Trying to set up an L2TP server on a pfSense box behind ISP ONT

  • Hi all,

    I am trying to set up an L2TP server on my pfSense box connected behind my ISP's ONT. I have forwarded ports 500, 4500 and 1701 to the WAN IP of the pfSense box. I also followed the docs for setting up the L2TP server on pfSense (ver 2.3.4 i386). When I check to see if the forwarded ports are open, it says that they are not. The appropriate firewall rules were created.

    I had also changed the port of the WebUI for remote access and did a port forwarding through the ONT for it. I can access it remotely.

    I don't see any rule being created on the WAN interface to allow the L2TP server to work. A separate tab (L2TP server) was created with an allow-all rule.

    Is there something I am missing?

  • Netgate Administrator

    Given that you're forwarding 500 and 4500 I assume you're actually trying to do L2TP over IPSec?

    Did you follow this?:

    Do you see blocked traffic in the firewall log when you try to connect?


  • No, I just wanted to set up a pure L2TP connection, but when I wasn't getting it working I added those ports. I can now connect to my VPN. However, I cannot connect to anything behind the box. My LAN is configured with a network address of, but the VPN address is I don't see anything in the routing table to reach from one network to the other.

  • Netgate Administrator

    No routes in the pfSense routing table or at the client?

    You realise L2TP is not by itself encrypted?


  • Ok, in Diagnostics/Routes I see an entry for address of the VPN gateway) and one for address of the VPN client). My firewall rule is set to destination "any". I even tried setting the destination to LAN net, but that didn't make any difference. It seems to be a routing problem.

    I can connect through the VPN to the WebUI of the Box.

    I am aware that pure L2TP is unencrypted.

  • Netgate Administrator

    Can we see screenshots of your setup?

    Are you able to ping the VPN gateway address from the client? Or any other IP on the firewall itself?


  • As I had mentioned before, I connect to the VPN and connect to the WebUI of the box using the IP address of the VPN gateway. I can ping the IP address of the VPN gateway(, but cannot ping any other address on the box. Screenshots of which sections do you need to see?

  • Netgate Administrator

    If you can't ping other interface IPs on the firewall then it's almost certainly a missing route at the client, since pfSense will always have a route back to the client and you have already added a pass-all firewall rule to the L2TP interface.
    Is the client using the L2TP connection as its default route?


  • Thanks for your continued response.

    The client is not using the L2TP connection as its default route. Is there anywhere in pfSense to add this route?

    I had used this client to connect to other L2TP servers before, not pfSense though, and it worked as expected; that is, I was able to connect to resources behind the L2TP server router.

  • Ok I figured it out. Indeed the problem was a routing issue. I

    I first added a route in my VPN client software (DrayTek Smart VPN Client) and noted that it worked. I could have connected to resources behind the pfSense box.

    Since that worked I figured that I'd try to reconfigure the VPN server. I put the IP address of the VPN server with the same network as the LAN( That did the trick.

    Thanks for your support.
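The failure mode the thread converges on is a client that has a tunnel up (it can ping the L2TP gateway) but no route sending LAN traffic into that tunnel, so packets for the LAN follow the client's default route instead. The script below is an added illustration, not code from the thread or from pfSense or DrayTek; it parses a routing table in the shape of Linux `ip route show` output, does the same longest-prefix match the kernel does, and reports whether a LAN behind the VPN would actually be reached through the tunnel interface. The addresses, interface names and both routing tables are constructed placeholders (RFC 5737 documentation ranges), and `ip route add` is a Linux command; the client in the thread is Windows and would need the equivalent `route add` in its own tooling.

```python
"""Client-side check for the "VPN connected but LAN unreachable" condition.

Added example, not from the forum thread. All addresses, interfaces and
routing-table text are constructed placeholders, not values from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination network (a host route is /32)
    iface: Optional[str]            # outgoing interface ("dev ...")
    gateway: Optional[str]          # next hop ("via ..."), None for on-link


def parse_ip_route(text: str) -> List[Route]:
    """Parse lines shaped like Linux `ip route show` output into Route records."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        iface = gateway = None
        for i, tok in enumerate(parts):
            if tok == "dev":
                iface = parts[i + 1]
            elif tok == "via":
                gateway = parts[i + 1]
        routes.append(Route(prefix, iface, gateway))
    return routes


def lookup(dest: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering `dest` wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def lan_reachable_via_vpn(lan_cidr: str, routes: List[Route], vpn_iface: str) -> bool:
    """True only if traffic for the LAN would be sent out of the VPN interface."""
    lan = ipaddress.ip_network(lan_cidr)
    sample_host = str(lan.network_address + 1)  # any host in the LAN will do
    chosen = lookup(sample_host, routes)
    return chosen is not None and chosen.iface == vpn_iface


def suggested_fix(lan_cidr: str, vpn_iface: str) -> str:
    """The static route a Linux client would add (hypothetical remediation)."""
    return f"ip route add {lan_cidr} dev {vpn_iface}"


# Constructed: client with its tunnel up but only a host route to the VPN peer.
# 192.0.2.0/24 is the client's own local network, 10.99.0.1 the L2TP gateway.
BROKEN_TABLE = """
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.99.0.1 dev ppp0 proto kernel scope link src 10.99.0.2
"""

# Constructed: same client after the missing route to the remote LAN was added.
LAN_BEHIND_VPN = "198.51.100.0/24"
FIXED_TABLE = BROKEN_TABLE + "198.51.100.0/24 dev ppp0\n"


if __name__ == "__main__":
    for label, table in (("before", BROKEN_TABLE), ("after", FIXED_TABLE)):
        routes = parse_ip_route(table)
        ok = lan_reachable_via_vpn(LAN_BEHIND_VPN, routes, "ppp0")
        print(f"{label}: LAN reachable via ppp0 = {ok}")
        if not ok:
            print("  suggested:", suggested_fix(LAN_BEHIND_VPN, "ppp0"))
```

With the "before" table the gateway itself is matched by its /32 host route on ppp0 (so it pings), while any LAN host falls through to the default route on eth0, which is exactly the symptom described above; the "after" table routes the LAN through the tunnel. Renumbering the server side so the L2TP pool and the LAN share a network, as the last post did, avoids the need for the client route because the client then gets an on-link route for the whole LAN when the tunnel comes up.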
