Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cannot filter traffic from L2TP clients

    IPsec
    1
    1
    773
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SergeCaron
      last edited by

      Version : 2.3.2-RELEASE (amd64)  built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5

      I have a L2TP/IPSEC VPN on which I want to restrict traffic from L2TP clients to certain hosts on the LAN.

      Before I go into any details, please note that the “Diagnostics / Packet Capture” does NOT allow packet capture from the L2TP interface and that logging actual packets processed in the L2TP tunnel is rather limited as explained here: https://forum.pfsense.org/index.php?topic=119153.0.

      If you setup such a VPN properly, you will find that a “pass all” rule in the “Firewall / Rules / L2TP VPN” tab will NEVER register any traffic going through that rule. The “States” column will always read “0/0 B” regardless how much traffic goes through the tunnel.

      In fact, you can successfully operate the tunnel (and NAT to the Internet) without ANY rules in the “Firewall / Rules / L2TP VPN”.

      All you need to operate the VPN are two FLOATING rules in the OUT direction for the “L2TP VPN” interface:

      Protocol              Source  Port      Destination        Port      Gateway            Queue      Schedule            Description
      Pass&Log            IPv4 *                  *            *            *            *            *            none                                                          Secret Rule
      Pass&Log            IPv4 TCP              *            *            *            *            *            none                                                          Redundant Secret Rule

      where both rules have “TCP Flags” set to “any” and “State Type” set to “Sloppy”.

      Needless to say, you could prevent returning traffic to go to the L2TP client but you can’t prevent the L2TP client from reaching out anything accessible on the LAN or the WAN.

      You can reproduce this setup at will using a simple network structure:
      -        LAN address 10.10.10.1/24
      -        L2TP default gateway at 10.10.10.215
      -        L2TP client subnet: 10.10.10.216/29
      -        WAN is any static address in my tests.

      With this, you can nmap the L2TP gateway at 10.10.10.215 to make sure that the LAN is visible to local and remote hosts. However, the L2TP traffic going INTO the LAN is not filtered by any rule on the LAN tab (and there are none from the L2TP VPN tab). This traffic goes through pfSense without any restriction.

      Can this be fixed?

      Regards,

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.