Trying to set up an L2TP server on a pfSense box behind an ISP ONT
I am trying to set up an L2TP server on my pfSense box connected behind my ISP's ONT. I have forwarded ports 500, 4500 and 1701 to the WAN IP of the pfSense box. I also followed the docs for setting up the L2TP server on pfSense (version 2.3.4, i386). When I check to see if the forwarded ports are open, it says that they are not. The appropriate firewall rules were created.
I had also changed the port of the WebUI for remote access and set up a port forward through the ONT for it. I can access it remotely.
I don't see any rule being created on the WAN interface to allow the L2TP server to work. A separate tab (L2TP server) was created with an allow-all rule.
Is there something I am missing?
Given that you're forwarding 500 and 4500, I assume you're actually trying to do L2TP over IPsec?
Did you follow this: https://doc.pfsense.org/index.php/L2TP/IPsec
Do you see blocked traffic in the firewall log when you try to connect?
No, I just wanted to set up a pure L2TP connection, but when I wasn't getting it working I added those ports. I can now connect to my VPN. However, I cannot connect to anything behind the box. My LAN is configured with a network address of 192.168.12.0, but the VPN address is 192.168.30.1. I don't see anything in the routing table to reach from one network to the other.
No routes in the pfSense routing table or at the client?
You realise L2TP is not by itself encrypted?
Ok, in Diagnostics/Routes I see an entry for 192.168.30.1 (the address of the VPN gateway) and one for 192.168.30.128 (the address of the VPN client). My firewall rule is set to destination "any". I even tried setting the destination to LAN net, but that didn't make any difference. It seems to be a routing problem.
I can connect through the VPN to the WebUI of the Box.
I am aware that pure L2TP is unencrypted.
Can we see screenshots of your setup?
Are you able to ping the VPN gateway address from the client? Or any other IP on the firewall itself?
As I had mentioned before, I connect to the VPN and connect to the WebUI of the box using the IP address of the VPN gateway. I can ping the IP address of the VPN gateway (192.168.30.1), but cannot ping any other address on the box. Screenshots of what sections do you need to see?
If you can't ping other interface IPs on the firewall then it's almost certainly a missing route at the client, since pfSense will always have a route back to the client and you have already added a pass-all firewall rule to the L2TP interface.
Is the client using the L2TP connection as its default route?
Thanks for your continued response.
The client is not using the L2TP connection as its default route. Is there anywhere in pfSense to add this route?
I had used this client to connect to other L2TP servers before, not pfSense though, and it worked as expected, i.e., I was able to connect to resources behind the L2TP server router.
Ok, I figured it out. Indeed the problem was a routing issue.
I first added a route in my VPN client software (Draytek Smart VPN client) and noted that it worked. I could then connect to resources behind the pfSense box.
Since that worked, I figured that I'd try to reconfigure the VPN server. I put the IP address of the VPN server in the same network as the LAN (192.168.12.2). That did the trick.
Thanks for your support.
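The routing behaviour this thread turns on, as an added example that is not part of the original posts: a longest-prefix-match lookup over a constructed client routing table, using the thread's VPN gateway (192.168.30.1), client address (192.168.30.128) and LAN subnet (192.168.12.0/24). The client's home-LAN addresses (10.0.0.0/24, 10.0.0.1) and the interface names are assumptions. It shows why, until a route for 192.168.12.0/24 via the tunnel exists at the client, traffic for the pfSense LAN leaves through the client's default route and never enters the L2TP interface, even though pfSense itself has a route back and a pass-all rule.

```python
import ipaddress

# Constructed client routing table: (destination, gateway or None, interface).
# VPN-side addresses are the ones from the thread; the home-LAN ones are assumed.
BASE_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", "eth0"),      # default route via home router (assumed)
    ("10.0.0.0/24", None, "eth0"),          # client's own LAN (assumed)
    ("192.168.30.1/32", None, "l2tp0"),     # point-to-point link to the VPN gateway
    ("192.168.30.128/32", None, "lo"),      # the client's own VPN address
]

# The route the poster added by hand in the Draytek client.
LAN_VIA_VPN = ("192.168.12.0/24", "192.168.30.1", "l2tp0")


def lookup(routes, dst):
    """Longest-prefix match, as a host routing table does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def reaches_via_vpn(routes, dst, vpn_dev="l2tp0"):
    """True if packets for dst leave through the L2TP tunnel interface."""
    route = lookup(routes, dst)
    return route is not None and route[2] == vpn_dev


def explain(routes, dst):
    """Human-readable description of which route a destination would take."""
    route = lookup(routes, dst)
    if route is None:
        return f"{dst}: no route"
    net, gw, dev = route
    via = f"via {gw}" if gw else "directly connected"
    return f"{dst}: matches {net} {via} on {dev}"


if __name__ == "__main__":
    for table, label in ((BASE_ROUTES, "without"), (BASE_ROUTES + [LAN_VIA_VPN], "with")):
        print(f"--- {label} the added route ---")
        for dst in ("192.168.30.1", "192.168.12.1", "192.168.12.50"):
            print(explain(table, dst))
```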