PPTP/L2TP on interfaces

Loke

@ermal:

Ask your huge management to give you time on this or the money needed.
Otherwise the answer is when its done.

I'm fully understand this.:)
Besides i need this for my own purposes, not for company. So why should they. ;D

@gnhb:

I'll take another look at this soon. I think 2.0 is feature frozen so if I get something useful going it will be in a different repository.

Ermal, any possibility to still put this in 2.0?

Actually it's not necessary to put this in 2.0. It would be great to make this feature to be available through package in 2.0 and include this in main repository in later versions. ;)

As for empty field with local IP, it's not necessary for mpd to work, but GUI claims it's missing local IP when you trying to apply changes. At least in case of PPTP (there is no L2TP on WAN). Local IP is useless in our case because internet providers provides IP (and other conf) to us by DHCP. And it appears to be confusing to many people because of all this. :)
Btw what ver of mpd uses pfSense 2.0 RC-1 at this moment? As far as i understand it's mpd5. Am i right?

eri--

Well for l2tp the changes should not be many intrusive.
If someone prepares a diff i will see how intrusive it is before release.

Loke

Ok. We all understand that we getting pfSense completely free of charge. But guys already made and will make in future a huge work. Any work should be paid in a particular way. And if we need some unplanned by developers features we could say "thank you" for those features and we can do this even before this feature implemented.
Few posts ago i wrote about "Vote" button on ticket's page. What if this votes will reflect not only number of people who need asked feature, but also who ready to support pfSense project with some amount of $. So there can be placed "Thank you" button. Pressing this button on feature ticket page we providing support for the project and developers got our gratitude for their work.
I suppose many people need discussed here feature (PPTP/L2TP on interfaces). So why not say "thank you" together. In this way we are not buying features but supporting their implementation. And this not mean developers owe this feature to us, no. This only make them more interested in particular feature to be done.
Do you love pfSense, do you want it became even more great? Spare few coins on the project. No fixed amount. As much as you can. I think guys deserve that much at least for their work.
I think this can make things in this project better. And make it grow faster.

P.S. Don't throw tomatoes in me and sorry for my english.

Loke

I've managed to make L2TP on WAN work.
Changes are similar to Micky's, but much easier. So what i've done:
In /etc/inc/interfaces.inc
after line 1175 added next:

	else if ($ppp['type'] == "pptp")
		$type = "l2tp";

so now we got:

	if ($ppp['type'] == "ppp")
		$type = "modem";
	else if ($ppp['type'] == "pptp")
		$type = "l2tp";
	else
		$type = $ppp['type'];

in line 1494 (was 1492 in orig) replacing this:

		if ($type == "pptp" || $type == "l2tp") {
			$mpdconf .= << <eod<br>set pptp self {$localips[$pid]}
	set pptp peer {$gateways[$pid]}
	set pptp disable windowing

EOD;</eod<br>

with this:

		if ($type == "pptp") {
			$mpdconf .= << <eod<br>set pptp peer {$gateways[$pid]}
	set pptp disable windowing

EOD;
		}

		if ($type == "l2tp") {
			$mpdconf .= << <eod<br>set l2tp peer {$gateways[$pid]}

EOD;
		}</eod<br></eod<br>

What we have now is instead of PPTP we got L2TP.
I know it's a silly way, but it works. On interfaces page is still looks like it's PPTP, but really it's L2TP.
After two simple changes /var/etc/mpd_wan.conf looks this way:

startup:
	# configure the console
	set console close
	# configure the web server
	set web close

default:
pptpclient:
	create bundle static wan
	set iface name pptp0
	set iface route default
	set iface disable on-demand
	set iface idle 0
	set iface enable tcpmssfix
	set iface up-script /usr/local/sbin/ppp-linkup
	set iface down-script /usr/local/sbin/ppp-linkdown
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	set ipcp enable req-pri-dns
	set ipcp enable req-sec-dns
	#log -bund -ccp -chat -iface -ipcp -lcp -link

	create link static wan_link0 l2tp
	set link action bundle wan
	set link disable multilink
	set link keep-alive 10 60
	set link max-redial 0
	set link disable chap pap
	set link accept chap pap eap
	set link disable incoming
	set link mtu 1492
	set auth authname "your login"
	set auth password your pass
	set l2tp peer 10.0.0.28
	open

After those few changes all you need is:
1. Assign WAN as PPTP and fill in all required fields. Local IP also need to be filled because frontend will not allow you apply changes without it.
2. Enter the shell via SSH (or use "Command Promt" in "Diagnostics") and delete one of assigned to physical WAN interface aliases.
To do this you need to say in shell: ifconfig "your physical interface" delete "Local IP" (one you've assigned in step1) or reboot your firewall (1st way is more reasonable IMHO).
3. Assign your physical interface as OPT so you can see it's configuration (optional).

All those simple changes gives us DHCP+L2TP on WAN. To make this work in normal way more changes need to be done.
Iv'e done most of needed changes to add L2TP not just replace PPTP. Will share after final tests.

Loke

Ok. Now all changes are tested with positive results. :)
For now i'll attach few screens for demonstration. Diffs i'll post later.
This how /var/etc/mpd_wan.conf looks now:

startup:
	# configure the console
	set console close
	# configure the web server
	set web close

default:
l2tpclient:
	create bundle static wan
	set iface name l2tp0
	set iface route default
	set iface disable on-demand
	set iface idle 0
	set iface enable tcpmssfix
	set iface up-script /usr/local/sbin/ppp-linkup
	set iface down-script /usr/local/sbin/ppp-linkdown
	set ipcp ranges 0.0.0.0/0 0.0.0.0/0
	set ipcp enable req-pri-dns
	set ipcp enable req-sec-dns
	#log -bund -ccp -chat -iface -ipcp -lcp -link

	create link static wan_link0 l2tp
	set link action bundle wan
	set link disable multilink
	set link keep-alive 10 60
	set link max-redial 0
	set link disable chap pap
	set link accept chap pap eap
	set link disable incoming
	set link mtu 1492
	set auth authname "your_login"
	set auth password your_pass
	set l2tp peer 10.0.0.28
	open

Everything seems to work fine except l2tp auto-connect on restart. But for pptp everything works fine. I suppose in some place few lines for l2tp missing ::)

Loke

God damn! It's already done in last build (with little differences comparing to my changes) with same issue i got ;D No auto-connect after reboot.
Problem definitely related to local IP. If you don't fill this field connection is not going up after reboot.

gnhb

@Loke => There is already a L2TP configuration option in Interfaces(assign)=>PPPs=>Add/Edit PPP page. You don't need to re-invent. :)

Okay guys, I committed some fixes to the GUI code today. There is now a "Connect/Disconnect" button in Status=>Interfaces Page for L2TP links.

Also, you can configure L2TP client from the WAN (or OPTx) pages in the Interfaces menu now (interfaces.php).

I have (I think) working DHCP+L2TP/PPTP code in my repository. (I think only because I don't have an L2TP remote endpoint.)

I followed mickey's lead and forced the L2TP/PPTP link down if the DCHP lease is Released (or any time the DHCP interface is brought down by pfSense.) Is this desired behavior? I assume so.

PM me with your email address and I'll send you new /etc/inc/interfaces.inc and /etc/rc.newwanip files you can put on your box for testing.

If you guys test it out and it's solid I can ask the lead devs if it's okay to add it into 2.0.

Please watch out for what happens when the DHCP lease is renewed. I hope it doesn't kill and reload the L2TP/PPTP link, but please check for that.

If you're savvy with git-sync in pfSense developer shell, the you can git-sync to my repository here:
http://gitweb.pfsense.org/pfsense/gnhb-clone.git

Follow instructions here for git-sync but use this URL above:
http://iserv.nl/files/pfsense/ipv6/

Let me know what happens

GB

Loke

The problem we have now is L2TP not connecting on reboot if "local IP" field left empty. Also in /etc/inc/interfaces.inc strings set {$type} self {$localips[$pid]} and set {$type} disable windowing are unnecessary for L2TP and local IP is really not necessary at all.
So i suggest this way:

		if ($type == "pptp") {
			$mpdconf .= << <eod<br>set pptp peer {$gateways[$pid]}
	set pptp disable windowing

EOD;
		}

		if ($type == "l2tp") {
			$mpdconf .= << <eod<br>set l2tp peer {$gateways[$pid]}

EOD;
		}</eod<br></eod<br> 

And suggest to remove "Local IP" from configuration page like i did in my version. The only problem is at boot time something apparently needs this single string in config.xml:

<localip>0.0.0.0</localip>

And yes, it can be anything there, even 0.0.0.0

gnhb

To test the code in my repo, set up your DHCP interface (for example on OPT1) and select the "Enable DHCP+" checkbox.

Set up your L2TP interface using the Interfaces(assign) menue => PPPs tab => Add (+) button.
Select OPT1 for your Link Interface on that page. You must select OPT1 if you set up OPT1 as the DCHP+ interface.

Leave Local IP field empty.
Add your ISP's host name in Remote IP field.
Add other info you need and Save.

Then go assign that L2TP link to your WAN interface and Save.

Go to Status => Interfaces and check link status.
Go to Diagnostics => Routes and check that the static route to the DHCP gateway is added and also deleted when the L2TP link comes up and then is down again.

GB

@Loke => Some users may need the Local IP field so it will stay. mpd5 just ignores the windowing command for L2TP. We might take it out in the future.
RE: reboot issue. I have no knowledge of your configuration or your ISP setup. Are you trying to use DCHP+L2TP or just plain L2TP? I can't say anything about your reboot issue. Did you already post your config? I haven't seen it.

eri--

Loke, than just put 0.0.0.0 at local ip and be done with it.

Loke

@ermal:

Loke, than just put 0.0.0.0 at local ip and be done with it.

Actually i did this :).
gnhb, no matter need you local ip or not it must be field or there will be connect to L2TP server on startup. And i've made the same changes you did with some small diff in interfaces.php and it works the same way.

eri--

Loke,

if it does not startup at boot you better provide logs.

Loke

@ermal:

Loke,

if it does not startup at boot you better provide logs.

The funny thing is there is no errors related to this in logs. Everything seems to be fine, just it's not even trying to connect when there is no localip in config.xml
And i didn't found any dependence on this string except set {$type} self {$localips[$pid]} in interfaces.inc. But this problem is not related to this for sure.

roi

I am planing to setup a new machine this weekend just for testing this feature.
If there is any thing you'd like me to do-to-it-in-it

eri--

I just pushed the fix to allow empty localip.

gnhb

I just merged Ermal's changes into my repository and added some minor changes to bringing L2TP/PPTP interfaces up and down manually from Status=>Interfaces page.

Is anyone testing ???
Post feedback!

Thanks,
GB

Ozzik

Hi gnhb,
I sent you a pm asking for those files you mentioned.

thanks.

Ozzik

ok, testing it now. this is what happens:
installed new pfsense 23.3.11 snapshot, cloned gnhb's git and followed his instructions.

regular dhcp on WAN: works as usual (gets the cable network pool IP 172.x.x.x)
checked the dhcp+pptp or dhcp+l2tp on WAN interface, applied.
went to PPPs tab, selected the pptp, the physical WAN interface, typed user/pass, and since I couldn't remember the hostname of the ISP's pptp server - went with the IP. Left the local IP blank. Saved and went back to interface assignment and replaced the physical interface on WAN with the now created pptp. Saved.

It gave me an error at the upper side of the page, but couldn't read it as it was overlayed by the menu(but it did contain the interfaces file in it).
On interfaces status page the WAN connection was down, but had a "connect" button. After pressing that some sort of connection appeared although it was all zeros. On refresh it went back down.

Below are the logs.
In addition to that I decided to relive this experiment, so I changed the WAN back to the regular DHCP, but couldn't get a regular IP, so I rebooted the pfsense. To my surprise it came on asking to define the interfaces on the console(like it was a new setup), but after defining only the WAN it came up remembering the LAN address. Kind of weird.

Anyway, doing this all over again gave me the same results.
Changing PPTP to L2TP did the same.

Any ideas?

Log:
Mar 24 11:53:03 php: /interfaces.php: Creating rrd update script
Mar 24 11:53:03 apinger: No usable targets found, exiting
Mar 24 11:53:03 apinger: Starting Alarm Pinger, apinger(14804)
Mar 24 11:53:03 check_reload_status: reloading filter
Mar 24 11:53:02 apinger: Exiting on signal 15.
Mar 24 11:53:00 dnsmasq[12671]: read /etc/hosts - 2 addresses
Mar 24 11:53:00 check_reload_status: updating dyndns wan
Mar 24 11:53:00 dnsmasq[12671]: using nameserver 192.168.101.101#53
Mar 24 11:53:00 dnsmasq[12671]: using nameserver 192.168.101.102#53
Mar 24 11:53:00 dnsmasq[12671]: reading /etc/resolv.conf
Mar 24 11:53:00 dnsmasq[12671]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Mar 24 11:53:00 dnsmasq[12671]: started, version 2.55 cachesize 10000
Mar 24 11:52:59 dnsmasq[37582]: exiting on receipt of SIGTERM
Mar 24 11:52:59 kernel: ng0: changing name to 'pptp0'
Mar 24 11:52:57 php: /interfaces.php: wan: pptp link warning. Can't get gateway ip address for fxp0. No host route added for .
Mar 24 11:52:57 php: /interfaces.php: The command 'route -q delete -host 212.143.205.253' returned exit code '1', the output was 'route: writing to routing socket: No such process'
Mar 24 11:52:57 php: /interfaces.php: wan: pptp link configuration warning. No ip address configured on fxp0. Using 0.0.0.0 ip!
Mar 24 11:52:54 check_reload_status: syncing firewall
Mar 24 11:43:42 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s.
Mar 24 11:42:44 kernel: ng0: changing name to 'pptp0'
Mar 24 11:42:42 php: /status_interfaces.php: wan: pptp link warning. Can't get gateway ip address for fxp0. No host route added for .
Mar 24 11:42:42 php: /status_interfaces.php: The command 'route -q delete -host 212.143.205.253' returned exit code '1', the output was 'route: writing to routing socket: No such process'
Mar 24 11:42:42 php: /status_interfaces.php: wan: pptp link configuration warning. No ip address configured on fxp0. Using 0.0.0.0 ip!
Mar 24 11:42:42 apinger: Error while feeding rrdtool: Broken pipe
Mar 24 11:42:18 php: /interfaces_assign.php: Creating rrd update script
Mar 24 11:42:18 check_reload_status: syncing firewall
Mar 24 11:42:18 dnsmasq[37582]: read /etc/hosts - 2 addresses
Mar 24 11:42:18 check_reload_status: updating dyndns wan
Mar 24 11:42:18 dnsmasq[37582]: using nameserver 192.168.101.101#53
Mar 24 11:42:18 dnsmasq[37582]: using nameserver 192.168.101.102#53
Mar 24 11:42:18 dnsmasq[37582]: reading /etc/resolv.conf
Mar 24 11:42:18 dnsmasq[37582]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Mar 24 11:42:18 dnsmasq[37582]: started, version 2.55 cachesize 10000
Mar 24 11:42:17 dnsmasq[33305]: exiting on receipt of SIGTERM
Mar 24 11:42:15 kernel: ng0: changing name to 'pptp0'
Mar 24 11:42:14 php: /interfaces_assign.php: wan: pptp link warning. Can't get gateway ip address for fxp0. No host route added for .
Mar 24 11:42:14 php: /interfaces_assign.php: The command 'route -q delete -host 212.143.205.253' returned exit code '1', the output was 'route: writing to routing socket: No such process'
Mar 24 11:42:14 php: /interfaces_assign.php: interfaces: bringing down interfaces dependent on: wan
Mar 24 11:42:13 dhclient[14456]: exiting.
Mar 24 11:42:13 dhclient[14456]: exiting.
Mar 24 11:42:13 dhclient[14456]: connection closed
Mar 24 11:42:13 dhclient[14456]: connection closed
Mar 24 11:42:05 check_reload_status: syncing firewall
Mar 24 11:42:03 check_reload_status: reloading filter
Mar 24 11:41:53 apinger: ALARM: WAN(172.24.64.1) *** down ***
Mar 24 11:41:42 php: /interfaces.php: Creating rrd update script
Mar 24 11:41:42 apinger: Starting Alarm Pinger, apinger(34719)
Mar 24 11:41:42 check_reload_status: reloading filter
Mar 24 11:41:41 apinger: Exiting on signal 15.
Mar 24 11:41:39 check_reload_status: updating dyndns wan
Mar 24 11:41:39 dnsmasq[33305]: read /etc/hosts - 2 addresses
Mar 24 11:41:39 dnsmasq[33305]: using nameserver 192.168.101.101#53
Mar 24 11:41:39 dnsmasq[33305]: using nameserver 192.168.101.102#53
Mar 24 11:41:39 dnsmasq[33305]: reading /etc/resolv.conf
Mar 24 11:41:39 dnsmasq[33305]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Mar 24 11:41:39 dnsmasq[33305]: started, version 2.55 cachesize 10000
Mar 24 11:41:38 dnsmasq[43468]: exiting on receipt of SIGTERM
Mar 24 11:41:38 dnsmasq[43468]: using nameserver 192.168.101.101#53
Mar 24 11:41:38 dnsmasq[43468]: using nameserver 192.168.101.102#53
Mar 24 11:41:38 dnsmasq[43468]: reading /etc/resolv.conf
Mar 24 11:41:37 php: : interfaces: reloading interfaces dependent on: wan
Mar 24 11:41:37 apinger: Starting Alarm Pinger, apinger(25236)
Mar 24 11:41:37 check_reload_status: reloading filter
Mar 24 11:41:36 apinger: Exiting on signal 15.
Mar 24 11:41:36 php: : ROUTING: change default route to 172.24.64.1
Mar 24 11:41:36 php: /interfaces.php: ROUTING: change default route to 172.24.64.1
Mar 24 11:41:36 php: : rc.newwanip: on (IP address: 172.24.64.217) (interface: wan) (real interface: fxp0).
Mar 24 11:41:35 php: : rc.newwanip: Informational is starting fxp0.
Mar 24 11:41:35 dhclient[14419]: bound to 172.24.64.217 – renewal in 1752 seconds.
Mar 24 11:41:35 check_reload_status: rc.newwanip starting fxp0
Mar 24 11:41:35 dhclient: Creating resolv.conf
Mar 24 11:41:35 dhclient: /sbin/route add default 172.24.64.1
Mar 24 11:41:35 dhclient: Adding new routes to interface: fxp0
Mar 24 11:41:35 dhclient: New Routers (fxp0): 172.24.64.1
Mar 24 11:41:35 dhclient: New Broadcast Address (fxp0): 255.255.255.255
Mar 24 11:41:35 dhclient: New Subnet Mask (fxp0): 255.255.224.0
Mar 24 11:41:35 dhclient: New IP Address (fxp0): 172.24.64.217
Mar 24 11:41:35 dhclient: ifconfig fxp0 inet 172.24.64.217 netmask 255.255.224.0 broadcast 255.255.255.255
Mar 24 11:41:35 dhclient: Starting add_new_address()
Mar 24 11:41:35 dhclient: REBOOT
Mar 24 11:41:35 dhclient[14419]: DHCPACK from 10.175.192.1
Mar 24 11:41:35 dhclient[14419]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Mar 24 11:41:35 dhclient: PREINIT
Mar 24 11:41:35 php: /interfaces.php: interfaces: bringing down interfaces dependent on: wan
Mar 24 11:41:34 php: /interfaces.php: The command '/bin/kill 12928' returned exit code '1', the output was 'kill: 12928: No such process'
Mar 24 11:41:34 dhclient[7500]: exiting.
Mar 24 11:41:34 dhclient[7500]: exiting.
Mar 24 11:41:34 dhclient[7500]: connection closed
Mar 24 11:41:34 dhclient[7500]: connection closed
Mar 24 11:41:34 dhclient: FAIL
Mar 24 11:41:24 check_reload_status: syncing firewall
Mar 24 11:41:02 apinger: Error while feeding rrdtool: Broken pipe
Mar 24 11:40:22 check_reload_status: reloading filter
Mar 24 11:40:12 check_reload_status: reloading filter
Mar 24 11:40:12 apinger: ALARM: WAN(172.24.64.1) *** down ***
Mar 24 11:40:11 sshlockout[15621]: sshlockout/webConfigurator v3.0 starting up
Mar 24 11:40:11 login: login on ttyv0 as root
Mar 24 11:40:10 php: : IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Mar 24 11:40:10 php: : Resyncing configuration for all packages.
Mar 24 11:40:09 php: : Creating rrd update script
Mar 24 11:40:07 php: : Resyncing OpenVPN instances for interface WAN.
Mar 24 11:40:04 dnsmasq[43468]: read /etc/hosts - 2 addresses
Mar 24 11:40:04 dnsmasq[43468]: using nameserver 192.168.101.101#53
Mar 24 11:40:04 dnsmasq[43468]: using nameserver 192.168.101.102#53
Mar 24 11:40:04 check_reload_status: updating all dyndns
Mar 24 11:40:04 dnsmasq[43468]: reading /etc/resolv.conf
Mar 24 11:40:04 dnsmasq[43468]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Mar 24 11:40:04 dnsmasq[43468]: started, version 2.55 cachesize 10000
Mar 24 11:40:04 php: : ROUTING: change default route to 172.24.64.1
Mar 24 11:40:02 apinger: Starting Alarm Pinger, apinger(26066)
Mar 24 11:40:02 check_reload_status: reloading filter
Mar 24 11:40:01 php: : ROUTING: change default route to 172.24.64.1
Mar 24 11:40:01 php: : rc.newwanip: on (IP address: 172.24.64.217) (interface: wan) (real interface: fxp0).
Mar 24 11:40:01 php: : rc.newwanip: Informational is starting fxp0.
Mar 24 11:40:00 kernel: pflog0: promiscuous mode enabled

Ozzik

And this is what happens if I type in the ISP's pptp server hostname:

Mar 24 12:06:18 php: /status_interfaces.php: wan: pptp link configuration failed. No ip address found for cable.netvision.net.il.
Mar 24 12:06:18 php: /status_interfaces.php: wan: pptp link configuration warning. No ip address configured on fxp0. Using 0.0.0.0 ip!
Mar 24 12:06:05 check_reload_status: syncing firewall

gnhb

@Ozzik => Yes I can see what is happening. You must select "the OPTx" interface and not the physical interface as your "Link Interface" when you set up the PPTP connection.

GB