Netgate Discussion Forum
    PPTP/L2TP on interfaces

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    150 Posts, 16 Posters, 89.0k Views

    Ozzik:

    Hi,
    is there any news on this? Are Micky's suggestions implemented?
    Unfortunately, it's impossible for me to test it in production, but I'd be happy to try a more stable version of this.

    Thanks.

    gnhb:

    Micky's suggestions aren't implemented.
    I'm sure what he's done works, and there are lots of ways to make this one use case work, but pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way, and we haven't sorted that out yet.

    We're still discussing this issue among the devs and trying to figure out if and how to officially get the functionality into the code base.

    See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

    GB

    Ozzik:

        pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way

    No argument here.

        See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

    It seems like this issue is resolved, isn't it?

    Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
    Thanks.

    elade:

    @Ozzik:

        pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way

        No argument here.

        See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

        It seems like this issue is resolved, isn't it?

        Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
        Thanks.

    Hi all,
    is there any news regarding this issue?

    Ozzik:

    Guys, is there any update on this?

    roi:

    I tried again several snaps ago and it was not working.  :'(

    Version 2.0-BETA4 (i386)
    AMD Athlon™ XP 2000+

    Guldil:

    For info, in France we have an ISP with the same problem:
    Numericable, with DHCP for classic clients.
    For a fixed IP, they use an L2TP tunnel on WAN.

    gnhb:

    Does the DHCP server give you a public IP address?
    GB

    Ozzik:

    Hi,
    so as I understand, this whole thing will not make it into the 2.0 release?
    Will we have to manually do the changes Micky was doing?
    Or is it also obsolete due to some changes in the code?

    Thanks.

    Guldil:

    Yes, the default mode is a public IP from DHCP.
    And if you want to use the static IP you have to go to L2TP.

    Ozzik:

    Guldil,
    pretty much like us, only it's not very easy to get the ISP to give you a DHCP public IP (you have to fight for that). But most businesses only use static IPs, so it's irrelevant. We need the PPTP/L2TP badly.

    Guldil:

    It's really annoying for us because we have really good transfer rates:
    30Mbps download / 1Mbps upload, and some of us have 100 Mbps download / 5 Mbps upload…

    And the really bad part of this: it looks like my current router doesn't have the CPU to handle the L2TP tunnel at 30Mbps... so I don't use my static IP :(

    roi:

    The way it is set up at the moment is that every ISP "gives" HOT, the cable company, a block of IPs.
    Hot knows which client is connected with which ISP using the cable modem's MAC. Using this it assigns the client an IP from the ISP's block and does MPLS routing to the ISP's network. This way, when the MPLS is done, the client already has the correct IP, DNS and any other settings it needs, and all it needs to do is request them using DHCP.

    BUT-
    If you want a static IP, you can't use MPLS and you need to go back to the old way - L2TP or PPTP. This is the only way the ISP's system can recognize you by the user/pass and "assign" you the correct static IP.

    I need a static IP so I need this to work.
    At the moment I use another router in the middle that does nothing but the L2TP connection.

    Version 2.0-BETA4 (i386)
    AMD Athlon™ XP 2000+

    Ozzik:

    Hi roi,
    I used to have another router (Level One) too in a work environment for connecting to PPTP, however it's not very practical since these small $50 pieces of sh#t can't really handle the load of 70-80 users surfing the 3x10Mb lines.
    The RRD quality graph would show over 100ms just pinging the router from pfSense, because it was so overloaded.
    And of course, buying expensive equipment just for dialing doesn't make sense.

    By the way, I don't know if any of you know this, but there's a guy named Evgeny who created a package for doing something very similar, but for version 1.2.3: http://ru.doc.pfsense.org/dhcppptp/dhcppptp_v0.tar.gz
    http://forum.pfsense.org/index.php/topic,24734.msg128543.html#msg128543

    I couldn't test it, since my firewall is very much in production, but I should warn you that:
    a. It's made for Russian ISPs
    b. He says it's a total alpha, so no guarantees

    But maybe, just maybe, someone can adapt his work and create something similar for 2.0. Maybe it's good that it comes in package form?

    roi:

    But do you need a static IP on each of these connections, and are they all with Hot?
    Can't you move some of these connections to MPLS and use only one with L2TP/PPTP for a static IP?

    Version 2.0-BETA4 (i386)
    AMD Athlon™ XP 2000+

    Ozzik:

    I wish. But we have several server farms (with pfSense of course) and we need to connect to the servers there - I can't change IPs every time the DHCP changes address.

    sevet:

    This is by far a great FW, with the L2TP/PPTP the only limitation for me.

    I had to move to a PPTP/L2TP solution as the ISPs are forcing this by giving crappy service on DHCP-only service.
    Currently I have installed a virtual Linux with an xl2tp client, and so I'm doing double NAT on Linux and pfSense.

    I'm very experienced in networking; I worked in the engineering department of one of the ISPs in Israel.
    I will try to make a very detailed general explanation of the process (not specific to how it should look on pfSense):

    Setup before the process: l2tp/pptp server (not just IP, can be DNS entry of server), user/password

    1.) Router (any router, could be a Windows client) sends a DHCP request to the cable company (not the ISP).
    2.) Router gets a DHCP address from the cable company - usually a private address, but it doesn't matter if it's public.
    3.) Router also gets from DHCP the default GW to the cable company and the DNSes of the cable company (not the DNS of the ISPs).
    4.) Router performs a DNS query for the l2tp/pptp server IP (the cable company has in their DNS servers all the servers of all the ISPs).
    5.) Router should add a static route for the IP it got for the l2tp/pptp server via the default GW of the cable company (because when the tunnel is created the default GW changes to it, and we can then lose the tunnel).
    6.) Open the l2tp/pptp tunnel to the IP we got.
    7.) Remove the current default GW and change the GW to the tunnel interface (it could be that the default GW is pushed from the l2tp/pptp protocol, so we just use it, but still remove the default GW of the cable company).
    8.) DNSes are also pushed from the l2tp/pptp connection.

    What I do in Linux scripts is save the resolv.conf of the cables, and also get the default cables GW and the resolved IP of the l2tp/pptp server to add the static route, so the l2tp/pptp tunnel still goes to the cables GW and the rest of the traffic flows through the ppp0 tunnel interface.

    Example:

    I got from the cables a DHCP address of: 172.16.200.100  gw: 172.16.200.1  DNS: 192.168.101.101 (yes, the DNS is a private IP)
    I resolve l2tp.bezeq.net to: 208.73.210.29
    I route add 208.73.210.29/32 to (cables) gw 172.16.200.1
    I open the l2tp tunnel to: 208.73.210.29
    On successful connection I add the default gw on the ppp0 interface (if not pushed from the tunnel; usually there is a configuration option on the l2tp client for whether the dgw is accepted). I should also have gotten the ISP's DNS servers from the tunnel.

    Hope this helps, please let me know if more information is needed.
    I would love to see it work on pfSense.

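An added example, not from this thread or from pfSense, that scripts steps 4 to 7 of sevet's procedure on a Linux box like the one he describes: resolve the endpoint through the cable DNS, reject anything that is not a plain IPv4 address, pin a host route to it via the cable gateway, bring the tunnel up, and only then move the default route. The addresses are sevet's example values; the xl2tpd lac section name `isp`, the `xl2tpd-control connect` call and the use of glibc `getent` are assumptions, and with DRY_RUN=1 (the default) the script only prints the routing plan instead of changing anything.

```shell
#!/bin/sh
# L2TP-over-cable-DHCP bring-up (steps 4-7 above). Addresses are constructed from
# sevet's example; DRY_RUN=1 (default) prints the commands instead of running them.
CABLE_GW="${CABLE_GW:-172.16.200.1}"      # default gateway from the cable DHCP lease
L2TP_HOST="${L2TP_HOST:-l2tp.bezeq.net}"  # ISP endpoint, resolved through cable DNS
L2TP_IP="${L2TP_IP:-}"                    # optional override that skips the lookup
TUN_IF="${TUN_IF:-ppp0}"                  # interface the tunnel comes up on
L2TP_PEER="${L2TP_PEER:-isp}"             # hypothetical xl2tpd lac section name
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Refuse anything but a dotted quad: a failed lookup must never reach `ip route`.
is_ipv4() (
    IFS=.; set -- $1          # subshell body, so the IFS change does not leak
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1;; esac
        [ "$o" -le 255 ] || exit 1
    done
)
# Step 4: resolve while the cable DNS is still active (assumes glibc getent).
resolve_server() {
    if [ -n "$L2TP_IP" ]; then printf '%s\n' "$L2TP_IP"
    else getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; fi
}
# Step 5: host route via the cable gateway so the tunnel's own packets are not
# pulled into the tunnel once the default route moves.
pin_server_route() { run ip route replace "$1/32" via "$2"; }
# Step 7: drop the cable default route and send everything else into the tunnel.
switch_default_route() {
    run ip route del default via "$1" || true
    run ip route replace default dev "$2"
}
# Live mode only: wait (30 s max) for an IPv4 address on the tunnel interface.
wait_for_tunnel() {
    [ "$DRY_RUN" = "1" ] && return 0
    i=0
    until ip -4 addr show dev "$TUN_IF" 2>/dev/null | grep -q 'inet '; do
        i=$((i + 1)); [ "$i" -lt 30 ] || return 1; sleep 1
    done
}
bring_up() {
    server_ip=$(resolve_server "$L2TP_HOST")
    is_ipv4 "$server_ip" || { echo "cannot resolve $L2TP_HOST" >&2; return 1; }
    pin_server_route "$server_ip" "$CABLE_GW"
    run xl2tpd-control connect "$L2TP_PEER"          # step 6; swap in your client
    wait_for_tunnel || return 1
    switch_default_route "$CABLE_GW" "$TUN_IF"
}
if [ "${1:-}" = "up" ]; then bring_up; fi
```

Run it as `DRY_RUN=1 sh l2tp-up.sh up` to review the plan, and with DRY_RUN=0 as root on the box that holds the cable lease to apply it.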
    eri--:

    I created this to follow and not lose the description: http://redmine.pfsense.org/issues/1349.

    Loke:

    Need L2TP on the WAN interface badly as well. So many changes in 2.0 and still no L2TP, and still no DHCP+PPPoE/PPTP/L2TP. I don't understand why. Why is so much useless crap added and none of the features badly needed by so many people…

    You need to be a master of tough voodoo to be a guru.

    Ozzik:

        Why is so much useless crap added and none of the features badly needed by so many people…

    Hey, come on man, don't say that. These guys work really hard and are not asking for a penny in return. You should be grateful.
    Plus, don't forget that if you don't need some feature (or 10 of them), that doesn't mean nobody does; after all, these were all requested things.

    This situation with the PPTP/L2TP dialer really sucks, but as I understood from one of the devs, they don't want to break a bunch of already working stuff just to implement this feature. But now that we have a better explanation (thanks, sevet) of this process, maybe it will be easier to work out. Or like I said before, maybe it would be easier to implement as a package, so that we don't have to wait for the next version.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.