Netgate Discussion Forum

    2 Clients Connecting from Same Public IP Fail

    • D
      Deadringers
      last edited by Deadringers

      Hi,

      I have pfSense set up as a VPN endpoint; it's working fantastically and is super fast to connect, etc...

      However if I have 2 client machines on the SAME LAN/IP, they can't both connect at the same time.

      To explain what I mean:

      At a DC today, I connected my laptop to the WiFi and was given a .222 and .223 address for my phone/mac respectively.

      They both show the same public IP & Port however on the status page: https://pfsense.internal.DOMAIN.com/status_ipsec.php

      [screenshot of the IPsec status page]

      So looking at the above... I don't expect them to work like this as only one of the clients can claim source port 4500 & destination port 4500.

      Is there a way around this, or is it a limitation of IPSec?

      • D
        Deadringers
        last edited by

        Hmm the plot thickens on this....

        When on Mobile Data today, my iPhone decided to use a random source port of 19604...

        So it might have been the router/fw/edge device at the DC earlier which decided to map the source ports of outgoing IPSec to 4500?

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Do you have hybrid or manual outbound NAT rules that set up a static source port for 4500? That shouldn't be necessary and may be interfering with the clients.

          NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.


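A small model of the failure jimp describes, added here as an illustration (not pfSense code and not from either poster): two LAN hosts behind one NAT each start NAT-T on UDP 4500 to the same endpoint. A NAT that preserves the source port (pf's static-port behaviour, or a "helper" doing the same) produces two identical public 5-tuples, so the second client gets no usable mapping, while a NAT that randomises the source port lets the responder tell the two peers apart. All addresses are constructed sample values.

```python
"""Model of the NAT-T source-port collision discussed in this thread.
Added illustration only: not pfSense code and not from either poster."""
from dataclasses import dataclass, field
import random

NAT_T_PORT = 4500  # UDP port used by IKE/ESP once NAT traversal is detected


@dataclass
class Nat:
    """Minimal port-translating NAT. preserve_source_port models a
    'static-port' outbound NAT rule; otherwise a random port is picked."""
    public_ip: str
    preserve_source_port: bool
    table: dict = field(default_factory=dict)  # (priv_ip, priv_port, dst) -> public port
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def translate(self, priv_ip, priv_port, dst):
        key = (priv_ip, priv_port, dst)
        if key in self.table:                      # existing flow, reuse its mapping
            return (self.public_ip, self.table[key])
        in_use = {p for (_, _, d), p in self.table.items() if d == dst}
        if self.preserve_source_port:
            if priv_port in in_use:                # second host wants the same public 5-tuple
                return None
            pub_port = priv_port
        else:
            pub_port = self.rng.randrange(1024, 65536)
            while pub_port in in_use:              # keep the public tuple unique per peer
                pub_port = self.rng.randrange(1024, 65536)
        self.table[key] = pub_port
        return (self.public_ip, pub_port)


def peers_seen_by_responder(preserve_source_port):
    """Two LAN hosts (the .222 and .223 machines from the post) each start
    NAT-T to the same pfSense WAN address. Returns, per client, the
    (public_ip, port) the responder sees, or None if the NAT had no mapping."""
    nat = Nat("203.0.113.10", preserve_source_port)    # constructed sample public IP
    pfsense = ("198.51.100.1", NAT_T_PORT)             # constructed sample WAN address
    return [nat.translate(host, NAT_T_PORT, pfsense)
            for host in ("192.168.1.222", "192.168.1.223")]


def responder_can_distinguish(preserve_source_port):
    """True when both clients reach the responder with distinct source tuples."""
    seen = peers_seen_by_responder(preserve_source_port)
    return None not in seen and len(set(seen)) == len(seen)
```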
          • D
            Deadringers @jimp
            last edited by

            @jimp said in 2 Clients Connecting from Same Public IP Fail:

            Do you have hybrid or manual outbound NAT rules that set up a static source port for 4500? That shouldn't be necessary and may be interfering with the clients.

            NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.

            I do not, but I suspect the provider at our DC does?

            Reading up on it, it sounds like they’ve turned on some kind of IPSec pass through / helper feature on their side…which is not helpful!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.