Netgate Discussion Forum
    Multi-WAN + 2 simultaneous L2TP tunnels via each of WAN interfaces

    Scheduled Pinned Locked Moved Routing and Multi WAN
    4 Posts 1 Posters 4.0k Views
      Taras_

      https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN - this how-to works fine for me. But I can't get success with same setup using L2TP (it's much better for OSPF than OpenVPN). Tcpdump shows incoming packets on second WAN but replies are flying out via first WAN (via default gateway). I see one difference: OpenVPN is completely userspace while l2tp is in kernel (netgraph).

      Questions:
      1. Is it possible to setup 2 simultaneous L2TP tunnels to pfSense via each of WAN interfaces?
      2. Is there any sense in "Interface" setting of L2TP (can't see any references to physical interfaces in mpd's configs and mpd listens on *:1701)?

      Thanks in advance.

        Taras_

        Seems like the issue can be solved - https://redmine.pfsense.org/issues/4830. In fact this is the problem:

        2. Is there any sense in "Interface" setting of L2TP (can't see any references to physical interfaces in mpd's configs and mpd listens on *:1701)?

          Taras_

          So, this works with pfSenses:
          1. pfSense in head office (HO) with 2 ISPs. L2TP server listens on LAN IP (patch here https://redmine.pfsense.org/issues/4830), RDR rules for udp/1701 from WAN1 to LAN and from WAN2 to LAN.
          2. pfSense in branch office (BO) with 1 ISP. Two L2TP clients: first one connects to WAN1 IP of HO, another one connects to WAN2 IP of BO. Each tunnel works fine.
          3. OSPF on top of it.

          Two problems:

          1. mpd5 in pfSense chooses a random source port while connecting to L2TP, but in MikroTik (RouterOS) each L2TP client strictly uses 1701 as the source port. It seems like mpd5 can't understand that it is dealing with two clients connecting from the same port/IP.
          2. It's much easier to have two (or more) L2TP servers to set up different OSPF costs for interfaces (i.e. first L2TP server for "main" tunnels and second L2TP server for "failover" ones).

          I want to see the ability to run multiple L2TP servers on pfSense; it should solve both problems.

          P.S. MikroTik routers are functional and cheap. Another desire: to be able to run pfSense on top of such cheap HW ))))))

            Taras_

            @Taras:

            So, this works with pfSenses:
            1. pfSense in head office (HO) with 2 ISPs. L2TP server listens on LAN IP (patch here https://redmine.pfsense.org/issues/4830), RDR rules for udp/1701 from WAN1 to LAN and from WAN2 to LAN.
            2. pfSense in branch office (BO) with 1 ISP. Two L2TP clients: first one connects to WAN1 IP of HO, another one connects to WAN2 IP of BO. Each tunnel works fine.
            3. OSPF on top of it.

            Two problems:

            1. mpd5 in pfSense chooses a random source port while connecting to L2TP, but in MikroTik (RouterOS) each L2TP client strictly uses 1701 as the source port. It seems like mpd5 can't understand that it is dealing with two clients connecting from the same port/IP.
            2. It's much easier to have two (or more) L2TP servers to set up different OSPF costs for interfaces (i.e. first L2TP server for "main" tunnels and second L2TP server for "failover" ones).

            I want to see the ability to run multiple L2TP servers on pfSense; it should solve both problems.

            P.S. MikroTik routers are functional and cheap. Another desire: to be able to run pfSense on top of such cheap HW ))))))

            (1) seems to be solved in MikroTik:
            Mark L2TP packets flying from BO's MikroTik to HO pfSense's WAN1 IP:

            [admin@MikroTik] > /ip firewall mangle print
            Flags: X - disabled, I - invalid, D - dynamic
             0    chain=output action=mark-packet new-packet-mark=l2tp passthrough=yes protocol=udp dst-address=<HO pfSense's WAN1 IP> dst-port=1701 log=no log-prefix=""

            Change source port in L2TP packets:

            [admin@MikroTik] > /ip firewall nat print
            Flags: X - disabled, I - invalid, D - dynamic
             0    chain=srcnat action=src-nat to-ports=1702 protocol=udp packet-mark=l2tp log=no

             1    ;;; default configuration
                  chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
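Added example, not from the thread: a small Python model of the poster's explanation of problem (1). Once both WAN-side udp/1701 ports on the head-office pfSense are redirected to one LAN listener, two tunnels from a RouterOS client that always sends from source port 1701 arrive with an identical UDP 4-tuple; the mangle + src-nat rule above gives the WAN1 tunnel a different source port so the tuples differ. All addresses are constructed RFC 5737 placeholders, and the collision-on-4-tuple behaviour of mpd5 is taken from the post as an assumption.

```python
# Constructed placeholder addresses (RFC 5737 documentation ranges).
HO_WAN1 = "203.0.113.10"
HO_WAN2 = "198.51.100.10"
HO_LAN = "10.0.0.1"      # where the L2TP server listens after the #4830 patch
BO_WAN = "192.0.2.20"    # branch-office MikroTik public IP
L2TP_PORT = 1701


def bo_srcnat(pkt, rewrite_wan1_port=False):
    """Branch office RouterOS: the mangle rule marks udp/1701 to HO WAN1 and the
    src-nat rule rewrites the marked packets' source port to 1702."""
    if rewrite_wan1_port and pkt["dst"] == HO_WAN1 and pkt["dport"] == L2TP_PORT:
        return {**pkt, "sport": 1702}
    return pkt


def ho_rdr(pkt):
    """Head office pfSense: RDR udp/1701 on WAN1 and WAN2 to the LAN listener."""
    if pkt["dst"] in (HO_WAN1, HO_WAN2) and pkt["dport"] == L2TP_PORT:
        return {**pkt, "dst": HO_LAN}
    return pkt


def build_tunnel_table(rewrite_wan1_port=False):
    """Simulate both BO clients connecting; RouterOS always uses sport 1701.
    Returns the tunnel table keyed by the UDP 4-tuple the server sees after
    RDR, or None when the second tunnel collides with the first (assumption:
    the server keys tunnels on this tuple, as the post describes)."""
    table = {}
    for name, ho_wan in (("main", HO_WAN1), ("failover", HO_WAN2)):
        pkt = {"src": BO_WAN, "sport": L2TP_PORT, "dst": ho_wan, "dport": L2TP_PORT}
        pkt = ho_rdr(bo_srcnat(pkt, rewrite_wan1_port))
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in table:
            return None          # same 4-tuple twice: second tunnel is lost
        table[key] = name
    return table


if __name__ == "__main__":
    print("without src-nat:", build_tunnel_table())
    print("with src-nat:   ", build_tunnel_table(rewrite_wan1_port=True))
```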
            