Netgate Discussion Forum

    Cannot establish connection on two-way comms like SSH on Phase 2 VIP attached to LAN IP using NAT 1:1

General pfSense Questions

RaulChiarella:

      Hello there!

As the title says, I cannot establish a connection for two-way comms like SSH on a Phase 2 VIP attached to the LAN IP using NAT 1:1.

Phase 1 and Phase 2 are UP.
Phase 2 Remote IP is 192.168.1.248 and Local IP is 172.16.250.10 (VIP).

I created a NAT 1:1 on both the LAN interface and the IPsec interface, which says:
      External IP 172.16.250.10 (VIP...)
      Internal IP 192.192.168.1.253 (Actual pfSense IP)


      To test this out I am trying only SSH at the moment.
      I created two rules on the Firewall, one for ICMP and one for SSH.

ICMP works fine - not sure why.
Here are the rule and the Packet Capture, respectively, of the ICMP and the SSH:

      Rules:


Packet Capture of the ICMP - blurred some info because I am not sure what it is for...:


And here is a Packet Capture of an SSH attempt, which is unsuccessful, with both a telnet test and the SSH test itself in the log:


As you can see, pfSense did not respond like it did for the ICMP.
This also happens even if I allow all rules on IPsec and LAN, and it also happens with other services like the Zabbix ports. For clarification: yes, SSH is enabled.

I also want to inform you beforehand that I created a static route for IN → OUT (which works fine).


      I went here because I am really out of ideas and need some help.
      Can someone give me some light on this?

      Thank you.

stephenw10 (Netgate Administrator):

You can't NAT on an IPsec tunnel like that. If you need to NAT you have to use the BINAT field in the Phase 2 setup.

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

        Assuming this is a policy based tunnel (not VTI).

        Steve

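An added example, not code from this thread or from Netgate: a small audit that reads a pfSense config.xml export and flags 1:1 NAT rules bound to the IPsec interface whose external address sits inside a Phase 2 local ID that has no NAT/BINAT set, which is the misconfiguration Steve points at. The config.xml element names (`<nat><onetoone>`, `<ipsec><phase2>`, `<localid>`, `<natlocalid>`) and the `enc0` interface name are assumptions about the export format, and the sample config is constructed to mirror the addresses in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample modelled on the thread: Phase 2 local ID is the VIP
# 172.16.250.10, remote is 192.168.1.248, and a 1:1 NAT rule on the IPsec
# interface maps the VIP to the real LAN address 192.168.1.253 (no BINAT set).
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase2>
      <ikeid>1</ikeid>
      <localid><type>address</type><address>172.16.250.10</address></localid>
      <remoteid><type>address</type><address>192.168.1.248</address></remoteid>
    </phase2>
  </ipsec>
  <nat>
    <onetoone>
      <interface>enc0</interface>
      <external>172.16.250.10</external>
      <source><address>192.168.1.253</address></source>
    </onetoone>
  </nat>
</pfsense>"""

def _id_to_network(idnode):
    """<localid>/<natlocalid> -> ip_network; None for address-less IDs (type "lan")."""
    addr = idnode.findtext("address")
    if addr is None:
        return None
    if idnode.findtext("type") == "network":
        return ipaddress.ip_network(f"{addr}/{idnode.findtext('netbits')}", strict=False)
    return ipaddress.ip_network(addr)  # type "address": a single host

def find_ipsec_onetoone_misuse(config_xml):
    """Flag 1:1 NAT rules on the IPsec interface whose external address lies in a
    Phase 2 local ID that has no NAT/BINAT (<natlocalid>) configured."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind("./nat/onetoone"):
        if rule.findtext("interface") != "enc0":  # assumed IPsec interface name
            continue
        external = ipaddress.ip_address(rule.findtext("external"))
        internal = rule.findtext("source/address")
        for ph2 in root.iterfind("./ipsec/phase2"):
            if ph2.find("natlocalid") is not None:
                continue  # Phase 2 already carries a NAT/BINAT translation
            local_net = _id_to_network(ph2.find("localid"))
            if local_net is not None and external in local_net:
                findings.append({"phase2_ikeid": ph2.findtext("ikeid"),
                                 "external": str(external), "internal": internal,
                                 "fix": f"remove the 1:1 rule; set Phase 2 NAT/BINAT to {internal}"})
    return findings
```

Running `find_ipsec_onetoone_misuse(SAMPLE_CONFIG)` returns one finding for Phase 2 ikeid 1; adding a `<natlocalid>` to that Phase 2 clears it.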
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.