2022-11-20 21:17:25 +01:00
title = "HAMnet on the pfSense"
summary = """A short guide on how I installed my L2TP tunnel on my
router/firewall. Routes get announced to new DHCP clients."""
date = "2022-11-21T20:13:08+01:00"
#lastmod = ""
categories = ["amateur-radio"]
tags = ["hamnet","pfSense","networking","linux"]
The usual approach to connect your computer to the
<abbr title="Highspeed Amateurradio Multimedia NETwork">HAMNET</abbr> is to
create a <abbr title="Virtual Private Network">VPN</abbr> tunnel using
<abbr title="Point-to-Point Tunneling Protocol">PPTP</abbr>. Most of recent
operating systems stopped supporting this protocol because it is outdated and
In my recent
[post about HAMNET]({{< ref "2022-10-16-vpn-tunnel-into-hamnet-on-fedora-36" >}})
I created an <abbr title="Layer 2 Tunneling Protocol">L2TP</abbr> tunnel to the
german VPN Server at the RWTH Aachen University on my laptop. Routes have been
2022-12-05 22:32:44 +01:00
added manually---the network was only available on this particular computer.
No other device was able to connect to the HAMNET.
2022-11-20 21:17:25 +01:00
Now I made some changes to my home network where I finally was able to create
the tunnel on my main router/firewall.
## Creating a new <abbr title="Point-to-Point Protocol">PPP</abbr> device
Select <kbd>Interfaces</kbd> → <kbd>Assignments</kbd> → <kbd>PPPs</kbd>

Click on the green <kbd>+ Add</kbd> button on the bottom right and create the
new PPP interface with the following specs:
| Settings name | value |
| :--- | :--- |
| Link Type | **L2TP** |
| Link interface(s) | **WAN** |
| Username | **N0CALL** (your callsign usually) |
| Password | (your password) |
| Local IP | (leave empty) |
| Gateway IP or hostname | **vpn.afu.rwth-aachen.de** |
2022-12-05 22:32:44 +01:00
<!-- You can change `vpn.afu.rwth-aachen.de` with the IP address of the server if you
2022-11-20 21:17:25 +01:00
like. That may help if you don't have a working DNS setup in your network. At the
2022-12-05 22:32:44 +01:00
moment the DNS entry points to ``. -->
2022-11-20 21:17:25 +01:00

## Create a new L2TP device

My screenshot looks a bit different because I have already assigned the
interface. You should see the option <kbd>Available network ports</kbd> in the
last row combined with a green <kbd>+ Add</kbd> button on the right side (just
below the red buttons). Select the newly created L2TP interface (which should
look like `L2TP (igb0) - HAMNET_VPN` -- or something like that) and click the
green button.
Then click on the new interface and set it up.
| Settings name | value |
| :--- | :--- |
| Description | **VPN_HAMNET** (a meaningful description) |
| IPv4 Configuration Type | **L2TP** |
| IPv6 Configuration Type | **None** (or SLAAC if you use IPv6) |
| Username | **N0CALL** (your callsign usually) |
| Password | (your password) |
| Remote IP address | **vpn.afu.rwth-aachen.de** |

## Add static routes on the firewall/router
Click on the green <kbd>+ Add</kbd> button on the bottom right. Add the
networks `` and `` to the list; use the interface from
above as the gateway.

## The tunnel should be up and running
Go to <kbd>Status</kbd> → <kbd>Gateways</kbd> and look if it is online.

## Send this routing configuration to DHCP clients
We can send this configuration to DHCP clients when they get their IP address.
Go to <kbd>Services</kbd> → <kbd>DHCP Server</kbd> and select the interface
that you want to configure with these routes. Then scroll down to the section
<kbd>Other Options</kbd> and look for the last setting
<kbd>Additional BOOTP/DHCP Options</kbd>. Those settings are hidden per default,
so click on <kbd>Display Advanced</kbd>. Below you can now enter the additional
You see three fields, <kbd>Number</kbd>, <kbd>Type</kbd> and <kbd>Value</kbd>.
| Number | Type | Value |
| :--- | :--- | :--- |
| `121` | `String` | `09:2c:00:c0:a8:0a:01:0a:2c:80:c0:a8:0a:01` |
{{< alert >}}
Do not copy this configuration into your pfSense. This setting is somewhat
encoded and routes the HAMNET IPs to my routers IP address. You have to create
your own configuration!
{{< /alert >}}
Create your own configuration with help of this script:
local n=0 val=1
for i in ${1//./ }; do
[ $i -lt 0 -o $i -gt 255 ] && val=0
[ $n -ne 4 ] && val=0
if [ $val -ne 1 ] ; then
echo "Invalid IP: $1" >&2
exit 1
local BIN=({0..1}{0..1}{0..1}{0..1}{0..1}{0..1}{0..1}{0..1})
for i in ${1//./ }; do
echo -n ${BIN[$i]}
while [ $# -gt 0 ] ; do
nw=${1%/*}; nm=${1#*/}; gw=$2
check_ip $nw; check_ip $gw
if [ ${#nm} -gt 2 ] ; then
check_ip $nm
nmbin=$(to_bin $nm)
if echo $nmbin | grep -q "01" ; then
echo "Invalid netmask: $nm" >&2
exit 1
echo $nm
gwhex=$(printf "%02x:%02x:%02x:%02x" ${2//./ })
nwhex=$(printf "%02x:%02x:%02x:%02x" ${nw//./ })
nmhex=$(printf "%02x" ${nm//./ })
[ $nm -le 24 ] && nwhex=${nwhex%:*}
[ $nm -le 16 ] && nwhex=${nwhex%:*}
[ $nm -le 8 ] && nwhex=${nwhex%:*}
echo -n $nmhex:$nwhex:$gwhex
shift 2
[ $# -gt 0 ] && echo -n ":"
Source: [mgergi.hu](https://mgergi.hu/en/it-blog/static-route-dhcp-pfsense)
Script was cited/hardcopied because I hate it when linked websites ain't
available any more. But there is a nice explanation on that website that
you should read.
Replace `` with your routers IP address!
$ hexroute.sh
$ hexroute.sh
You see, you get two values. All you have to do is concatenate those two values
and separate them with colons. Insert the new string into the <kbd>Value</kbd>
field and save those options.

## More resources
* https://support.aa.net.uk/L2TP_Client:_pfSense
* https://id3145.com/2017/blog/5-pfSense-Add-Static-Routes-to-pfSense-DHCP-Clients.html
* https://www.iana.org/assignments/bootp-dhcp-parameters/
* https://www.rfc-editor.org/rfc/rfc3442.html