PPTP/L2TP on interfaces
-
Ermal,
I looked up this network/ISP configuration online and found a few references. This setup is in Israel and the connection they have works like this: http://www.megavolt.co.il/connecting/ISP/chooseISP.html
(from provided link)
Consumers who want to connect to the internet in Israel must purchase two services, an “infrastructure” service (known in Hebrew as “tashtit”) and an ISP (“internet service provider”) service. Each without the other is of no value. There are currently two infrastructure providers in Israel, Bezeq - the telephone company, and HOT - the cable company. There are a number of internet service providers, with 5 major ISP’s sharing the bulk of the market.
(Bezeq, the teleco, uses PPPoE, but that's not what we're discussing here. This thread is only about users that get internet via Cable.)
Step 1: User selects an ISP, say NetVision, and enters a hostname given by ISP into the "Gateway" field in the L2TP/PPTP setup pages. User also sets up OPT1 as DHCP interface and uses the same physical interface as the L2TP/PPTP connection uses.
Step 2: pfSense box does a DHCP request through the cable box, and this request gets routed by the cable box to the cable company's servers which hand out an IP address to pfSense.
Step 3: Then, pfSense needs to do a DNS query to the servers just received in the DHCP response. It queries for the IP of the hostname entered into the "Gateway" field in Step 1. This IP is then used as the Gateway for the L2TP/PPTP link, connecting the user to their ISP.
Hope this helps understand what is happening with these guys.
GB
-
Well, adding this

    $parent_gw = get_interface_gateway($port);
    mwexec("route add -host {$gateways[$pid]} {$parent_gw}");

into Interfaces.inc at line 1101 solved the gateway/"dialing on restart" problems.
(the entire block:)

    /* We bring up the parent interface first because if DHCP is configured on the parent we
     * need to obtain an address first so we can write it in the mpd .conf file for PPTP and L2TP configs */
    foreach($ports as $pid => $port){
        switch ($ppp['type']) {
            case "pppoe":
                /* Bring the parent interface up */
                interfaces_bring_up($port);
                break;
            case "pptp":
            case "l2tp":
                /* configure interface */
                if(is_ipaddr($localips[$pid])){
                    // Manually configure interface IP/subnet
                    pfSense_interface_setaddress($port, "{$localips[$pid]}/{$subnets[$pid]}");
                    interfaces_bring_up($port);
                } else if (empty($localips[$pid]))
                    $localips[$pid] = get_interface_ip($port); // try to get the interface IP from the port
                if(!is_ipaddr($localips[$pid])){
                    log_error("Could not get a Local IP address for PPTP/L2TP link on {$port} in interfaces_ppps_configure.");
                    return 0;
                }
                /* XXX: This needs to go away soon! [It's commented out!] */
                /* Configure the gateway (remote IP ) */
                if (!$g['booting'] && !is_ipaddr($gateways[$pid]) && is_hostname($gateways[$pid])) {
                    /* XXX: Fix later
                    $gateways[$pid] = gethostbyname($gateways[$pid]);
                    if(!is_ipaddr($gateways[$pid])) {
                        log_error("Could not get a valid Gateway IP from {$port} via DNS in interfaces_ppps_configure.");
                        return 0;
                    }
                    */
                }
                if(!is_ipaddr($gateways[$pid])){
                    log_error("Could not get a PPTP/L2TP Remote IP address from {$dhcp_gateway} for {$gway} in interfaces_ppps_configure.");
                    return 0;
                }
                $parent_gw = get_interface_gateway($port);
                mwexec("route add -host {$gateways[$pid]} {$parent_gw}");
                break;
            case "ppp":
                if (!file_exists("{$port}")) {
                    log_error("Device {$port} does not exist. PPP link cannot start without the modem device.");
                    return 0;
                }
                break;
            default:
                log_error("Unkown {$type} configured as ppp interface.");
                break;
        }
    }
I still don't know how to make it dial on boot…
edit: And I still see only one gateway (the DHCP (OPT1) one) in Status->Gateways, but the routes are correct and in System->Routing there are 2 gateways.

In function interface_bring_down I added:
    $int_list = get_configured_interface_list_by_realif();
    if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) {
        foreach ($config['ppps']['ppp'] as $pppid => $ppp) {
            if ($ppp['type'] == 'pptp' || $ppp['type'] == 'l2tp') {
                $ports = explode(',',$ppp['ports']);
                foreach($ports as $pid => $port){
                    if ($port == $interface) {
                        interface_bring_down($int_list[$ppp['if']]);
                    }
                }
            }
        }
    }
Entire part:
    function interface_bring_down($interface = "wan", $destroy = false) {
        global $config, $g;

        if (!isset($config['interfaces'][$interface]))
            return;

        $ifcfg = $config['interfaces'][$interface];
        $realif = get_real_interface($interface);

        $int_list = get_configured_interface_list_by_realif();
        if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) {
            foreach ($config['ppps']['ppp'] as $pppid => $ppp) {
                if ($ppp['type'] == 'pptp' || $ppp['type'] == 'l2tp') {
                    $ports = explode(',',$ppp['ports']);
                    foreach($ports as $pid => $port){
                        if ($port == $interface) {
                            interface_bring_down($int_list[$ppp['if']]);
                        }
                    }
                }
            }
        }

        switch ($ifcfg['ipaddr']) {
            case "ppp":
            case "pppoe":
            case "pptp":
            case "l2tp":
                if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) {
                    foreach ($config['ppps']['ppp'] as $pppid => $ppp) {
                        if ($realif == $ppp['if']) {
                            if (file_exists("{$g['varrun_path']}/{$ifcfg['ipaddr']}_{$interface}.pid")) {
                                killbypid("{$g['varrun_path']}/{$ifcfg['ipaddr']}_{$interface}.pid");
                                sleep(2);
                            }
                            unlink_if_exists("{$g['varetc_path']}/mpd_{$interface}.conf");
                            if (isset($ppp['ondemand']) && !$destroy) {
                                interface_configure($interface);
                            }
                            break;
                        }
                    }
                }
                break;
            case "carpdev-dhcp":
                /*
                 * NB: When carpdev gets enabled it would be better to be handled as all
                 * other interfaces!
                 */
And in function interface_dhcp_configure I added at the end:
    $int_list = get_configured_interface_list_by_realif();
    if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) {
        foreach ($config['ppps']['ppp'] as $pppid => $ppp) {
            if ($ppp['type'] == 'pptp' || $ppp['type'] == 'l2tp') {
                $ports = explode(',',$ppp['ports']);
                foreach($ports as $pid => $port){
                    if ($port == $interface) {
                        interface_ppps_configure($int_list[$ppp['if']]);
                    }
                }
            }
        }
    }
Entire part:
        /* bring wan interface up before starting dhclient */
        if($wanif)
            interfaces_bring_up($wanif);
        else
            log_error("Could not bring up {$wanif} interface in interface_dhcp_configure()");

        /* fire up dhclient */
        mwexec("/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$interface}.conf {$wanif} > {$g['tmp_path']}/{$wanif}_output > {$g['tmp_path']}/{$wanif}_error_output");

        $int_list = get_configured_interface_list_by_realif();
        if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) {
            foreach ($config['ppps']['ppp'] as $pppid => $ppp) {
                if ($ppp['type'] == 'pptp' || $ppp['type'] == 'l2tp') {
                    $ports = explode(',',$ppp['ports']);
                    foreach($ports as $pid => $port){
                        if ($port == $interface) {
                            interface_ppps_configure($int_list[$ppp['if']]);
                        }
                    }
                }
            }
        }

        return 0;
    }
So now it reconnects on reboot and on a physical WAN unplug/plug event.
Probably not the correct way to do this, but it works.
-
Hi,
are there any news on this? Are Micky's suggestions implemented?
Unfortunately, it's impossible for me to test it in production, but I'd be happy to try a more stable version of this.
Thanks.
-
Micky's suggestions aren't implemented.
I'm sure what he's done works, and there are lots of ways to make this one use case work, but pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way, and we haven't sorted that out yet.
We're still discussing this issue among the devs and trying to figure out if and how to officially get the functionality into the code base.
See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)
GB
-
pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way
No argument here.
See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)
It seems like this issue is resolved, isn't it?
Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
Thanks.
-
hi all,
is there any news regarding this issue?
-
guys, is there any update on this?
-
I tried again several snaps ago and it was not working. :'(
-
For info, in France we have an ISP with the same problem:
Numericable, with DHCP for classic clients.
For a fixed IP, they use an L2TP tunnel on the WAN.
-
Does the DHCP server give you a public IP address?
GB
-
Hi,
so as I understand this whole thing will not make it into the 2.0 release?
Will we have to manually do the changes Micky was doing?
Or is it also obsolete due to some changes in the code?
Thanks.
-
Yes, the default mode is a public IP from DHCP.
And if you want to use the static IP you have to go to L2TP.
-
Guldil,
pretty much like us, only it's not very easy to get the ISP to give you a DHCP public IP (you have to fight for that). But most businesses only use static IPs, so it's irrelevant. We need the PPTP/L2TP badly.
-
It's really annoying for us because we have really good transfer rates:
30Mbps download / 1Mbps upload, and some of us have 100 Mbps download / 5 Mbps upload…
And the really bad part of this: it looks like my current router doesn't have the CPU to handle the L2TP tunnel at 30Mbps... so I don't use my static IP :(
-
The way it is set up at the moment is that every ISP "gives" HOT, the cable company, a block of IPs.
HOT knows which client is connected with which ISP using the cable modem's MAC. Using this it assigns the client an IP from the ISP's block and does MPLS routing to the ISP's network. This way, when the MPLS is done, the client already has the correct IP, DNS and any other settings it needs, and all it needs to do is request them using DHCP.
BUT -
If you want a static IP, you can't use MPLS and you need to go back to the old way - L2TP or PPTP. This is the only way the ISP's system can recognize you by the user/pass and "assign" you the correct static IP.
I need a static IP, so I need this to work.
At the moment I use another router in the middle whose only job is the L2TP connection.
-
Hi roi,
I used to have another router (Level One) too, in a work environment, for connecting to PPTP; however it's not very practical since these small $50 pieces of sh#t can't really handle the load of 70-80 users surfing the 3x10Mb lines.
The RRD quality graph would show over 100ms just pinging the router from pfSense, because it was so overloaded.
And of course, buying expensive equipment just for dialing doesn't make sense.
By the way, I don't know if any of you know this, but there's a guy named Evgeny who created a package for doing something very similar, but for version 1.2.3: http://ru.doc.pfsense.org/dhcppptp/dhcppptp_v0.tar.gz
http://forum.pfsense.org/index.php/topic,24734.msg128543.html#msg128543
I couldn't test it, since my firewall is very much in production, but I should warn you that:
a. It's made for Russian ISPs
b. He says it's a total alpha, so no guarantees
But maybe, just maybe, someone can adapt his work and create something similar for 2.0. Maybe it's good that it comes in package form?
-
But do you need a static IP on each of these connections, and are they all with HOT?
Can't you move some of these connections to MPLS and use only one with L2TP/PPTP for a static IP?
-
I wish. But we have several server farms (with pfSense of course) and we need to connect to the servers there - I can't change IPs every time DHCP changes the address.
-
This is by far a great FW, with the L2TP/PPTP the only limitation for me.
I had to move to a PPTP/L2TP solution as the ISPs are forcing this by giving crappy service on the DHCP-only service.
Currently I have installed a virtual Linux with the xl2tp client, and so I am doing double NAT on Linux and pfSense.
I'm very experienced in networking; I worked in the engineering department of one of the ISPs in Israel.
I will try to give a very detailed general explanation of the process (not specific to how it should look on pfSense):
Setup before the process: L2TP/PPTP server (not just an IP, can be a DNS entry of the server), user/password
1.) Router (any router, could be a Windows client) sends a DHCP request to the cable company (not the ISP).
2.) Router gets a DHCP address from the cable company - usually a private address, but it doesn't matter if it's public.
3.) Router also gets from DHCP the default GW to the cable company and the DNSes of the cable company (not the DNS of the ISPs).
4.) Router performs a DNS query for the L2TP/PPTP server IP (the cable company has in their DNS servers all the servers of all the ISPs).
5.) Router should add a static route for the IP it got for the L2TP/PPTP server via the default GW of the cable company (because when the tunnel is created the default GW changes to it, and we could then lose the tunnel).
6.) Open the L2TP/PPTP tunnel to the IP we got.
7.) Remove the current default GW and change the GW to the tunnel interface (it could be that the default GW is pushed from the L2TP/PPTP protocol, so we just use it, but still remove the default GW of the cable company).
8.) DNSes are also pushed from the L2TP/PPTP connection.
What I do in Linux scripts is save the resolv.conf of the cable, also get the default cable GW and the resolved IP of the L2TP/PPTP server to add the static route, so the L2TP/PPTP tunnel still goes to the cable GW and the rest of the traffic flows through the ppp0 tunnel interface.
Example:
I got from the cable a DHCP address of: 172.16.200.100, GW: 172.16.200.1, DNS: 192.168.101.101 (yes, the DNS is a private IP)
I resolve l2tp.bezeq.net to: 208.73.210.29
I route add 208.73.210.29/32 to the (cable) GW 172.16.200.1
I open the L2TP tunnel to: 208.73.210.29
On successful connection I add a default GW on the ppp0 interface (if not pushed from the tunnel; usually there is a configuration option on the L2TP client for whether the DGW is accepted). I should also have gotten the ISP's DNS servers from the tunnel.
Hope this helps, please let me know if more information is needed.
I would love to see it work on pfSense.
-
I created this to follow up and not lose the description: http://redmine.pfsense.org/issues/1349.
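The bring-up procedure the thread describes (GB's three steps and the eight steps plus worked numbers in the post by the former ISP engineer) written out as a Linux shell script. This is an added example, not code from any post in the thread or from pfSense; it assumes xl2tpd with a LAC named "isp", a placeholder server hostname l2tp.example.net, and a DRY_RUN mode that prints each privileged command instead of executing it.

```shell
#!/bin/sh
# Cable + L2TP bring-up following the steps in the thread: take the cable
# company's DHCP lease, resolve the ISP tunnel server through the cable DNS,
# pin a /32 route to it via the cable gateway, connect, then move the default
# route onto the ppp interface. Assumptions (placeholders, not from any post):
# the tunnel is an xl2tpd LAC named "isp"; DRY_RUN=1 prints each privileged
# command instead of running it so the plan can be reviewed without root.
L2TP_SERVER="${L2TP_SERVER:-l2tp.example.net}"   # hostname handed out by the ISP
PPP_IF="${PPP_IF:-ppp0}"
STATE=/run/cable-l2tp.state                       # cable gw + server IP kept for tear-down
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
cable_gateway() { ip -4 route show default | awk '{print $3; exit}'; }   # from the DHCP lease
cable_dns() { awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf; }

# Step 4: query the cable resolver explicitly; once the tunnel is up
# resolv.conf is rewritten with the ISP's servers, which may be unreachable.
resolve_via() { dig +short +time=3 @"$2" "$1" A | grep -E '^[0-9.]+$' | head -n 1; }

pin_server_route() { run ip route replace "$1/32" via "$2"; }    # step 5: tunnel packets stay on the cable path
use_tunnel_default() { run ip route replace default dev "$1"; }  # step 7: everything else through the tunnel

wait_for_ppp() {  # $1 = interface, $2 = timeout in seconds
    i=0
    while [ "$i" -lt "$2" ]; do
        ip -4 addr show "$1" 2>/dev/null | grep -q 'inet ' && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

bring_up() {
    gw=$(cable_gateway); dns=$(cable_dns)
    is_ipv4 "$gw" && is_ipv4 "$dns" || { echo "no usable cable lease (gw=$gw dns=$dns)" >&2; return 1; }
    server=$(resolve_via "$L2TP_SERVER" "$dns")
    is_ipv4 "$server" || { echo "cannot resolve $L2TP_SERVER via $dns" >&2; return 1; }
    run sh -c "printf '%s %s\n' $gw $server > $STATE"
    pin_server_route "$server" "$gw"
    run sh -c 'echo "c isp" > /var/run/xl2tpd/l2tp-control'   # step 6: xl2tpd "connect" command
    [ "${DRY_RUN:-0}" = 1 ] || wait_for_ppp "$PPP_IF" 30 || { echo "tunnel did not come up" >&2; return 1; }
    use_tunnel_default "$PPP_IF"    # pppd's defaultroute/replacedefaultroute options can do this too
}
tear_down() {  # undo in reverse order and return to the plain cable default route
    read -r gw server < "$STATE" || return 1
    run sh -c 'echo "d isp" > /var/run/xl2tpd/l2tp-control'
    run ip route replace default via "$gw"
    run ip route del "$server/32"
}
case "${1:-}" in up) bring_up ;; down) tear_down ;; esac
```

Run with `DRY_RUN=1 ./cable-l2tp.sh up` first to see the exact route changes before letting it touch a live box.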