PPTP/L2TP on interfaces
-
Hi,
I know this topic was already discussed a couple of times, but I was hoping that the 2.0 release will finally make it happen.
Anyway, in some countries ISPs offer an internet setup, which pfsense is not build up for. It goes like this:A computer(pfsense in this case) takes an IP from the modem via DHCP. This IP is from private network (i.e. 172.x.x.x), then on top of it the "dialer" brings up the PPTP/L2TP interface and gets the public IP.
Now, basically, with the 1.2.3 release I was able to get it working. This is how I did it:
1. Assuming WAN is the interface to connect to the internet - set it to DHCP, write down the IP, netmask and gateway that came from the modem.
2. On some other PC do a nslookup for the ISP's PPTP server name, which is supposed to be a pool of IPs. Choose one. Write it down.
3. Set the WAN interface to PPTP and besides the user/pass, in the local IP address type the IP/netmask from the DHCP we got earlier. In the remote IP address type the PPTP server of choice from step 2.
4. Set up a static route:
interface: WAN
network: PTPP server from step 2 (/32)
gateway: the one that we got from DHCP.That's it. But there's a problem with such setup: if the ISP decides to change the PPTP server or DHCP pool of modems - we have to manually change these settings again.
Now, since these settings are already possible via the WebGUI, I was hoping it can be implemented in a more native way. One of the important things here is being able to type in a "remote IP address" the hostname and not the IP. The other one of course - DHCP/static route.Another thing is that it would be great if you could implement the same thing for L2TP. It seems that (at least here in Israel) we're moving in this direction and it's not possible to get a line above 10Mb without L2TP.
By the way, all of these things are already implemented in m0n0wall-mod distro, so maybe it will be possible to port it to pfsense.
I know this setup is problematic not only in Israel, as I've seen similar posts from other countries in Europe, Russia(which is where the author of m0n0wall-mod is from) and Australia.
-
This has been brought up before but I'm not sure if anyone has worked on it. There is someone working on the PPP/PPPoE/PPTP code right now, but I don't know that this has been considered. You might want to open up a feature request ticket at http://redmine.pfsense.org with details of how your ISP requires this to work.
-
I'll investigate what's involved in making this work.
Gabriel -
Great, thanks a lot!
-
I was wondering if there are any news on that?
Also, I opened a feature request: http://redmine.pfsense.org/issues/624 -
https://rcs.pfsense.org/projects/pfsense/repos/gnhb-clone/commits/3a906378cb8094c4fcf1c6ad7421199670ad8e70
-
ok, first - thank you very much!
second - I'm not sure about what to do with that. As I understand, it's still in clone repositories, because I don't see the "ppps" tab in the "interfaces" page yet (I downloaded the last snapshot today).
When will it be in the snapshot? -
You can't really do anything with it easily. I just posted that to show you that it was getting in there. This code will be in the snapshots soon. I'll try to remember to post back here when it gets in.
If you PM me your email address I can give you some advanced testing files, but you have to promise to post your results and feedback back here. :)
GB
-
As I try to refine this solution, it occurs to me that it's not possible to do a DNS lookup without some existing link to the internet, so how exactly does one resolve the pptp server hostname?
I can understand that DHCP returns a local IP, and a router/gateway IP which are for the modem itself, but if the modem is not connected to the ISP somehow already, this situation will not be possible.
Please provide more detailed information.
Thanks,
GB
-
Unfortunately, I don't really know about what's going on behind the scene, but I believe that the dns lookup is done through the local gateway. This scenario comes native in all the cheap routers sold here, so I guess that's the way it's done.
-
Okay. I get it now. I looked up with Google!
You have a cable modem right?with HOT right?
GB
-
that's right:)
was i right in my assumptions?
-
Hi,
Thank you for working on this option.
I tried to test it by setting the physical interface as opt1 (dhcp ) and assigning the l2tp to wan.
Tried also by directly setting wan as l2tp and in the mlppp tab setting its physical interface. But i don't see it trying to connect (nothing in the system log and ppp log + wan is down).Am i doing something wrong here ?
Is there a way to see a more verbose log of the pptp/l2tp connection ?Thanks !
-
Some code that does this is currently in snapshots from June 15th or later, but it's commented out. You must uncomment it in /etc/inc/interfaces.inc like this (code below), and you must have a separate interface defined (like OPT1) that is set to enable DHCP on the same physical interface that the PPtP link is using.
The PPtP link won't come up at boot time. You'll have to start it manually from Status->Interfaces page. This will hopefully be less manual in the future.GB
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 84e1376..8bce426 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -1062,13 +1062,13 @@ function interface_ppps_configure($interface) { /* XXX: This needs to go away soon! [It's commented out!] */ /* Configure the gateway (remote IP ) */ if (!$g['booting'] && !is_ipaddr($gateways[$pid]) && is_hostname($gateways[$pid])) { - /* XXX: Fix later + /* XXX: Fix later */ $gateways[$pid] = gethostbyname($gateways[$pid]); if(!is_ipaddr($gateways[$pid])) { log_error("Could not get a valid Gateway IP from {$port} via DNS in interfaces_ppps_configure."); return 0; } - */ + } if(!is_ipaddr($gateways[$pid])){ log_error("Could not get a PPtP/L2tP Remote IP address from {$dhcp_gateway} for {$gway} in interfaces_ppps_configure."); -
Hi,
finally got around to test it.In my testing environment I only have WAN and Wi-Fi for LAN, so I set WAN to DHCP, created another interface (OPT1) on the PPPs tab and configured it to PPTP. I also uncommented the code you mentioned, but as Micky said previously - nothing happens.
I see the "connect" button on the "interfaces" status, and when pressed - nothing happens, no logged events, nothing.
Am I doing something wrong?
-
I've managed to get the PPTP to dial up, but the no traffic outside.
I think the problem is the gateway, in the gateway list i can only see the DHCP gateway thorough which i dialed the VPN and not the PPTPs.And in PPP log:
Aug 3 20:07:29 ppp: [wan] IFACE: Up event
Aug 3 20:07:29 ppp: [wan] IFACE: Add route 0.0.0.0/0 212.25.114.90 failed: File exists
Aug 3 20:07:29 ppp: [wan] 84.110.xxx.xxx -> 212.25.114.90
Aug 3 20:07:29 ppp: [wan] IPCP: LayerUp
Aug 3 20:07:29 ppp: [wan] IPCP: state change Ack-Sent –> Opened
Aug 3 20:07:29 ppp: [wan] SECDNS 62.219.186.7
Aug 3 20:07:29 ppp: [wan] PRIDNS 192.117.235.235
Aug 3 20:07:29 ppp: [wan] IPADDR 84.110.xxx.xxx
Aug 3 20:07:29 ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)To get it to dial i set
OPT1 as DHCP (on physical interface)
WAN as PPTP (on OPT1) – and not on the physical interfaceOn L2TP it somehow tried to dial once but i cant repeat that, there is no button to start the interface in the status_interface.php page,
just "Status down".Edit:
Probably NOT the gateway, if i try to ping something the host name is resolved correctly. -
Try allowing traffic to flow in the firewall rules.
-
Micky,
can you be a bit more specific about how you set up the interfaces?
Did you enable the OPT1? What did enter on WAN interface in the regular "interfaces" page?
What/where did you enter on the new PPPs "interfaces" page?Thanks.
-
Starting with WAN set as DHCP on fxp0
(my wan physical interface is fxp0.)I did the following:
1. added PPTP link in ppps tab on fxp0 (will be changed later)
2. added OPT1 interface in the assign tab.
3. swapped OPT1 to fxp0 and WAN to pptp (assign tab)
4. went to the OPT1 config page, enabled it and set it do DHCP
5. in ppps tab edited the PPTP link and changed it from fxp0 to OPT1 (without this nothing will work)I didn't touch the WAN config page, it is automatically set to PPTP with the username and password.
And i'm dialing the PPTP server by IP ( i dont know the pptp hostname, only the l2tp [my isp: 014])I can ping the gateway and the hostnames are resolved correctly but no more then that.
Already tried to add Allow rules (any protocol) on all interfaces.
The weird part if i trace route something the first ip is 10.xxx.xxx.xxx (trace & ping done from console)
and i shouldn't have anything of this type (my lan is 192.168.xxx.xxx, OPT1 is 172.28.xxx.xxx and WAN (pptp) is 84.xxx.xxx.xxx).I'll try clean install and L2TP after the file edit bug fixed as VI and I are incompatible. :-\
(oh, and don't restart, the pptp wont connect after restart)
-
And here the l2tp log:
Aug 5 05:57:51 ppp: L2TP: Control connection 0x287d0d08 terminated: 6 (expecting reply; none received) Aug 5 05:56:50 ppp: L2TP: Initiating control connection 0x287d0d08 0.0.0.0 0 <-> 0.0.0.0 1701 Aug 5 05:56:50 ppp: [wan_link0] LCP: LayerStart Aug 5 05:56:50 ppp: [wan_link0] LCP: state change Initial --> Starting Aug 5 05:56:50 ppp: [wan_link0] LCP: Open event Aug 5 05:56:50 ppp: [wan_link0] Link: OPEN event Aug 5 05:56:50 ppp: mpd_wan.conf:35: Incorrect context for: 'set pptp disable windowing' Aug 5 05:56:50 ppp: mpd_wan.conf:34: Incorrect context for: 'set pptp peer 212.25.127.14' Aug 5 05:56:50 ppp: mpd_wan.conf:33: Incorrect context for: 'set pptp self 172.28.142.143' Aug 5 05:56:50 ppp: [wan] Bundle: Interface ng0 created Aug 5 05:56:50 ppp: web: web is not running Aug 5 05:56:50 ppp: process 17453 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 17:45 2-Jul-2010) Aug 5 05:56:50 ppp: Aug 5 05:56:50 ppp: Multi-link PPP daemon for FreeBSDas far as i understand the ip addresses are not set correctly.
