Cannot filter traffic from L2TP clients



  • Version : 2.3.2-RELEASE (amd64)  built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5

    I have a L2TP/IPSEC VPN on which I want to restrict traffic from L2TP clients to certain hosts on the LAN.

    Before I go into any details, please note that the “Diagnostics / Packet Capture” does NOT allow packet capture from the L2TP interface and that logging actual packets processed in the L2TP tunnel is rather limited as explained here: https://forum.pfsense.org/index.php?topic=119153.0.

    If you setup such a VPN properly, you will find that a “pass all” rule in the “Firewall / Rules / L2TP VPN” tab will NEVER register any traffic going through that rule. The “States” column will always read “0/0 B” regardless how much traffic goes through the tunnel.

    In fact, you can successfully operate the tunnel (and NAT to the Internet) without ANY rules in the “Firewall / Rules / L2TP VPN”.

    All you need to operate the VPN are two FLOATING rules in the OUT direction for the “L2TP VPN” interface:

    Protocol              Source  Port      Destination        Port      Gateway            Queue      Schedule            Description
    Pass&Log            IPv4 *                  *            *            *            *            *            none                                                          Secret Rule
    Pass&Log            IPv4 TCP              *            *            *            *            *            none                                                          Redundant Secret Rule

    where both rules have “TCP Flags” set to “any” and “State Type” set to “Sloppy”.

    Needless to say, you could prevent returning traffic to go to the L2TP client but you can’t prevent the L2TP client from reaching out anything accessible on the LAN or the WAN.

    You can reproduce this setup at will using a simple network structure:
    -        LAN address 10.10.10.1/24
    -        L2TP default gateway at 10.10.10.215
    -        L2TP client subnet: 10.10.10.216/29
    -        WAN is any static address in my tests.

    With this, you can nmap the L2TP gateway at 10.10.10.215 to make sure that the LAN is visible to local and remote hosts. However, the L2TP traffic going INTO the LAN is not filtered by any rule on the LAN tab (and there are none from the L2TP VPN tab). This traffic goes through pfSense without any restriction.

    Can this be fixed?

    Regards,


Log in to reply