Trying to set up an L2TP server on a pfSense box behind an ISP ONT



  • Hi all,

    I am trying to set up an L2TP server on my pfSense box connected behind my ISP's ONT. I have forwarded ports 500, 4500 and 1701 to the WAN IP of the pfSense box. I also followed the docs for setting up the L2TP server on pfSense (version 2.3.4, i386). When I check to see if the forwarded ports are open, it says that they are not. The appropriate firewall rules were created.

    I had also changed the port of the WebUI for remote access and set up a port forward through the ONT for it. I can access it remotely.

    I don't see any rule being created on the WAN interface to allow the L2TP server to work. A separate tab (L2TP Server) was created with an allow-all rule.

    Is there something I am missing?


  • Netgate Administrator

    Given that you're forwarding 500 and 4500, I assume you're actually trying to do L2TP over IPsec?

    Did you follow this?: https://doc.pfsense.org/index.php/L2TP/IPsec

    Do you see blocked traffic in the firewall log when you try to connect?

    Steve



    No, I just wanted to set up a pure L2TP connection, but when I wasn't getting it working I added those ports. I can now connect to my VPN. However, I cannot connect to anything behind the box. My LAN is configured with a network address of 192.168.12.0, but the VPN address is 192.168.30.1. I don't see anything in the routing table to reach from one network to the other.


  • Netgate Administrator

    No routes in the pfSense routing table or at the client?

    You realise L2TP is not by itself encrypted?

    Steve



    OK, in Diagnostics/Routes I see an entry for 192.168.30.1 (the address of the VPN gateway) and one for 192.168.30.128 (the address of the VPN client). My firewall rule is set to destination "any". I even tried setting the destination to "LAN net", but that didn't make any difference. It seems to be a routing problem.

    I can connect through the VPN to the WebUI of the Box.

    I am aware that pure L2TP is unencrypted.


  • Netgate Administrator

    Can we see screenshots of your setup?

    Are you able to ping the VPN gateway address from the client? Or any other IP on the firewall itself?

    Steve



    As I had mentioned before, I connect to the VPN and connect to the WebUI of the box using the IP address of the VPN gateway. I can ping the IP address of the VPN gateway (192.168.30.1), but cannot ping any other address on the box. Screenshots of which sections do you need to see?


  • Netgate Administrator

    If you can't ping other interface IPs on the firewall then it's almost certainly a missing route at the client, since pfSense will always have a route back to the client and you have already added a pass-all firewall rule on the L2TP interface.
    Is the client using the L2TP connection as its default route?

    Steve
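To make the diagnosis in the reply above concrete, here is an added example (not from the thread or from pfSense) that applies the kernel's longest-prefix-match rule to a constructed client routing table. The table mirrors the situation described in the thread: host routes for the L2TP gateway (192.168.30.1) and the client's tunnel address (192.168.30.128), a default route out the physical NIC, and nothing for the LAN (192.168.12.0/24). The interface names `eth0` and `ppp0`, the upstream network 10.0.0.0/24, and the `netstat -rn`-style column layout are all assumptions made for the example; the second table adds the kind of static route the client needs.

```python
import ipaddress

# Constructed sample: client routing table BEFORE any fix. Column layout,
# interface names and the 10.0.0.0/24 upstream network are assumptions.
CLIENT_ROUTES_BEFORE = """\
Destination        Gateway          Interface
default            10.0.0.1         eth0
10.0.0.0/24        link             eth0
192.168.30.1/32    link             ppp0
192.168.30.128/32  link             ppp0
"""

# Same table AFTER adding a static route for the LAN behind pfSense via the
# L2TP gateway (the route the client is missing in the thread).
CLIENT_ROUTES_AFTER = CLIENT_ROUTES_BEFORE + (
    "192.168.12.0/24    192.168.30.1     ppp0\n"
)


def parse_routes(table):
    """Parse the constructed table into (network, gateway, interface) tuples."""
    routes = []
    for line in table.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        dst, gw, iface = line.split()
        cidr = "0.0.0.0/0" if dst == "default" else dst
        routes.append((ipaddress.ip_network(cidr, strict=False), gw, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def goes_via_tunnel(table, address, tunnel_iface="ppp0"):
    """True if traffic to `address` would leave through the L2TP interface."""
    match = lookup(parse_routes(table), address)
    return match is not None and match[2] == tunnel_iface


if __name__ == "__main__":
    for label, table in (("before", CLIENT_ROUTES_BEFORE), ("after", CLIENT_ROUTES_AFTER)):
        for target in ("192.168.30.1", "192.168.12.1"):
            net, gw, iface = lookup(parse_routes(table), target)
            print(f"{label}: {target} -> {net} via {gw} on {iface}")
```

With the first table, 192.168.30.1 matches its /32 host route and goes down the tunnel, which is why the OP can ping the VPN gateway and reach the WebUI on that address, while 192.168.12.1 matches only the default route and leaves through the physical NIC, never entering the tunnel at all. Only the added 192.168.12.0/24 entry sends LAN traffic via ppp0; a pass-all rule on the pfSense L2TP tab cannot help with packets that never arrive there.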



  • Thanks for your continued response.

    The client is not using the L2TP connection as its default route. Is there anywhere in pfSense to add this route?

    I had used this client to connect to other L2TP servers before (not pfSense, though) and it worked as expected; that is, I was able to connect to resources behind the L2TP server router.



  • OK, I figured it out. Indeed the problem was a routing issue.

    I first added a route in my VPN client software (DrayTek Smart VPN Client) and noted that it worked. I could then connect to resources behind the pfSense box.

    Since that worked, I figured that I'd try to reconfigure the VPN server. I put the IP address of the VPN server in the same network as the LAN (192.168.12.2). That did the trick.

    Thanks for your support.