I've got the exact same problem, only 1 subnet through the IPSEC-tunnel, and trying to use a 1:1 NAT to reach resources on a different subnet. Anyone know if this is possible? I think the main problem that it is not working, is that the source of traffic from the 'other side' is not a subnet-interface, but the IPSEC-interface. In het NAT-rule you can't select the IPSEC-interface, so the traffic is never matched against this 1:1-rule.

Maybe i've "found" the solution. It's looks wired but it works. I've made these steps: 1. System>Advanced>Firewall/NAT>Set "NAT Reflection Mode" from "disable" to "NAT + Proxy" 2. Save ( i've tried again with this option without success ) 3. Step Back to "disable" and everything start working I'm actually astonished  :o I'm going to remove the unused Virtual IPs. Thanks Everyone. I appreciate your help.

What exactly in the linked howto does NOT work for you? Ya know, noone here will make the protocol NAT friendly…

on your interface "WAN"  "block private networks" is checked.  you are using a private network subnet there, so un-check that.

@Derelict: @davids355: Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet? I guess it matters if it matters to you.  I've never done a pool of outbound NAT addresses on pfSense.  Not sure how to set that up other than 1:1.  You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules. Thanks, no it doesnt matter to me. Just wanted to make sure I was doing it the right way. I have opened another thread about isolating each subnet form the other, if you have time: https://forum.pfsense.org/index.php?topic=91399.0

hiiii, I figured it out, unticked "Block Private Netowrk" in WAN-INTERFACE and its worked

thank you very much i will give this a shot later on on a test machine so i don't break the production box  ;D

So you don't need any forwarders?  From muswell, and how I read your post it seems that is where the client needs to talk, not what needs to talk to the client.  Your machines behind pfsense being the client.

For the record: I got a Cisco 2950. It has its benefits in my setup, no doubt about that. Risto

@doktornotor: @sergiosmvc: But why should be TCP/UPD if rdp is only TCP? No, it's not. Please, read some MS docs. Everything properly patched from W7 up uses both TCP and UDP. Once again, we are discussing RDP here. I totally fail to see why the hell you need 100 ways to reach the damned box. Sorry The RDP was an example but those 100 domains are about http. the nat foward for http works with NAT + Proxy but if i change it to PURE NAT i can't connect internal HTTP / MAIL / RDP etc etc sorry about my english

Is an IPsec tunel? if so, have you add firewall rules on IPsec interfaces? You can monitoring with tcpdump to see if the packets are going to each end. (tcpdump -nni [interface])

Could this be connected to this issue, which has been fixed in 2.2.1? Fixed a bug where applying NAT changes in Hyper-V could break the running NAT configuration. #4445 https://redmine.pfsense.org/issues/4445

Post a network diagram so we can be sure what we are talking about. I guess when you set up the OpenVPN server (3) you put all the local subnets (2,4,5,6,7,…) in the "Local Subnet/s" box. Or you are redirecting all traffic from clients to the OpenVPN. Do a traceroute from and OpenVPN client to subnet 5 - that will show where the packet is going (around in a loop somewhere maybe). If the router inside your LAN (that routes from 2 to 4,5,6,7...) is blocking traffic originating from OpenVPN (3) tunnel network, then why not change that router config so it passes the traffic? Otherwise, yes you can add an Outbound NAT rule on LAN that will NAT traffic with source "OpenVPN tunnel subnet" to the pfSense LAN IP. That will hide the OpenVPN tunnel network addresses from the inside router.

:) Work for me.