Trying to set up an L2TP server on pfSense box behind ISP ONT
- 
 Hi all, I am trying to set up an L2TP server on my pfSense box connected behind my ISP's ONT. I have forwarded ports 500, 4500 and 1701 to the WAN IP of the pfSense box. I also followed the docs for setting up the L2TP server on pfSense (ver 2.3.4 i386). When I check to see if the forwarded ports are open, it says that they are not. The appropriate firewall rules were created. I had also changed the port of the WebUI for remote access and did a port forward through the ONT for it. I can access it remotely. I don't see any rule being created on the WAN interface to allow the L2TP server to work. A separate tab (L2TP server) was created with an allow-all rule. Is there something I am missing? 
- 
 Given that you're forwarding 500 and 4500 I assume you're actually trying to do L2TP over IPsec? Did you follow this guide (https://doc.pfsense.org/index.php/L2TP/IPsec)? Do you see blocked traffic in the firewall log when you try to connect? Steve 
- 
 No, I just wanted to set up a pure L2TP connection, but when I wasn't getting it working I added those ports. I can now connect to my VPN. However, I cannot connect to anything behind the box. My LAN is configured with a network address of 192.168.12.0, but the VPN address is 192.168.30.1. I don't see anything in the routing table to reach from one network to the other. 
- 
 No routes in the pfSense routing table or at the client? You realise L2TP is not by itself encrypted? Steve 
- 
 Ok, in Diagnostics/Routes I see an entry for 192.168.30.1 (the address of the VPN gateway) and one for 192.168.30.128 (the address of the VPN client). My firewall rule is set to destination "any". I even tried setting the destination to LAN net, but that didn't make any difference. It seems to be a routing problem. I can connect through the VPN to the WebUI of the box. I am aware that pure L2TP is unencrypted. 
- 
 Can we see screenshots of your setup? Are you able to ping the VPN gateway address from the client? Or any other IP on the firewall itself? Steve 
- 
 As I had mentioned before, I connect to the VPN and connect to the WebUI of the box using the IP address of the VPN gateway. I can ping the IP address of the VPN gateway (192.168.30.1), but cannot ping any other address on the box. Screenshots of what sections do you need to see? 
- 
 If you can't ping other interface IPs on the firewall then it's almost certainly a missing route at the client, since pfSense will always have a route back to the client and you have already added a pass-all firewall rule to the L2TP interface. 
 Is the client using the L2TP connection as its default route? Steve 
- 
 Thanks for your continued response. The client is not using the L2TP connection as its default route. Is there anywhere in pfSense to add this route? I had used this client to connect to other L2TP servers before, not pfSense though, and it worked as expected, that is, I was able to connect to resources behind the L2TP server router. 
- 
 Ok, I figured it out. Indeed the problem was a routing issue. I first added a route in my VPN client software (Draytek Smart VPN client) and noted that it worked. I could then connect to resources behind the pfSense box. Since that worked, I figured that I'd try to reconfigure the VPN server. I put the IP address of the VPN server within the same network as the LAN (192.168.12.2). That did the trick. Thanks for your support. 
