Local LAN clients to communicate with L2TP VPN clients - possible?
-
I have an LTE wifi router at a remote site. The ISP only provides a CGNAT IP, a NAT IP, to the router. I, therefore, can't easily remote to the router and its clients. Though not very often, I have to access some devices behind the remote LTE router. How could I accomplish this?
As the router only provides L2TP client VPN, I have set up the L2TP VPN server on my pfsense. The remote router can connect to my pfSense without a problem, using ip 10.1.100.0/24.
However, I don't know what else I have to set up so that my desktop PC at home (on the same subnet as pfSense, i.e., 192.168.2.0/24) can access a device behind the remote router, or even the router itself. I know L2TP VPN is not secured, but I may need to do the remote access only a few times a year.
-
Is it actually plain L2TP or the more common L2TP over IPSec transport?
If the remote router is acting as a client directly you would not be able to access other hosts behind it without some sort of forwarding. pfSense will only see the single IP it pulls when it connects.
Steve
-
@stephenw10 Thanks. Unfortunately it is just plain L2TP.
When you said I need to port forward in order to access the devices behind the remote router (now as a VPN client), do we do it on the remote router?
-
Yes, it would have to be on the remote router if it's pulling a single IP.
If you have access to what's behind the LTE router I would look at using something else as a VPN client behind there. That would solve both issues.
Steve
-
@stephenw10 Thanks. As of now I can't even connect my home PC to the remote router. What firewall setting on pfSense would allow me to do that?
-
L2TP is odd, there can be unexpected issues! It could be the router itself refuses connections from the LAN though. Are you able to ping it from pfSense?
-
@stephenw10 yes, I can ping the router vpn address from pfSense.
-
Can you ping it from pfSense if you set the source to LAN?
Tunneling from something behind the LTE router would be a lot easier if that's something you can do.
Steve
-
@stephenw10 said in Local LAN clients to communicate with L2TP VPN clients - possible?:
Can you ping it from pfSense if you set the source to LAN? No.
Tunneling from something behind the LTE router would be a lot easier if that's something you can do. (Unfortunately, my devices behind the router are webcams and esp8266 boards.)
Steve
-
Are you able to try connecting the other way, from one of those devices to pfSense or a host on the pfSense LAN?
It depends how the LTE modem is set up to handle the L2TP client. It may simply not be possible to connect to it inbound.
When you pinged the LTE router from pfSense was that using the L2TP IP or its LAN side IP?
-
@stephenw10 said in Local LAN clients to communicate with L2TP VPN clients - possible?:
Are you able to try connecting the other way, from one of those devices to pfSense or a host on the pfSense LAN? (Yes, my phone wifi connected to the router can ping hosts behind pfSense)
It depends how the LTE modem is set up to handle the L2TP client. It may simply not be possible to connect to it inbound. (The router L2TP GUI has two modes, Global and Network mode. I don't know the differences. For the network mode, it also asks for more input, e.g., Tunnel IP.)
When you pinged the LTE router from pfSense was that using the L2TP IP or its LAN side IP? (I can ping the L2TP IP, but can't ping the router LAN IP.)
-
Hmm, so that seems like the LTE router is NATing traffic from hosts behind it across the L2TP which allows pfSense to reply to it.
It seems like you will probably need to use the 'network mode' so you probably first need to know exactly what that does.
Steve
-
@stephenw10 Thanks again for your advice. It seems to be working now with the "Network" mode.
The "Network" mode on my remote router L2TP client setup allows me to specify remote Subnet IP, remote Subnet Mask, and custom tunnel IP. I specified my LAN subnet/mask (192.168.2.0/24), and left the custom tunnel IP blank.
On my remote router, I also set a port forwarding entry in order to allow me to access the remote devices, e.g. port 80 ---> 10.1.1.1 port 80 (allowing me to access the remote router).
- now I can access the remote router from LAN PC with L2TP IP 10.1.100.130
- devices behind the remote router can't ping LAN devices behind pfSense (L2TP server) and pfSense itself (unless, I believe, I add a port forwarding entry for that device)
With all the above connections, I did not create any firewall rule for L2TP Client on pfSense. I created only a NAT rule to allow L2TP port (1701) so that L2TP client can connect to L2TP server on pfSense.
Though it is now working, I may not use this approach because of the insecure L2TP, which also has to be online all the time.
What is your thought?
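To make the behaviour reported in this thread concrete (ping from pfSense's own tunnel address works, ping with a LAN source does not, and "Network" mode with the home subnet entered fixes it), here is an added Python model of the remote router's forwarding decision. It is not code from the thread or from pfSense; it assumes that "Global" mode leaves the router with only its LAN, the tunnel pool and the CGNAT default route, and that "Network" mode adds the entered remote subnet (192.168.2.0/24) as a route via the tunnel. The pfSense tunnel IP 10.1.100.1, the remote LAN 10.1.1.0/24 and the home PC 192.168.2.10 are assumed or constructed; the pool, the client IP 10.1.100.130 and the port-80 forward to 10.1.1.1 come from the posts above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses taken from the thread: the home LAN behind pfSense, the L2TP
# address pool, the remote router's tunnel address and the port-forward target.
HOME_LAN = ipaddress.ip_network("192.168.2.0/24")
L2TP_POOL = ipaddress.ip_network("10.1.100.0/24")
REMOTE_TUNNEL_IP = ipaddress.ip_address("10.1.100.130")
CAMERA = ipaddress.ip_address("10.1.1.1")
# Assumed / constructed for this example (not stated in the thread):
PFSENSE_TUNNEL_IP = ipaddress.ip_address("10.1.100.1")  # assumed server-side tunnel IP
REMOTE_LAN = ipaddress.ip_network("10.1.1.0/24")        # assumed LAN behind the LTE router
LAN_PC = ipaddress.ip_address("192.168.2.10")           # constructed home PC
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the interface a router would send 'dst' out of."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def remote_router_routes(network_mode: bool) -> List[Route]:
    """Routing table of the LTE router while it is an L2TP client (assumed model).

    'Global' mode: own LAN, the tunnel pool, and the CGNAT uplink as default.
    'Network' mode: additionally the remote subnet entered in the GUI, via the tunnel.
    """
    routes = [Route(REMOTE_LAN, "lan"), Route(L2TP_POOL, "l2tp"), Route(DEFAULT, "lte_wan")]
    if network_mode:
        routes.append(Route(HOME_LAN, "l2tp"))
    return routes


# The thread's single forward on the remote router: tunnel port 80 ---> 10.1.1.1 port 80
PORT_FORWARDS = {80: (CAMERA, 80)}


def ping_returns(src: ipaddress.IPv4Address, network_mode: bool) -> bool:
    """Does an echo request from 'src' to the router's tunnel IP get its reply back?

    The request always arrives through the tunnel; what decides the outcome is
    the interface the router picks for the reply to 'src'.
    """
    return lookup(remote_router_routes(network_mode), src) == "l2tp"


def trace_lan_pc_to_camera(network_mode: bool, dst_port: int = 80) -> str:
    """Follow a TCP connection from the home PC to 10.1.100.130:dst_port."""
    routes = remote_router_routes(network_mode)
    target = PORT_FORWARDS.get(dst_port)
    if target is None:
        # pfSense only sees the one client IP; nothing behind it is reachable
        # unless the router forwards the port.
        return f"no port forward for {dst_port}: connection ends at the router itself"
    host, port = target
    if lookup(routes, host) != "lan":
        return f"fail: forward target {host} is not on the router's LAN"
    reply_iface = lookup(routes, LAN_PC)
    if reply_iface == "l2tp":
        return f"ok: {LAN_PC} -> {REMOTE_TUNNEL_IP}:{dst_port} -> {host}:{port}, reply returns via tunnel"
    return f"fail: reply to {LAN_PC} leaves via {reply_iface} (CGNAT uplink), never comes back"


if __name__ == "__main__":
    for mode in (False, True):
        print(f"network_mode={mode}: ping from pfSense tunnel IP: "
              f"{ping_returns(PFSENSE_TUNNEL_IP, mode)}, from LAN PC: {ping_returns(LAN_PC, mode)}")
        print("   ", trace_lan_pc_to_camera(mode))
```

The model also shows why the forwarded port, not the tunnel, is the real exposure to think about: every LAN host at home can reach whatever the remote router forwards, so the forward list on the LTE router and a pass rule on pfSense's L2TP interface limited to the client IP and the forwarded port are the two places to keep tight.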
-
Nice. Yeah, if it's really just L2TP without IPsec then you really need to be aware of what's going across it. Leaving it enabled shouldn't really be a huge problem since only traffic from the configured remote site would ever be allowed.
I would still investigate using something other than the LTE router to terminate a VPN so you can use a real VPN if you can.
Steve