Netgate Discussion Forum
    Trying to setup L2tp server on Pfsense box behind ISP ONT

    General pfSense Questions

    cenriq:

      Hi all,

      I am trying to set up an L2TP server on my pfSense box connected behind my ISP's ONT. I have forwarded ports 500, 4500 and 1701 to the WAN IP of the pfSense box. I also followed the docs for setting up the L2TP server on pfSense (ver 2.3.4 i386). When I check to see if the forwarded ports are open, it says that they are not. The appropriate firewall rules were created.

      I had also changed the port of the WebUI for remote access and set up a port forward through the ONT for it. I can access it remotely.

      I don't see any rule being created on the WAN interface to allow the L2TP server to work. A separate tab (L2TP Server) was created with an allow-all rule.

      Is there something I am missing?

      stephenw10 (Netgate Administrator):

        Given that you're forwarding 500 and 4500 I assume you're actually trying to do L2TP over IPSec?

        Did you follow this?: https://doc.pfsense.org/index.php/L2TP/IPsec

        Do you see blocked traffic in the firewall log when you try to connect?

        Steve

        cenriq:

          No, I just wanted to set up a pure L2TP connection, but when I wasn't getting it working I added those ports. I can now connect to my VPN. However, I cannot connect to anything behind the box. My LAN is configured with a network address of 192.168.12.0, but the VPN address is 192.168.30.1. I don't see anything in the routing table to reach from one network to the other.

          stephenw10 (Netgate Administrator):

            No routes in the pfSense routing table or at the client?

            You realise L2TP is not by itself encrypted?

            Steve

            cenriq:

              Ok, in Diagnostics/Routes I see an entry for 192.168.30.1 (the address of the VPN gateway) and one for 192.168.30.128 (the address of the VPN client). My firewall rule is set to destination "any". I even tried setting the destination to LAN net, but that didn't make any difference. It seems to be a routing problem.

              I can connect through the VPN to the WebUI of the box.

              I am aware that pure L2TP is unencrypted.

              stephenw10 (Netgate Administrator):

                Can we see screenshots of your setup?

                Are you able to ping the VPN gateway address from the client? Or any other IP on the firewall itself?

                Steve

                cenriq:

                  As I had mentioned before, I connect to the VPN and connect to the WebUI of the box using the IP address of the VPN gateway. I can ping the IP address of the VPN gateway (192.168.30.1), but cannot ping any other address on the box. Screenshots of which sections do you need to see?

                  stephenw10 (Netgate Administrator):

                    If you can't ping other interface IPs on the firewall then it's almost certainly a missing route at the client, since pfSense will always have a route back to the client and you have already added a pass-all firewall rule to the L2TP interface.
                    Is the client using the L2TP connection as its default route?

                    Steve

                    cenriq:

                      Thanks for your continued response.

                      The client is not using the L2TP connection as its default route. Is there anywhere in pfSense to add this route?

                      I had used this client to connect to other L2TP servers before, not pfSense though, and it worked as expected, i.e., I was able to connect to resources behind the L2TP server router.

                      cenriq:

                        Ok, I figured it out. Indeed the problem was a routing issue.

                        I first added a route in my VPN client software (DrayTek Smart VPN Client) and noted that it worked. I could connect to resources behind the pfSense box.

                        Since that worked, I figured that I'd try to reconfigure the VPN server. I put the IP address of the VPN server in the same network as the LAN (192.168.12.2). That did the trick.

                        Thanks for your support.

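The diagnosis in the thread (the client reaches the VPN gateway but nothing behind it, because its own routing table never sends 192.168.12.0/24 into the tunnel) and both fixes in the last post can be checked with a plain longest-prefix-match lookup over the client's routes. The block below is an added example, not code from the original thread or from pfSense or DrayTek. The routing tables are constructed; the interface names `eth0` and `l2tp0`, the pfSense LAN address 192.168.12.1, and the assumption that moving the server address into the LAN subnet gives the client an on-link route for 192.168.12.0/24 over the tunnel are all assumptions, not facts stated on the page.

```python
import ipaddress

# Constructed client routing tables (example data, not from the thread).
# Each entry is (prefix, outgoing interface). "eth0" is the client's physical
# uplink and "l2tp0" the L2TP tunnel interface; both names are assumptions.

# State described mid-thread: tunnel is up, 192.168.30.1 is reachable, but
# nothing points the pfSense LAN (192.168.12.0/24) at the tunnel, so those
# packets leave via the default route on the physical uplink.
ROUTES_NO_LAN_ROUTE = [
    ("0.0.0.0/0",         "eth0"),   # default route stays on the uplink
    ("192.168.30.1/32",   "l2tp0"),  # VPN gateway (tunnel peer)
    ("192.168.30.128/32", "lo"),     # the client's own tunnel address
]

# Fix 1 from the last post: a static route added in the client software.
ROUTES_CLIENT_STATIC = ROUTES_NO_LAN_ROUTE + [("192.168.12.0/24", "l2tp0")]

# Fix 2 from the last post: server address moved into the LAN subnet
# (192.168.12.2). Modelled on the assumption that the client then installs
# the tunnel interface's subnet as an on-link route.
ROUTES_SERVER_IN_LAN = [
    ("0.0.0.0/0",        "eth0"),
    ("192.168.12.2/32",  "l2tp0"),
    ("192.168.12.0/24",  "l2tp0"),
]

# Targets to test: the VPN gateway, the assumed pfSense LAN address, and a
# host behind the firewall.
TARGETS = ["192.168.30.1", "192.168.12.1", "192.168.12.50"]


def lookup(routes, dst):
    """Longest-prefix match: the interface a host would send dst out of.

    Mirrors what the OS forwarding lookup does, so the result tells you
    whether a packet to dst enters the tunnel at all.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def tunneled(routes, targets, tunnel="l2tp0"):
    """Map each target to True if its packets would go through the tunnel."""
    return {t: lookup(routes, t) == tunnel for t in targets}


if __name__ == "__main__":
    tables = [
        ("no LAN route at client", ROUTES_NO_LAN_ROUTE),
        ("static route in client", ROUTES_CLIENT_STATIC),
        ("server address in LAN subnet", ROUTES_SERVER_IN_LAN),
    ]
    for name, table in tables:
        print(f"{name}:")
        for target, via_tunnel in tunneled(table, TARGETS).items():
            print(f"  {target:15} -> {lookup(table, target):6} tunneled={via_tunnel}")
```

The first table reproduces the symptom exactly as reported: 192.168.30.1 is matched by its /32 and goes into the tunnel, while 192.168.12.x falls through to the default route and never reaches pfSense, so no WAN or L2TP firewall rule on the pfSense side can help. Both later tables send the LAN into the tunnel, which is why either fix worked. Note that in the third table 192.168.30.1 is no longer tunneled, but after the change the gateway no longer lives at that address anyway. The routing fix does nothing about the point raised earlier in the thread: a pure L2TP tunnel carries this traffic across the ISP link unencrypted.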
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.