Netgate Discussion Forum

    PPTP/L2TP on interfaces

    2.0-RC Snapshot Feedback and Problems - RETIRED

Ozzik

      Hi,

I know this topic was already discussed a couple of times, but I was hoping that the 2.0 release would finally make it happen.
Anyway, in some countries ISPs offer an internet setup which pfSense is not built for. It goes like this:

A computer (pfSense in this case) takes an IP from the modem via DHCP. This IP is from a private network (i.e. 172.x.x.x); then, on top of it, the "dialer" brings up the PPTP/L2TP interface and gets the public IP.

      Now, basically, with the 1.2.3 release I was able to get it working. This is how I did it:
1. Assuming WAN is the interface to connect to the internet: set it to DHCP, write down the IP, netmask and gateway that came from the modem.
2. On some other PC do an nslookup for the ISP's PPTP server name, which is supposed to be a pool of IPs. Choose one. Write it down.
3. Set the WAN interface to PPTP and, besides the user/pass, in the local IP address type the IP/netmask from the DHCP we got earlier. In the remote IP address type the PPTP server of choice from step 2.
4. Set up a static route:
interface: WAN
network: PPTP server from step 2 (/32)
gateway: the one that we got from DHCP.

That's it. But there's a problem with such a setup: if the ISP decides to change the PPTP server or the DHCP pool of the modems, we have to manually change these settings again.
Now, since these settings are already possible via the WebGUI, I was hoping it could be implemented in a more native way. One of the important things here is being able to type a hostname, not an IP, in the "remote IP address" field. The other, of course, is the DHCP/static route.

      Another thing is that it would be great if you could implement the same thing for L2TP. It seems that (at least here in Israel) we're moving in this direction and it's not possible to get a line above 10Mb without L2TP.

      By the way, all of these things are already implemented in m0n0wall-mod distro, so maybe it will be possible to port it to pfsense.

I know this setup is problematic not only in Israel, as I've seen similar posts from other countries in Europe, Russia (which is where the author of m0n0wall-mod is from) and Australia.

jimp (Rebel Alliance Developer Netgate)

        This has been brought up before but I'm not sure if anyone has worked on it. There is someone working on the PPP/PPPoE/PPTP code right now, but I don't know that this has been considered. You might want to open up a feature request ticket at http://redmine.pfsense.org with details of how your ISP requires this to work.

gnhb

          I'll investigate what's involved in making this work.
          Gabriel

Ozzik

            Great, thanks a lot!

Ozzik

              I was wondering if there are any news on that?
              Also, I opened a feature request: http://redmine.pfsense.org/issues/624

gnhb

                https://rcs.pfsense.org/projects/pfsense/repos/gnhb-clone/commits/3a906378cb8094c4fcf1c6ad7421199670ad8e70

Ozzik

                  ok, first - thank you very much!
                  second - I'm not sure about what to do with that. As I understand, it's still in clone repositories, because I don't see the "ppps" tab in the "interfaces" page yet (I downloaded the last snapshot today).
                  When will it be in the snapshot?

gnhb

                    You can't really do anything with it easily. I just posted that to show you that it was getting in there. This code will be in the snapshots soon. I'll try to remember to post back here when it gets in.

                    If you PM me your email address I can give you some advanced testing files, but you have to promise to post your results and feedback back here. :)

                    GB

gnhb

As I try to refine this solution, it occurs to me that it's not possible to do a DNS lookup without some existing link to the internet, so how exactly does one resolve the PPTP server hostname?

                      I can understand that DHCP returns a local IP, and a router/gateway IP which are for the modem itself, but if the modem is not connected to the ISP somehow already, this situation will not be possible.

                      Please provide more detailed information.

                      Thanks,

                      GB

Ozzik

Unfortunately, I don't really know what's going on behind the scenes, but I believe that the DNS lookup is done through the local gateway. This scenario comes natively in all the cheap routers sold here, so I guess that's the way it's done.

gnhb

Okay. I get it now. I looked it up with Google!
                          You have a cable modem right?

                          with HOT right?

                          GB

Ozzik

That's right :)

Was I right in my assumptions?

Micky

                              Hi,

                              Thank you for working on this option.

I tried to test it by setting the physical interface as OPT1 (DHCP) and assigning the L2TP to WAN.
I also tried directly setting WAN as L2TP and setting its physical interface in the MLPPP tab. But I don't see it trying to connect (nothing in the system log or PPP log, and WAN is down).

Am I doing something wrong here?
Is there a way to see a more verbose log of the PPTP/L2TP connection?

                              Thanks !

gnhb

Some code that does this is currently in snapshots from June 15th or later, but it's commented out. You must uncomment it in /etc/inc/interfaces.inc like this (code below), and you must have a separate interface defined (like OPT1) that is set to enable DHCP on the same physical interface that the PPTP link is using.
The PPTP link won't come up at boot time. You'll have to start it manually from the Status->Interfaces page. This will hopefully be less manual in the future.

                                GB

                                
                                diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
                                index 84e1376..8bce426 100644
                                --- a/etc/inc/interfaces.inc
                                +++ b/etc/inc/interfaces.inc
                                @@ -1062,13 +1062,13 @@ function interface_ppps_configure($interface) {
                                                                /* XXX: This needs to go away soon! [It's commented out!] */
                                                                /* Configure the gateway (remote IP ) */
                                                                if (!$g['booting'] && !is_ipaddr($gateways[$pid]) && is_hostname($gateways[$pid])) {
                                -                                       /* XXX: Fix later 
                                +                                       /* XXX: Fix later */
                                                                        $gateways[$pid] = gethostbyname($gateways[$pid]);
                                                                        if(!is_ipaddr($gateways[$pid])) {
                                                                                log_error("Could not get a valid Gateway IP from {$port} via DNS in interfaces_ppps_configure.");
                                                                                return 0;
                                                                        }
                                -                                       */
                                +                                       
                                                                }
                                                                if(!is_ipaddr($gateways[$pid])){
                                                                        log_error("Could not get a PPtP/L2tP Remote IP address from {$dhcp_gateway} for {$gway} in interfaces_ppps_configure.");
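Review bot: the resolution this hunk activates is still skipped while booting, because the enclosing condition keeps the `!$g['booting']` test; a hostname configured as the remote IP is therefore left unresolved at boot and falls straight into the `if(!is_ipaddr($gateways[$pid]))` branch below, which logs "Could not get a PPtP/L2tP Remote IP address", so the link cannot dial on its own at boot. Either drop the boot guard once the DHCP-assigned resolver is usable, or schedule a retry after boot, and document in the comment why the guard exists. Two smaller points in the same block: the failure message `log_error("Could not get a valid Gateway IP from {$port} via DNS ...")` reports `$port` rather than the hostname that failed to resolve, and that hostname is already gone at that point because `gethostbyname()` overwrites `$gateways[$pid]` in place (keep the original in a local and log it); and the comment `/* XXX: This needs to go away soon! [It's commented out!] */` is now wrong since the block is live, while the `+` line that replaces the old closing `*/` carries only trailing whitespace and should be removed rather than left as a blank.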
                                
                                
Ozzik

                                  Hi,
                                  finally got around to test it.

                                  In my testing environment I only have WAN and Wi-Fi for LAN, so I set WAN to DHCP, created another interface (OPT1) on the PPPs tab and configured it to PPTP. I also uncommented the code you mentioned, but as Micky said previously - nothing happens.

                                  I see the "connect" button on the "interfaces" status, and when pressed - nothing happens, no logged events, nothing.

                                  Am I doing something wrong?

Micky

I've managed to get the PPTP to dial up, but there is no traffic outside.
I think the problem is the gateway: in the gateway list I can only see the DHCP gateway through which I dialed the VPN, and not the PPTP one.

                                    And in PPP log:

                                    Aug 3 20:07:29     ppp: [wan] IFACE: Up event
                                    Aug 3 20:07:29     ppp: [wan] IFACE: Add route 0.0.0.0/0 212.25.114.90 failed: File exists
                                    Aug 3 20:07:29     ppp: [wan] 84.110.xxx.xxx -> 212.25.114.90
                                    Aug 3 20:07:29     ppp: [wan] IPCP: LayerUp
Aug 3 20:07:29     ppp: [wan] IPCP: state change Ack-Sent --> Opened
                                    Aug 3 20:07:29     ppp: [wan] SECDNS 62.219.186.7
                                    Aug 3 20:07:29     ppp: [wan] PRIDNS 192.117.235.235
                                    Aug 3 20:07:29     ppp: [wan] IPADDR 84.110.xxx.xxx
                                    Aug 3 20:07:29     ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)

To get it to dial I set
OPT1 as DHCP (on the physical interface)
WAN as PPTP (on OPT1), and not on the physical interface

On L2TP it somehow tried to dial once but I can't repeat that; there is no button to start the interface on the status_interface.php page,
just "Status down".

                                    Edit:
Probably NOT the gateway; if I try to ping something, the hostname is resolved correctly.
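
The two posts above describe the same routing problem from both ends: Ozzik's step 4 installs a /32 host route to the PPTP server via the DHCP gateway, and Micky's PPP log shows mpd failing to install its default route ("Add route 0.0.0.0/0 ... failed: File exists") while the DHCP default is still present. The following Python model is an editor's example added here, not pfSense or mpd code. It replays that route sequence with longest-prefix matching on constructed addresses (172.28.0.0/24 for the modem segment, 212.25.114.90 as the concentrator, and the interface names fxp0 and ng0 borrowed from the thread) to show why the host route is needed: once the tunnel owns the default route, the tunnel's own outer packets to the server (GRE for PPTP, UDP/1701 for L2TP) would otherwise be routed back into the tunnel. Worth keeping in mind when reproducing this: both the hostname lookup in step 2 and the tunnel transport ride the private modem segment before any authenticated link exists.

```python
"""Longest-prefix-match model of the DHCP + PPTP/L2TP route sequence.

Added example; not pfSense, FreeBSD or mpd code. All addresses below are
constructed for illustration and do not belong to any real ISP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions, not taken from the thread's real hosts).
MODEM_GW = "172.28.0.1"          # default gateway handed out by the modem's DHCP
DHCP_ADDR = "172.28.0.10/24"     # private address on the physical WAN NIC
PPTP_SERVER = "212.25.114.90"    # resolved PPTP/L2TP concentrator address
PPP_PEER = PPTP_SERVER           # remote end of the PPP link, as in Micky's log
PHYS_IF, PPP_IF = "fxp0", "ng0"  # interface names borrowed from the thread


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected
    iface: str


class RoutingTable:
    """Minimal longest-prefix-match FIB.

    add() mimics the kernel's refusal to install a duplicate prefix, which is
    the 'File exists' mpd logs when it adds 0.0.0.0/0 while the DHCP default
    route is still present.
    """

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, gateway: Optional[str], iface: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(r.prefix == net for r in self.routes):
            raise FileExistsError(f"Add route {net} {gateway} failed: File exists")
        self.routes.append(Route(net, gateway, iface))

    def delete(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def build_table(host_route: bool, replace_default: bool) -> RoutingTable:
    """Replay the thread's sequence: DHCP on the NIC, optionally the /32 to the
    PPTP server via the modem gateway (Ozzik's step 4), then the PPP link
    installing its own default route."""
    t = RoutingTable()
    t.add(DHCP_ADDR, None, PHYS_IF)            # connected modem segment
    t.add("0.0.0.0/0", MODEM_GW, PHYS_IF)      # DHCP default route
    if host_route:
        t.add(f"{PPTP_SERVER}/32", MODEM_GW, PHYS_IF)
    if replace_default:
        t.delete("0.0.0.0/0")                  # a working dialer must do this first
    t.add("0.0.0.0/0", PPP_PEER, PPP_IF)       # raises if the DHCP default is still there
    return t


def egress_iface(t: RoutingTable, dst: str) -> str:
    r = t.lookup(dst)
    return r.iface if r else "unreachable"


def tunnel_encapsulates_itself(t: RoutingTable) -> bool:
    """True when the outer packets to the PPTP/L2TP server would themselves be
    routed into the PPP interface, i.e. the tunnel has no transport."""
    return egress_iface(t, PPTP_SERVER) == PPP_IF


if __name__ == "__main__":
    scenarios = {
        "DHCP default left in place": dict(host_route=True, replace_default=False),
        "no /32 to the PPTP server": dict(host_route=False, replace_default=True),
        "host route + replaced default": dict(host_route=True, replace_default=True),
    }
    for label, kwargs in scenarios.items():
        try:
            t = build_table(**kwargs)
        except FileExistsError as e:
            print(f"{label}: {e}")
            continue
        print(f"{label}: server via {egress_iface(t, PPTP_SERVER)}, "
              f"internet via {egress_iface(t, '8.8.8.8')}, "
              f"self-encapsulating={tunnel_encapsulates_itself(t)}")
```

Only the third scenario is usable: the first reproduces Micky's "File exists" failure, and the second dials but leaves the tunnel's outer packets with no path except the tunnel itself, which is why the /32 via the DHCP gateway has to exist before the PPP default route takes over.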

eri--

                                      Try allowing traffic to flow in the firewall rules.

Ozzik

                                        Micky,
                                        can you be a bit more specific about how you set up the interfaces?
Did you enable OPT1? What did you enter for the WAN interface on the regular "interfaces" page?
                                        What/where did you enter on the new PPPs "interfaces" page?

                                        Thanks.

Micky

                                          Starting with WAN set as DHCP on fxp0
                                          (my wan physical interface is fxp0.)

                                          I did the following:

1. added a PPTP link in the PPPs tab on fxp0 (to be changed later)
2. added the OPT1 interface in the assign tab.
3. swapped OPT1 to fxp0 and WAN to PPTP (assign tab)
4. went to the OPT1 config page, enabled it and set it to DHCP
5. in the PPPs tab, edited the PPTP link and changed it from fxp0 to OPT1 (without this nothing will work)

I didn't touch the WAN config page; it is automatically set to PPTP with the username and password.
And I'm dialing the PPTP server by IP (I don't know the PPTP hostname, only the L2TP one [my ISP: 014]).

I can ping the gateway and the hostnames are resolved correctly, but no more than that.
Already tried to add Allow rules (any protocol) on all interfaces.
The weird part: if I traceroute something, the first IP is 10.xxx.xxx.xxx (trace and ping done from the console),
and I shouldn't have anything of this type (my LAN is 192.168.xxx.xxx, OPT1 is 172.28.xxx.xxx and WAN (PPTP) is 84.xxx.xxx.xxx).

I'll try a clean install and L2TP after the file edit bug is fixed, as vi and I are incompatible. :-\

(Oh, and don't restart; the PPTP won't connect after a restart.)

Micky

And here is the L2TP log:

                                            Aug 5 05:57:51 	ppp: L2TP: Control connection 0x287d0d08 terminated: 6 (expecting reply; none received)
                                            Aug 5 05:56:50 	ppp: L2TP: Initiating control connection 0x287d0d08 0.0.0.0 0 <-> 0.0.0.0 1701
                                            Aug 5 05:56:50 	ppp: [wan_link0] LCP: LayerStart
                                            Aug 5 05:56:50 	ppp: [wan_link0] LCP: state change Initial --> Starting
                                            Aug 5 05:56:50 	ppp: [wan_link0] LCP: Open event
                                            Aug 5 05:56:50 	ppp: [wan_link0] Link: OPEN event
                                            Aug 5 05:56:50 	ppp: mpd_wan.conf:35: Incorrect context for: 'set pptp disable windowing'
                                            Aug 5 05:56:50 	ppp: mpd_wan.conf:34: Incorrect context for: 'set pptp peer 212.25.127.14'
                                            Aug 5 05:56:50 	ppp: mpd_wan.conf:33: Incorrect context for: 'set pptp self 172.28.142.143'
                                            Aug 5 05:56:50 	ppp: [wan] Bundle: Interface ng0 created
                                            Aug 5 05:56:50 	ppp: web: web is not running
                                            Aug 5 05:56:50 	ppp: process 17453 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 17:45 2-Jul-2010)
                                            Aug 5 05:56:50 	ppp:
Aug 5 05:56:50 	ppp: Multi-link PPP daemon for FreeBSD

As far as I understand, the IP addresses are not set correctly.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.