New Member
Posts: 5
Registered: 06-26-2014
Accepted Solution

L2TP VPN

I am new to Ubiquiti and having some problems navigating the CLI and the GUI due to some differences in terminology.  Just need to pick a brain or two.

I was reading this wiki page:  http://wiki.ubnt.com/L2TP_Remote_Access_-_CLI_Commands

And came across this information:

The remote users will be trying to establish a L2TP session with the server running on the router, so for the local firewall rule, we must allow the following:

  • IKE - UDP port 500
  • L2TP - UDP port 1701
  • ESP - protocol 50
  • NAT-T - UDP port 4500 (if using NAT-T)

Local Firewall means what?

When he says allow, I am not entirely sure how to allow ports in the GUI or CLI.  The setup is very basic.  Really, what I am saying is that this has exceeded my reach and I need a little help setting up the firewall rules for an L2TP VPN.  Thanks for reading.

---------------------------------------

Config (Sanitized)

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    group {
        address-group AddressGroup1 {
            description "Address Group 1"
        }
        network-group NetworkGroup1 {
            description "Network Group 1"
        }
        port-group PortGroup1 {
            description "Port Group 1"
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Neither ruleset below is attached to an interface, so at this point they filter nothing */
    name Inside {
        default-action accept
        description Inside
    }
    name Outside {
        default-action drop
        description Outside
        rule 1 {
            action accept
            description "Allow Remote Manage 80"
            log disable
            /* Originally "protocol 80", which selects IP protocol number 80, not TCP port 80; corrected to match HTTP */
            protocol tcp
            destination {
                port 80
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address ***.***.***.***/**
        description Outside
        ip {
            enable-proxy-arp
        }
    }
    ethernet eth1 {
        address 10.10.10.1/24
        description Inside10
    }
    ethernet eth2 {
        address 192.168.1.1/24
        description Inside192
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name eth1DHCP {
            authoritative disable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 10.10.10.100 {
                    stop 10.10.10.200
                }
            }
        }
        shared-network-name eth2DHCP {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        /* Disabled port forward; "address" was sanitized out of the post */
        rule 1 {
            description "Port Forwarding "
            destination {
                address
                port 100
            }
            disable
            inbound-interface eth0
            inside-address {
                address 192.168.1.13
                port 100
            }
            log enable
            protocol tcp_udp
            type destination
        }
        rule 5001 {
            description "NAT Out"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address
    host-name ****
    login {
        user corenets {
            authentication {
                encrypted-password ****
                plaintext-password ""
            }
            full-name "****"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password ****
                plaintext-password ""
            }
            full-name ubnt
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username corenets {
                        password ****
                    }
                    username fox {
                        password ****
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.10.10.230
                stop 10.10.10.240
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            mtu 1500
            outside-address ****
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.0.2.4507738.121107.1250 */


All Replies
Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: L2TP VPN

Actually, the posted config doesn't apply any firewall rules to traffic, so there is no need to open anything (since nothing is blocked). This is OK for testing but obviously not recommended for production. One way to set up the firewall is to use the setup wizard in the Web UI, which will set up a basic firewall, and then you can modify the settings from there. For example, it will set up a WAN_LOCAL ruleset where you can then add rules to allow those ports for VPN connections (these can be done in the GUI).

New Member

Re: L2TP VPN

Okay.  I have run the wizard.  It set up what looks like stateful inspection using a WAN_IN and WAN_LOCAL ruleset.  The source tab asks for information.  Is there any way to indicate "ANY" for the IP address?  So that the user can VPN in from any location.  It is a bit confusing.  I have three tabs (Advanced/Source/Destination) asking for port information.  Perhaps I am overthinking this.  I have to open those 4 ports for VPN but I am not sure how to.

Previous Employee

Re: L2TP VPN (Accepted Solution)

Yeah if you don't set anything for the IP address for example, that would be basically "ANY". For example, you can add four rules (one for each of those listed) in the WAN_LOCAL ruleset. Note that ESP is a protocol, not a "port". The other three are destination ports and protocol UDP should be selected for those rules as well.

New Member

Re: L2TP VPN


So even though ESP runs over port 50, I set it up as a protocol?  How do I do that?

*EDIT*

Never mind.  I see it.  Thanks for all the help.