Netgate Discussion Forum

PPTP/L2TP on interfaces

2.0-RC Snapshot Feedback and Problems - RETIRED
elade
last edited by Sep 26, 2010, 7:57 AM

@Ozzik:

    pfSense has to support so many network topologies that we need to make sure it's done in a clean and maintainable way

No argument here.

    See here for example: http://redmine.pfsense.org/issues/838 (This is one small issue that needed to be cleared up before we can possibly support your network/ISP configuration.)

It seems like this issue is resolved, isn't it?

Anyway, just wanted to make sure this problem is being worked on and whether I can start testing it.
Thanks.

Hi all,
is there any news regarding this issue?
Ozzik
last edited by Nov 7, 2010, 7:40 PM

Guys, is there any update on this?
roi
last edited by Nov 7, 2010, 9:47 PM

I tried again several snaps ago and it was not working. :'(

Version 2.0-BETA4 (i386)
AMD Athlon™ XP 2000+
Guldil
last edited by Feb 25, 2011, 5:15 PM

For info, in France we have an ISP with the same problem:
Numericable, with DHCP for classic clients.
For a fixed IP, they use an L2TP tunnel on WAN.
gnhb
last edited by Feb 26, 2011, 9:58 AM

Does the DHCP server give you a public IP address?
GB
Ozzik
last edited by Feb 26, 2011, 10:19 AM

Hi,
so as I understand, this whole thing will not make it into the 2.0 release?
Will we have to manually do the changes Micky was doing?
Or is it also obsolete due to some changes in the code?

Thanks.
Guldil
last edited by Feb 26, 2011, 12:24 PM

Yes, the default mode is a public IP from DHCP.
And if you want to use the static IP you have to go to L2TP.
Ozzik
last edited by Feb 26, 2011, 12:29 PM

Guldil,
pretty much like us, only it's not very easy to get the ISP to give you a DHCP public IP (you have to fight for that). But most businesses only use static IPs, so it's irrelevant. We need the PPTP/L2TP badly.
Guldil
last edited by Feb 27, 2011, 5:49 PM

It's really annoying for us because we have really good transfer rates:
30Mbps download / 1Mbps upload, and some of us have 100 Mbps download / 5 Mbps upload…

And the really bad part of this: it looks like my current router doesn't have the CPU to handle the L2TP tunnel at 30Mbps... so I don't use my static IP :(
roi
last edited by Feb 28, 2011, 2:04 PM

The way it is set up at the moment is that every ISP "gives" HOT, the cable company, a block of IPs.
Hot knows which client is connected with which ISP using the cable modem's MAC. Using this it assigns the client an IP from the ISP's block and does MPLS routing to the ISP's network. This way, when the MPLS is done, the client already has the correct IP, DNS and any other settings it needs, and all it needs to do is request them using DHCP.

BUT -
If you want a static IP, you can't use MPLS and you need to go back to the old way - L2TP or PPTP. This is the only way the ISP's system can recognize you by the user/pass and "assign" you the correct static IP.

I need a static IP so I need this to work.
At the moment I use another router in the middle, and all it's doing is the L2TP connection.

Version 2.0-BETA4 (i386)
AMD Athlon™ XP 2000+
Ozzik
last edited by Feb 28, 2011, 2:32 PM

Hi roi,
I used to have another router (Level One) too in a work environment for connecting to PPTP; however it's not very practical, since these small $50 pieces of sh#t can't really handle the load of 70-80 users surfing the 3x10Mb lines.
The RRD quality graph would show over 100ms just pinging the router from pfSense, because it was so overloaded.
And of course, buying expensive equipment just for dialing doesn't make sense.

By the way, I don't know if any of you know this, but there's a guy named Evgeny who created a package for doing something very similar, but for version 1.2.3: http://ru.doc.pfsense.org/dhcppptp/dhcppptp_v0.tar.gz
http://forum.pfsense.org/index.php/topic,24734.msg128543.html#msg128543

I couldn't test it, since my firewall is very much in production, but I should warn you that:
a. It's made for Russian ISPs
b. He says it's a total alpha, so no guarantees

But maybe, just maybe, someone can adapt his work and create something similar for 2.0. Maybe it's good that it comes in a package form?
roi
last edited by Feb 28, 2011, 7:32 PM

But do you need a static IP on each of these connections, and are they all with Hot?
Can't you move some of these connections to MPLS and use only one with L2TP/PPTP for a static IP?

Version 2.0-BETA4 (i386)
AMD Athlon™ XP 2000+
Ozzik
last edited by Feb 28, 2011, 9:51 PM

I wish. But we have several server farms (with pfSense of course) and we need to connect to the servers there - I can't change IPs every time the DHCP changes address.
sevet
last edited by Mar 13, 2011, 2:47 PM

This is by far a great FW, with the L2TP/PPTP the only limitation for me.

I had to move to a PPTP/L2TP solution as the ISPs are forcing this by giving crappy service on DHCP-only service.
Currently I installed a virtual Linux with the xl2tp client, so I am doing double NAT on Linux and pfSense.

I'm very experienced in networking; I worked in the engineering of one of the ISPs in Israel.
I will try to make a very detailed general explanation of the process (not specific to how it should look on pfSense):

Setup before the process: l2tp/pptp server (not just an IP, can be a DNS entry of the server), user/password

1.) Router (any router, could be a Windows client) - sends a DHCP request to the cable company (not the ISP).
2.) Router gets a DHCP address from the cable company - usually a private address, but it doesn't matter if it's public.
3.) Router also gets from DHCP a default GW to the cable company and the DNSes of the cable company (not the DNS of the ISPs).
4.) Router performs a DNS query for the l2tp/pptp server IP (the cable company has in their DNS servers all the servers of all the ISPs).
5.) Router should add a static route for the IP it got for the l2tp/pptp server via the default GW of the cable company (as when the tunnel is created the default GW changes to it, and we can then lose the tunnel).
6.) Open the l2tp/pptp tunnel to the IP we got.
7.) Remove the current default GW and change the GW to the tunnel interface (it could be that the default GW is pushed from the l2tp/pptp protocol, so we just use it, but still remove the default GW of the cable company).
8.) DNSes are also pushed from the l2tp/pptp connection.

What I do in Linux scripts is save the resolv.conf of the cables, and also get the default cables GW and the resolved IP of the l2tp/pptp server to add the static route, so the l2tp/pptp tunnel still goes to the cables GW and the rest of the traffic flows through the ppp0 tunnel interface.

Example:

I got from the cables a DHCP address of: 172.16.200.100  gw: 172.16.200.1  DNS: 192.168.101.101 (yes, the DNS is a private IP)
I resolve l2tp.bezeq.net to: 208.73.210.29
I route add 208.73.210.29/32 to (cables) gw 172.16.200.1
I open an l2tp tunnel to: 208.73.210.29
On successful connection I add a default gw on the ppp0 interface (if not pushed from the tunnel; usually there is a configuration option on the l2tp client for whether the dgw is accepted). I should have also gotten the ISP's DNS servers from the tunnel.

Hope this helps, please let me know if more information is needed.
I would love to see it work on pfSense.
eri--
last edited by Mar 13, 2011, 8:52 PM

I created this to follow and not lose the description: http://redmine.pfsense.org/issues/1349.
Loke
last edited by Mar 13, 2011, 9:31 PM

Need L2TP on the WAN interface badly as well. So many changes in 2.0 and still no L2TP, and still no DHCP+PPPoE/PPTP/L2TP. I don't understand why. Why so much useless crap added and no features badly needed by so many people…

You need to be a master of tough voodoo to be a guru.
Ozzik
last edited by Mar 13, 2011, 10:20 PM

    Why so many useless crap added and no badly needed by so many people features…

Hey, come on man, don't say that. These guys work really hard and are not asking for a penny in return. You should be grateful.
Plus, don't forget that if you don't need some feature (or 10 of them) - that doesn't mean nobody does; after all, these were all requested things.

This situation with the PPTP/L2TP dialer really sucks, but as I understood from one of the devs - they don't want to break a bunch of already working stuff just to implement this feature. But now that we have a better explanation (thanks, sevet) of this process, maybe it will be easier to work out. Or like I said before, maybe it would be easier to implement as a package, so that we don't have to wait for the next version.
sevet
last edited by Mar 14, 2011, 8:49 AM

@ermal:

    I created this to follow and not lose the description http://redmine.pfsense.org/issues/1349.

Thanks for adding this ermal :)

Implementing what I wrote will be great; the next step should also be implementing some sort of keep-alive mechanism, as l2tp/pptp connections tend to disconnect sometimes…

Usually the l2tp/pptp dialers (like xl2tp for Linux) have internal mechanisms to redial when the connection is dropped, but that can be problematic in some cases:

Explanation:
The one IP we get by resolving the DNS entry of the l2tp/pptp server is usually a load-balanced IP. Some ISPs use simple DNS load balancing, so when we resolve the example l2tp.bezeq.net we can get more than one IP from the DNS; sometimes the address represents a load balancer (cluster) that holds many servers under it.
The ISPs tend to (not frequently) refresh those IPs, so systems with long uptime using the method I wrote, in which the dialer uses an IP and not a DNS entry, can try to connect to a server which no longer exists.
The problem in using the DNS entry (not the IP) is that we get the IP for the server from the cables DNS and then we move to the ISP DNS; the ISP DNS does hold that entry, but if we lose the connection we won't reach it....

So there are two issues I deal with implementing this on Linux boxes that I connect this way:
1. Detecting the fault
2. Handling the fault

For detection I use a simple ping to the first hop after the tunnel. I put it statically in my scripts; this is not that good, as that IP might change as well. For a production-grade system like pfSense this can be done as a configuration option of what to ping (track IP), or even dynamically, maybe doing a traceroute and taking the first hop (the traceroute can be done to any public IP but not a private one, as it might be blocked by anti-spoofing mechanisms).

To handle the fault I just clear everything: stop the l2tp/pptp daemon, ifdown the DHCP interface (the one connected to the cable modem), then bring the interface back up, get a DHCP address and start the process.

A more complicated way would be to just stop the l2tp/pptp daemon, remove the static route (we have to remember what it was), change back to the DNS of the cables and start the process from step 4.

I will be glad to help in any way if needed.
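An added example, not code from this thread, from pfSense or from xl2tpd, covering both the bring-up steps in sevet's earlier post and the detection and lighter recovery in this one: an offline Python model of the control logic. The resolve, dial and ping actions are passed in as callables with assumed signatures so the sequencing (host route before the default route moves, re-resolving through the saved cable DNS after a drop, replacing a rotated server /32) can be exercised without a network; route entries are kept in a plain dict as a stand-in for the kernel table.

```python
DEFAULT = "0.0.0.0/0"

class L2tpOverDhcp:
    # Side effects are injected so the control logic runs offline (assumed signatures):
    #   resolve(name, dns_servers) -> ip or None
    #   dial(ip) -> (ppp_iface, isp_dns, first_hop) or None
    #   ping(ip) -> bool
    def __init__(self, server_name, resolve, dial, ping, max_failures=3):
        self.server_name, self.max_failures = server_name, max_failures
        self.resolve, self.dial, self.ping = resolve, dial, ping
        self.routes = {}      # prefix -> next hop or iface; stands in for the kernel table
        self.cable_dns = self.active_dns = ()
        self.cable_gw = self.server_ip = self.first_hop = None
        self.failures = 0

    def bring_up(self, gateway, dns):
        """Steps 3-8 after a fresh DHCP lease; keep the cable GW and DNS for recovery."""
        self.cable_gw, self.cable_dns = gateway, tuple(dns)
        self.routes = {DEFAULT: self.cable_gw}
        self.active_dns = self.cable_dns
        return self.connect()

    def connect(self):
        # Step 4: resolve through the cable DNS, never the ISP DNS (unreachable once the
        # tunnel is down). Step 5: pin a /32 to the cable GW before the default changes.
        ip = self.resolve(self.server_name, self.cable_dns)
        if ip is None:
            return False
        if self.server_ip and self.server_ip != ip:
            self.routes.pop(f"{self.server_ip}/32", None)   # ISP rotated the server IP
        self.server_ip = ip
        self.routes[f"{ip}/32"] = self.cable_gw
        result = self.dial(ip)                               # step 6
        if result is None:
            return False
        iface, isp_dns, self.first_hop = result
        self.routes[DEFAULT] = iface                         # step 7: default via the tunnel
        self.active_dns = tuple(isp_dns)                     # step 8: DNS pushed by the tunnel
        self.failures = 0
        return True

    def check(self):
        """Detection: ping the first hop behind the tunnel; recover after max_failures."""
        if self.ping(self.first_hop):
            self.failures = 0
            return "up"
        self.failures += 1
        if self.failures < self.max_failures:
            return "degraded"
        return "recovered" if self.recover() else "down"

    def recover(self):
        """Lighter recovery: keep the lease, restore cable DNS and GW, redo from step 4."""
        self.routes[DEFAULT] = self.cable_gw
        self.active_dns = self.cable_dns
        return self.connect()
```

Wiring the callables to real commands (a resolver bound to the saved cable DNS servers, the l2tp client, and a ping) is what a script on the router would add; the ordering above is the part that is easy to get wrong.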
Loke
last edited by Mar 14, 2011, 4:46 PM

@Ozzik:

    Why so many useless crap added and no badly needed by so many people features…

    hey, come on man, don't say that. These guys work really hard and are not asking for a penny in return. You should be grateful.
    Plus, don't forget that if you don't need some feature (or 10 of them) - doesn't mean nobody does, after all - these were all requested things.

I'm grateful, really. Many thanks to the guys for doing this really hard work. ;) But really. Is it too hard to implement this feature? No, I don't think so. Every crappy cheap router based on Unix has this, m0n0wall has this (a mod really, but not important). What is so hard in this? All this is done with mpd, like PPTP and PPPoE. What's the problem? Damn, pfSense even has an L2TP server, but no client. I see the only reason why it's not there. Only Russia and Israel need this, so who cares, right. :-\ So like you said: if someone doesn't need some feature (L2TP), that doesn't mean nobody (plenty of other people) does. But it's not there. Not in 1.2.3, not even in the 2.0 feature list. I don't really get it. Why???
I love pfSense! It's a really great BSD-based firewall! But such a small and meanwhile so important feature is missing, and this makes me sad. :'( I'm forced to use a cheap router only to maintain dialing, but you can imagine the performance of this connection.

P.S. No offence please, just trying to understand. ;)

You need to be a master of tough voodoo to be a guru.
Loke
last edited by Mar 14, 2011, 4:00 PM

@sevet:

    @ermal:

        I created this to follow and not lose the description http://redmine.pfsense.org/issues/1349.

    Explanation:
    The one IP we get by resolving the DNS entry of the l2tp/pptp server is usually a load-balanced IP. Some ISPs use simple DNS load balancing, so when we resolve the example l2tp.bezeq.net we can get more than one IP from the DNS; sometimes the address represents a load balancer (cluster) that holds many servers under it.
    The ISPs tend to (not frequently) refresh those IPs, so systems with long uptime using the method I wrote, in which the dialer uses an IP and not a DNS entry, can try to connect to a server which no longer exists.
    The problem in using the DNS entry (not the IP) is that we get the IP for the server from the cables DNS and then we move to the ISP DNS; the ISP DNS does hold that entry, but if we lose the connection we won't reach it….

See no problem in this. Can be solved with a script.

IF drop L2TP connect -> reconnect  IF no luck n times -> release WAN DHCP interface -> renew WAN DHCP interface -> connect to somel2tp.something.com

Quite simplified, but you get the point, I hope :)

You need to be a master of tough voodoo to be a guru.