Split Tunnel with L2TP over IPSec in pfSense

  • Banned


    I configured L2TP over IPSec in pfSense and was able to connect from a macOS built-in L2TP over IPSec Client to pfSense. However, only traffic to "Server address" specified in pfSense in VPN / L2TP / Configuration gets inside the L2TP over IPSec tunnel; hence I can only ping that "Server address". The reason for this is that once the L2TP over IPSec tunnel connection is established from macOS, the only specific route that is installed in the macOS routing table that points out of the ppp0 interface is the route to the "Server address". There's also the default route that's installed in the macOS routing table that points out of the ppp0 interface, but that default route is listed second in the routing table. The first default route listed in the macOS routing table points to the active network interface configured in macOS. Because of the way routing is done in macOS, only the first default route is used when the interface that it points out of is active.

    In order to be able to send traffic from the macOS host connected to pfSense via the L2TP over IPSec tunnel to any host located off pfSense LAN interface (or to the IP of the pfSense LAN interface itself), I had to select the "Send all traffic over VPN connection" check box in the macOS L2TP over IPSec client. This results in the default route pointing out of the ppp0 interface in the macOS routing table being placed first on the list of default routes, and therefore, all traffic is routed across the VPN connection. This, however, results in the phenomenon that macOS-generated traffic that is bound to the Internet has to first arrive in pfSense, be decapsulated from IPSec and then from L2TP, and only then be routed out of the pfSense WAN interface to the Internet.

    So, is there a way to configure in pfSense specific subnets to which traffic should be routed by the L2TP over IPSec client into the tunnel, so that routes to these subnets are installed in the macOS routing table to point out of the ppp0 interface and so that traffic to all other networks is routed by macOS outside of the L2TP tunnel – directly out of the macOS active network interface unencrypted and unencapsulated?

    Thank you.

  • Rebel Alliance Developer Netgate

    No, there is no mechanism in L2TP for this – it's 100% up to the client. You can probably script some routing to happen on connect on the client side, but the firewall (or any L2TP server) can't send routes.
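
One way to script the client-side routing mentioned in the reply above, as an added example that is not part of either post: a `/etc/ppp/ip-up` hook, which macOS's pppd runs once the PPP link is up, with "Send all traffic over VPN connection" left unchecked. The subnets in `SPLIT_SUBNETS` are assumed placeholders for the networks behind the pfSense LAN interface, and the function names are hypothetical.

```shell
#!/bin/sh
# /etc/ppp/ip-up (constructed example): pppd runs this after the PPP link is up.
# Standard pppd arguments: $1=interface $2=tty $3=speed $4=local IP $5=remote IP

# Assumed subnets behind the pfSense LAN; replace with your own.
SPLIT_SUBNETS="192.168.1.0/24 10.10.0.0/16"

# Return 0 only for a well-formed IPv4 CIDR with prefix length 1-32.
# /0 is rejected on purpose: it would act as a default route and turn the
# split tunnel back into a full tunnel.
valid_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" present
    case "$len" in ''|*[!0-9]*) return 1;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one macOS route(8) command per valid subnet; report and skip bad ones.
route_commands() {
    iface=$1; shift
    for net in "$@"; do
        if valid_cidr "$net"; then
            echo "/sbin/route -n add -net $net -interface $iface"
        else
            echo "skipping invalid subnet: $net" >&2
        fi
    done
}

# Only act when pppd invoked us for a PPP interface (the L2TP link is pppN).
case "${1:-}" in
    ppp*)
        route_commands "$1" $SPLIT_SUBNETS | while read -r cmd; do
            $cmd || logger -t ip-up "failed: $cmd"
        done
        ;;
esac
```

pppd runs this hook as root, so the file should be owned by root, executable, and not writable by any other user. The routes disappear with the ppp interface when the tunnel goes down.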