Multi-WAN + 2 simultaneous L2TP tunnels via each of WAN interfaces



  • https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN - this how-to works fine for me. But I can't get the same setup working with L2TP (it's much better for OSPF than OpenVPN). Tcpdump shows incoming packets on the second WAN, but the replies are flying out via the first WAN (via the default gateway). I see one difference: OpenVPN is completely userspace, while L2TP is in the kernel (netgraph).

    Questions:
    1. Is it possible to setup 2 simultaneous L2TP tunnels to pfSense via each of WAN interfaces?
    2. Is there any point to the "Interface" setting of L2TP (I can't see any references to physical interfaces in mpd's configs, and mpd listens on *:1701)?

    Thanks in advance.
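The symptom above (L2TP arrives on the second WAN, replies leave through the first) can be confirmed from two captures before touching any configuration. The script below is an added example, not from the post or from pfSense/mpd: it reads tcpdump output from both WAN interfaces, each line prefixed with the interface name, and reports replies that left through an interface that does not own their source address, plus peers that never got a reply on the interface they used. The interface names em1/em2, the RFC 5737 addresses and the capture lines are all constructed for the example.

```python
import re

# Constructed mapping of the HO pfSense WAN interfaces to their own addresses
# (hypothetical names and addresses, not taken from the thread).
WAN_IFACES = {"em1": "203.0.113.10", "em2": "198.51.100.10"}

# Constructed sample: two captures run side by side on the HO pfSense, e.g.
#   tcpdump -ni em1 -l udp port 1701 | sed 's/^/em1 /'
#   tcpdump -ni em2 -l udp port 1701 | sed 's/^/em2 /'
# merged into one stream. The branch office (192.0.2.7) opens one tunnel to
# each WAN address from a random source port, as an mpd5 client would.
SAMPLE_CAPTURE = """\
em1 10:15:01.100100 IP 192.0.2.7.40001 > 203.0.113.10.1701: UDP, length 60
em1 10:15:01.100350 IP 203.0.113.10.1701 > 192.0.2.7.40001: UDP, length 48
em2 10:15:02.000100 IP 192.0.2.7.54321 > 198.51.100.10.1701: UDP, length 60
em1 10:15:02.000350 IP 198.51.100.10.1701 > 192.0.2.7.54321: UDP, length 48
em2 10:15:03.000100 IP 192.0.2.7.54321 > 198.51.100.10.1701: UDP, length 60
em1 10:15:03.000350 IP 198.51.100.10.1701 > 192.0.2.7.54321: UDP, length 48
"""

# "<iface> <timestamp> IP <src>.<sport> > <dst>.<dport>: UDP, ..." as printed by tcpdump -n
LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP"
)


def parse_capture(text):
    """Return one dict per parsable line; lines that are not IPv4/UDP are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        packets.append(p)
    return packets


def misrouted_replies(packets, wan_ifaces):
    """Packets sourced from a WAN address but seen leaving a different interface.

    A reply to a tunnel that arrived on WAN2 must leave through WAN2; if it is
    seen on WAN1 the firewall followed the default gateway instead of the
    interface's own gateway, which is exactly the symptom in the post.
    """
    owner_of = {addr: ifname for ifname, addr in wan_ifaces.items()}
    bad = []
    for p in packets:
        owner = owner_of.get(p["src"])
        if owner is not None and owner != p["ifname"]:
            bad.append({"seen_on": p["ifname"], "expected": owner,
                        "src": p["src"], "peer": p["dst"], "peer_port": p["dport"]})
    return bad


def unanswered_peers(packets, wan_ifaces):
    """Peers that sent L2TP to a WAN address without any reply leaving that same interface."""
    local = set(wan_ifaces.values())
    inbound, answered = set(), set()
    for p in packets:
        if p["dst"] in local:
            inbound.add((p["ifname"], p["src"], p["sport"]))
        elif p["src"] in local:
            answered.add((p["ifname"], p["dst"], p["dport"]))
    return sorted(inbound - answered)


def diagnose(text, wan_ifaces=WAN_IFACES):
    """Run both checks over a merged capture and return a small report."""
    packets = parse_capture(text)
    return {
        "packets": len(packets),
        "misrouted": misrouted_replies(packets, wan_ifaces),
        "unanswered": unanswered_peers(packets, wan_ifaces),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_CAPTURE)
    for m in report["misrouted"]:
        print(f"reply from {m['src']} to {m['peer']}:{m['peer_port']} left {m['seen_on']}, expected {m['expected']}")
    for ifname, peer, port in report["unanswered"]:
        print(f"{ifname}: no reply to {peer}:{port} on this interface")
```

On the constructed sample the WAN1 tunnel is answered on em1 as it should be, while both replies for the WAN2 tunnel carry the WAN2 source address but leave on em1, so the peer is reported as unanswered on em2. Real captures can be fed in the same way by prefixing each tcpdump line with its interface name.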



  • It seems the issue can be solved - https://redmine.pfsense.org/issues/4830. In fact this is the problem:

    2. Is there any sense in "Interface" setting of L2TP (can't see any references to physical interfaces in mpd's configs and mpd listens on *:1701)?



  • So, this works with two pfSense boxes:
    1. pfSense in the head office (HO) with 2 ISPs. The L2TP server listens on the LAN IP (patch here https://redmine.pfsense.org/issues/4830), with RDR rules for udp/1701 from WAN1 to LAN and from WAN2 to LAN.
    2. pfSense in the branch office (BO) with 1 ISP. Two L2TP clients: the first connects to the WAN1 IP of HO, the other connects to the WAN2 IP of BO. Each tunnel works fine.
    3. OSPF on top of it.

    Two problems:

    1. mpd5 in pfSense chooses a random source port when connecting to L2TP, but in MikroTik (RouterOS) each L2TP client strictly uses 1701 as the source port. It seems mpd5 can't understand that it is dealing with two clients connecting from the same port/IP.
    2. It's much easier to have two (or more) L2TP servers to set up different OSPF costs for the interfaces (i.e. the first L2TP server for "main" tunnels and the second L2TP server for "failover" ones).

    I would like to see the ability to run multiple L2TP servers on pfSense; it should solve both problems.

    P.S. MikroTik routers are functional and cheap. Another wish: to be able to run pfSense on top of such cheap HW ))))))



  • @Taras:


    (1) seems to be solved on the MikroTik side:
    Mark the L2TP packets going from the BO MikroTik to the HO pfSense's WAN1 IP:

    [admin@MikroTik] > /ip firewall mangle print
    Flags: X - disabled, I - invalid, D - dynamic
     0    chain=output action=mark-packet new-packet-mark=l2tp passthrough=yes protocol=udp dst-address=<HO pfSense's WAN1 IP> dst-port=1701 log=no log-prefix=""
    

    Change the source port of those L2TP packets:

    [admin@MikroTik] > /ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
     0    chain=srcnat action=src-nat to-ports=1702 protocol=udp packet-mark=l2tp log=no

     1    ;;; default configuration
          chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
    
    
