PPTP/L2TP on interfaces

roi

Using the hardware above I triad to connect today.

2.0-RC1 (i386) built on Fri Apr 1 12:38:39 EDT 2011
First I set WAN to DHCP, assighen to interface sk0.
Got IP: 172.19.180.19, Gateway 172.19.176.1, Subnet mask 255.255.248.0
Got DNS server(s) : 192.168.101.101 & 192.168.101.102
Triad Ping : hot.bezeqint.net
PING l2tp.i014.net (212.25.127.14) from 172.19.180.19: 56 data bytes
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.448/13.610/17.584/2.969 ms

Until here it's OK.

Interfaces >> assign >> PPPs >>
Created a new L2TP link.
Interface is set to sk0 (wan) and gageway "hot.bezeqint.com

Interfaces >> assign >>
create a new interface (opt1) with l2tp0 as the Network port.

chenged l2tp0's interface to opt1.

swaped opt1 & wan.

Nothing. it will not connect.
Am I doing something wrong ?

Ozzik

@roi: yes.
Here's how you do it:

1. After installing pfSense connect by SSH or from the console choose 12) pfSense Developer Shell.
Type: playback gitsync. After it finishes installing all the needed packages type http://gitweb.pfsense.org/pfsense/gnhb-clone.git and answer yes to all questions or just press enter. Reboot.
After that you may also want to go to System->Firmware and add this link permanently (this section will be shown only after the first gitsync and reboot). This way it will sync after every upgrade.

2. Assuming you only have WAN and LAN and WAN is connected directly to the modem, go to Interfaces->WAN and set it to DHCP. In a lower section you'll see another checkbox "Enable DHCP+L2TP or DHCP+PPTP." You'll only see it after the gitsync. Check it. Save. Apply.

3. Go to Interfaces->(assign). Choose PPPs tab and add new. Choose L2TP, then in "Link interface(s)" choose WAN, not your physical WAN, but just WAN. Type in your username/password and the ISP's VPN server (in this case hot.bezeqint.net). Leave the "Local IP" empty. Save.

4. Go to Interfaces->(assign) again and add a new interface (OPT1). Assign the newly created L2TP to it and save.
Go to Interfaces->OPT1 and enable it. Save.

Time to check.

5. If you want the L2TP to connect automatically after reboot you have to make sure that the DHCP interface (WAN in this case) is initiated before the L2TP interface (OPT1 in this case), i.e WAN->LAN->OPT1->OPT2 and so on. It usually takes 10-30 sec for the L2TP to connect after the reboot, but it does so automatically.

6. If for some reason you see L2TP connected, but the only thing you can ping is your ISP's VPN server - you have the default route wrong. Go to System->Routes and set the right route (public IP, not the 172.x.x.x) to default.

Hope it helps.

xbipin

is the below possible

vr1 - WAN (connects using pppoe for internet)

is it possible to use pppoe on vr1 and then use pptp to connect to remote pptp server using the internet after the pppoe is connected?

eri--

xbipin,

if you create the pptp as an OPTx interface it will try connecting until it can. But really it cannot be supported on 2.0.
I have plans for such things on 2.1 but will see.

Ozzik

ermal, so will it be too much asking to include this in the release?

rcfa

@Ozzik:

@roi: yes.
Here's how you do it:

1. After installing pfSense connect by SSH or from the console choose 12) pfSense Developer Shell.
Type: playback gitsync. After it finishes installing all the needed packages type http://gitweb.pfsense.org/pfsense/gnhb-clone.git and answer yes to all questions or just press enter. Reboot.
After that you may also want to go to System->Firmware and add this link permanently (this section will be shown only after the first gitsync and reboot). This way it will sync after every upgrade.

How does this interfere with regular updates, e.g. the nightly builds, etc.?
If I follow these instructions, will I end up on a forked path, or remain on the regular releases just with some extra stuff installed, akin to installing an optional package?

Thanks!

Ozzik

Good question.

xbipin

@ermal:

xbipin,

if you create the pptp as an OPTx interface it will try connecting until it can. But really it cannot be supported on 2.0.
I have plans for such things on 2.1 but will see.

after playing a lot by creating opt1 interfaces etc i figured it wouldnt be possible but like u said by creating an opt1 interface, i tried that but it never worked nor any log generated at all so i was thinking it might be broken.

would it be possible to do this in 2.0 if ppl contributed for it as a bounty

eri--

I think it IS too late for 2.0.
But really is not hard because now you can update the firmware images and checkout a branch of your will directly from GUI.
Look at Updater-Settings under system->Firmware

So you have to wait for this since really there need to be something under the hood to better support this than its done now.

Loke

@Ozzik:

gnhb, ermal, sevet, Micky, Loke - you're the best!

It works great now. The only two questions I have left are:
1. Will these changes make it into 2.0 release? or will we have to manually make the changes?
2. It seems that from our ISP's point of view - there's no need for PPTP if you can do L2TP. But I can't speak for others. I think that in Russia they still need that option. Maybe it would be a good idea to try and find out why it keeps on disconnecting every few seconds?

Thanks a lot!

Ozzik, it's already included in the last builds. But you noticed this right? :) So no changes needed for DHCP+L2TP to work. The only thing need to be done is make possible to set hostname (not IP) as L2TP server. As for PPTP, it's not very popular now. In Russian/Ukraine the biggest provider is Beeline. They use L2TP instead of PPTP now in almost all areas they cover. Yes, it's still needed by some people, but speed and stability of PPTP is really bad (reason they use L2TP now). If i'd had possibility to connect to my provider by PPTP i'd try to see what's the problem, but i don't and i have no free hardware to set-up my own PPTP test server now. I hope left problems will be eliminated in final build, but i'm very happy because this feature already included so i don't need to merge it manually in every new build. ;D

This will not be excluded from the final 2.0 right? ;D

Ozzik

Loke, are you sure? Do you see a checkbox "Enable DHCP+L2TP or DHCP+PPTP."?
Besides, the ability to enter the ISP's hostname instead of the IP is a big deal.

Loke

@Ozzik:

Loke, are you sure? Do you see a checkbox "Enable DHCP+L2TP or DHCP+PPTP."?
Besides, the ability to enter the ISP's hostname instead of the IP is a big deal.

You don't need a checkbox "Enable DHCP+L2TP or DHCP+PPTP." to really use this feature, but if you want it, you can uncomment few lines in intefaces.php
You just need to set your WAN interface as L2TP and that's all. If you want to see both interfaces (L2TP and DHCP) you just need to add OPT interface and set it up like DHCP.
It will look like this.

zetlaw

Hi Guyz im from israel using pfsense for few years now.
at the last month i started using pfsense in in my work for a router to my servers.
i connected using HOT and bezeqint in L2TP connection i did the instruction on that thread which created OPT1 Interface (L2TP) and WAN (what i recive from the modem) internet in working and default routing is configured to OPT1  but i have 1 problem that i cannot define Inbound NAT i have an exchange server on 192.168.230.1 and my LAN port is set to 192.168.230.5  in Nat : Port forwording like the picture.
and cant seems to open that port from outside computer i cant get to one of the opened ports
in the picture you see exchange (that an alias to 192.168.230.1) and mailServer it's and alias for (25,80,443,51)

i hope someone can try helping me to solve it.
thanks

Ozzik

did u check the firewall rule?

zetlaw

@Ozzik:

did u check the firewall rule?

what should be on a firewall rule ?
the NAT automaticlly Create a Firewall rule

Ozzik

well, then I guess it's fine (it should allow from any to Exchange on any port -TCP/UDP) on OPT1 interface.
what's with the LAN port? Do u mean the LAN interface?

zetlaw

@Ozzik:

well, then I guess it's fine (it should allow from any to Exchange on any port -TCP/UDP) on OPT1 interface.
what's with the LAN port? Do u mean the LAN interface?

Yea i mean lan interface

Ozzik

so how come you're accessing web gui through 230.7?

zetlaw

firewall rules SS

zetlaw

@Ozzik:

so how come you're accessing web gui through 230.7?

funny me :-)
iwas wrong im on 230.7 :-)

230.5 is connected using the same MODEM but in dial up gets a different IP

because i want the exchange to use different external IP than the office computers