PPTP/L2TP on interfaces

Ozzik · Sep 1, 2010, 1:02 PM

Hi,
are there any news on this? Are Micky's suggestions implemented?
Unfortunately, it's impossible for me to test it in production, but I'd be happy to try a more stable version of this.

Thanks.

gnhb · Sep 4, 2010, 2:14 AM

Micky's suggestions aren't implemented.
I'm sure what he's done works, and there are lots of ways to make this one use case work, but pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way and we haven't sorted that out yet.

We're still discussing this issue among the devs and trying to figure out if and how to officially get the functionality into the code base.

See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

GB

Ozzik · Sep 4, 2010, 6:56 AM

pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way

No argument here.

See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

it seems like this is issue is resolved, isn't it?

Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
Thanks.

elade · Sep 26, 2010, 7:57 AM

@Ozzik:

pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way

No argument here.

See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

it seems like this is issue is resolved, isn't it?

Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
Thanks.

hi all,
is there any news regarding this issue ?

Ozzik · Nov 7, 2010, 7:40 PM

guys, is there any update on this?

roi · Nov 7, 2010, 9:47 PM

I triad again several snaps ago and it was not working. :'(

Guldil · Feb 25, 2011, 5:15 PM

For info in France we have an ISP with same problem :
Numericable with DHCP for classic client.
For Fixed IP, they use a L2TP tunnel on WAN.

gnhb · Feb 26, 2011, 9:58 AM

Does the DHCP server give you a public IP address?
GB

Ozzik · Feb 26, 2011, 10:19 AM

Hi,
so as I understand this whole thing will not make it into the 2.0 release?
Will we have to manually do the changes Micky was doing?
Or is it also obsolete due to some changes in the code?

Thanks.

Guldil · Feb 26, 2011, 12:24 PM

Yes default mode is a public ip from DHCP.
And if you want to use the static IP you have to go to L2TP.

Ozzik · Feb 26, 2011, 12:29 PM

Guldil,
pretty much like us, only it's not very easy to get the ISP give you a DHCP public IP (you have to fight for that). But most businesses only use static IPs so it's irrelevant. We need the PPTP/L2TP badly.

Guldil · Feb 27, 2011, 5:49 PM

It's really annoying for us because we have really good transfer :
30Mbps download / 1Mbps Upload and some of us have 100 Mbps download / 5 mbps upload…

And the really bad part of this, looks like my current router dont have the CPU to handle the L2TP tunnel at 30Mbps... so i don't use my static ip :(

roi · Feb 28, 2011, 2:04 PM

The way it is set at the moment is that every ISP "give" HOT, the cable company a block of IP's.
Hot know what client is connected with what ISP using the cable modem's MAC. using this it assign the client a IP from the ISP's block and do MPLS routing to the ISP's network. this way when the MPLS is done, the client already have the correct IP,DNS and any other settings it need and all it need to do is request them using DHCP.

BUT-
If you want a static IP, you cant use MPLS and you need to go back to the old way - L2TP or PPTP. this is the only way the ISP's system can recognize you by the user/pass and "assigne" you the correct static IP.

I need a static IP so I need this to work.
At the moment I use another router in the middle that all it's doing is the L2TP connection.

Ozzik · Feb 28, 2011, 2:32 PM

Hi roi,
I used to have another router(Level One) too in work environment for connecting to PPTP, however it's not very practical since these small $50 pieces of sh#t can't really handle the load of 70-80 users surfing the 3x10Mb lines.
The RRD quality graph would show over a 100ms just pinging the router from pfSense, because it was so overloaded.
And of course, buying an expensive equipment just for dialing - doesn't make sense.

By the way, I don't know if any of you know this, but there's a guy named Evgeny, that created a package for doing something very similar but for version 1.2.3: http://ru.doc.pfsense.org/dhcppptp/dhcppptp_v0.tar.gz
http://forum.pfsense.org/index.php/topic,24734.msg128543.html#msg128543

I couldn't test it, since my firewall is in very production, but I should warn you that:
a. It's made for russian ISPs
b. He says it's a total alpha, so no guarantees

But maybe, just maybe, someone can adapt his work and create something similar for 2.0. Maybe it's good that it comes in a package form?

roi · Feb 28, 2011, 7:32 PM

But do you need a static IP on each of these connections and are they all with Hot ?
Can't you move some of these connections to MPLS and use only one with L2TP/PPTP for a static IP ?

Ozzik · Feb 28, 2011, 9:51 PM

I wish. But we have several server farms (with pfsense of course) and we need to connect to the servers there - I can't change IPs every time the DHCP changes address.

sevet · Mar 13, 2011, 2:47 PM

This is by far a great FW with the L2TP/PPTP the only limitation for me.

I had to move to a PPTP/L2TP solution as the ISPs are forcing this by giving crappy service on DHCP only service.
Currently I installed a virtual linux with xl2tp client and so making double nat on linux and pfsense.

I'm very experienced in networking, worked at the engineering of one of the ISP's in Israel.
I will try to make a very detailed general explanation of the process (not specific to how it should look on pf-sense):

Setup before the process: l2tp/pptp server (not just IP, can be DNS entry of server), user/password

1.) Router (any router, could be windows client) - sends DHCP request to the cable company (not the ISP).
2.) Router Gets DHCP address from cable company - usually a private address but it doesn't matter if its public
3.) Router also get from DHCP default GW to the cable company and DNSes of the cable company (not DNS of the ISPs)
4.) Router performs DNS query for the l2tp/pptp server IP (the cable company has in their DNS servers all the servers of all the ISP's)
5.) Router should add static route of the IP it got to the l2tp/pptp server to the default GW of the cable company (as when the tunnels is created the default gw changes to it and we then can loose the tunnel)
6.) open l2tp/pptp tunnel to the IP we got
7.) remove the current default gw and change the gw to the tunnel interface (could be that default gw is pushed from the l2tp/pptp protocol so we just use it, but still remove the default gw of the cable company)
8.) DNSes are also pushed from the l2tp/pptp connection

What I do on linux scripts is save the resolve.conf of the cables, also get the default cables gw and resolved ip of the l2tp/pptp server to add the static route so the l2tp/pptp tunnel still goes to the cables GW and the rest of the traffic flows through the ppp0 tunnel interface

example:

I got from the cables a DHCP address of: 172.16.200.100 gw: 172.16.200.1 DNS: 192.168.101.101 (yes dns is private IP)
I resolve l2tp.bezeq.net to: 208.73.210.29
I route add 208.73.210.29/32 to (cables) gw 172.16.200.1
I open l2tp tunnel to: 208.73.210.29
on successful connection I add default gw to ppp0 interface (if not pushed from the tunnel, usually in configuration option on the l2tp client if dgw accepted), I should have also gotten the ISPs DNS servers from the tunnel.

Hope this helps, please let me know if more information is needed.
I would love to see it works on pfsense.

eri-- · Mar 13, 2011, 8:52 PM

I created this to follow and not loose the description http://redmine.pfsense.org/issues/1349.

Loke · Mar 13, 2011, 9:31 PM

Need L2TP on WAN interface badly as well. So many changes in 2.0 and still no L2TP and still no DHCP+PPPoE/PPTP/L2TP. I don't understand why. Why so many useless crap added and no badly needed by so many people features…

Ozzik · Mar 13, 2011, 10:20 PM

Why so many useless crap added and no badly needed by so many people features…

hey, come on man, don't say that. These guys work really hard and are not asking for a penny in return. You should be grateful.
Plus, don't forget that if you don't need some feature (or 10 of them) - doesn't mean nobody does, after all - these were all requested things.

This situation with the PPTP/L2TP dialer really sucks, but as I understood from one of the devs - they don't want to break a bunch of already working stuff just to implement this feature. But now that we have a better explanation (thanks, sevet) of this process, maybe it will be easier to work out. Or like I said before, maybe it would be easier to implement as a package, so that we don't have have to wait for the next version.