Cannot filter traffic from L2TP clients
Version : 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5
I have an L2TP/IPsec VPN on which I want to restrict traffic from L2TP clients to certain hosts on the LAN.
Before I go into any details, please note that the “Diagnostics / Packet Capture” does NOT allow packet capture from the L2TP interface and that logging actual packets processed in the L2TP tunnel is rather limited as explained here: https://forum.pfsense.org/index.php?topic=119153.0.
If you set up such a VPN properly, you will find that a “pass all” rule in the “Firewall / Rules / L2TP VPN” tab will NEVER register any traffic going through that rule. The “States” column will always read “0/0 B” regardless of how much traffic goes through the tunnel.
In fact, you can successfully operate the tunnel (and NAT to the Internet) without ANY rules in the “Firewall / Rules / L2TP VPN”.
All you need to operate the VPN are two FLOATING rules in the OUT direction for the “L2TP VPN” interface:

| Action | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| Pass&Log | IPv4 * | * | * | * | * | * | none | | Secret Rule |
| Pass&Log | IPv4 TCP | * | * | * | * | * | none | | Redundant Secret Rule |

where both rules have “TCP Flags” set to “any” and “State Type” set to “Sloppy”.
Needless to say, you could prevent returning traffic from going to the L2TP client, but you can’t prevent the L2TP client from reaching anything accessible on the LAN or the WAN.
You can reproduce this setup at will using a simple network structure:
- LAN address 10.10.10.1/24
- L2TP default gateway at 10.10.10.215
- L2TP client subnet: 10.10.10.216/29
- WAN is any static address in my tests.
With this, you can nmap the L2TP gateway at 10.10.10.215 to make sure that the LAN is visible to local and remote hosts. However, the L2TP traffic going INTO the LAN is not filtered by any rule on the LAN tab (and there are none from the L2TP VPN tab). This traffic goes through pfSense without any restriction.
Can this be fixed?
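The “0/0 B” symptom above is visible from the shell as well: pf keeps per-rule Evaluations/Packets/Bytes/States counters that `pfctl -vsr` prints under each rule, so you can check directly which rules on the L2TP interface are actually seeing traffic and which are installed but never hit. The script below is an added example, not code from the original post or from pfSense; it parses a constructed sample of `pfctl -vsr` output (the interface name `l2tp`, the counter values, and the `USER_RULE:` label prefix that pfSense puts on user rules are assumptions for the sample) and reports rules whose packet counter is still zero.

```python
import re
from typing import Dict, List

# Constructed sample of `pfctl -vsr` output (not captured from a real box).
# Interface name, labels and counter values are assumptions for this example.
SAMPLE_PFCTL_VSR = """\
pass in quick on l2tp inet from any to any flags S/SA keep state label "USER_RULE: pass all"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 123 State Creations: 0     ]
pass out quick on l2tp inet all flags any keep state (sloppy) label "USER_RULE: Secret Rule"
  [ Evaluations: 5813      Packets: 91022     Bytes: 73205518    States: 14    ]
  [ Inserted: uid 0 pid 123 State Creations: 210   ]
pass out quick on l2tp inet proto tcp all flags any keep state (sloppy) label "USER_RULE: Redundant Secret Rule"
  [ Evaluations: 3014      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 123 State Creations: 0     ]
"""

# A rule line starts with the action and optional direction.
ACTION_RE = re.compile(r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)?")
# The interface the rule is bound to ("on <iface>"); floating rules may lack it.
IFACE_RE = re.compile(r"\bon\s+(?P<iface>\S+)")
# pfSense writes the GUI description into the pf label.
LABEL_RE = re.compile(r'label\s+"(?P<label>[^"]*)"')
# The indented counter line that follows each rule.
COUNTER_RE = re.compile(
    r"Evaluations:\s*(?P<evaluations>\d+)\s+Packets:\s*(?P<packets>\d+)"
    r"\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)"
)


def parse_pfctl_rules(text: str) -> List[Dict]:
    """Parse `pfctl -vsr` output into one dict per rule with its hit counters."""
    rules: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Non-indented line: a new rule.
            m_act = ACTION_RE.match(line)
            if not m_act:
                continue
            m_if = IFACE_RE.search(line)
            m_lab = LABEL_RE.search(line)
            rules.append({
                "action": m_act.group("action"),
                "direction": m_act.group("dir") or "any",
                "iface": m_if.group("iface") if m_if else None,
                "label": m_lab.group("label") if m_lab else "",
                "sloppy": "(sloppy)" in line,
                "evaluations": 0, "packets": 0, "bytes": 0, "states": 0,
            })
        else:
            # Indented line: attach counters to the most recent rule.
            m = COUNTER_RE.search(line)
            if m and rules:
                rules[-1].update({k: int(v) for k, v in m.groupdict().items()})
    return rules


def rules_never_matching(rules: List[Dict], iface: str) -> List[str]:
    """Labels of rules on `iface` whose packet counter is still zero
    (the '0/0 B' symptom: the rule is loaded but traffic is not hitting it)."""
    return [r["label"] for r in rules if r["iface"] == iface and r["packets"] == 0]


def rules_carrying_traffic(rules: List[Dict], iface: str) -> List[str]:
    """Labels of rules on `iface` that have matched at least one packet."""
    return [r["label"] for r in rules if r["iface"] == iface and r["packets"] > 0]


if __name__ == "__main__":
    # On a real box: replace SAMPLE_PFCTL_VSR with the output of `pfctl -vsr`.
    parsed = parse_pfctl_rules(SAMPLE_PFCTL_VSR)
    for r in parsed:
        print(f"{r['action']:5} {r['direction']:3} on {r['iface']}: "
              f"{r['packets']} pkts, {r['states']} states, sloppy={r['sloppy']} "
              f"[{r['label']}]")
    print("never matched on l2tp:", rules_never_matching(parsed, "l2tp"))
    print("carrying traffic on l2tp:", rules_carrying_traffic(parsed, "l2tp"))
```

Run this against the live `pfctl -vsr` output on the firewall after pushing some traffic through the tunnel: a rule whose Evaluations and Packets both stay at zero is not on the path the L2TP packets take, which is the condition the post describes for the “L2TP VPN” tab rules, while the floating OUT rule accumulating packets and states is the one actually governing the tunnel.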