why it ended up routing LAN->L2TP traffic out of the WAN is also a mystery.
Is this a bug?
-
Ah, so it was hitting some policy routing when that rule didn't match?
Hmm, I'm not sure I've ever used that alias. And yes it does feel like a bug. Testing....
-
@stephenw10 Nice to find out it wasn't just me going bonkers. Thanks for the help, triage and bug report.