Netgate Discussion Forum

    Source IP of VPN traffic being changed

Category: IPsec
8 Posts 2 Posters 712 Views
kf4zmt

      I have a routed IPSec tunnel between two pfSense firewalls using vti interfaces. Traffic initiated from the remote 10.34.0.0/24 subnet (see attached diagram) is traversing the tunnel. However, my local pfSense firewall (the one on the right of the diagram) is changing the source IP address of this traffic and replacing it with the IP address of its own LAN interface.

Packet captures taken on vti1 show that the source IP is unchanged when entering the firewall but is being changed upon egressing to my local LAN. I have a second IPSec VPN (not shown in the diagram) that is a policy-based tunnel (no vti interfaces) and the source IP of the ingress traffic from that VPN is NOT being altered. I do not have NAT configured anywhere except for outbound NAT to the Internet.

      I have been unable to determine why this is happening. Any ideas?

      pfSense SNAT Problem-Page-2.drawio.png

viragomann @kf4zmt

        @kf4zmt
Check the outbound NAT. Presumably pfSense has automatically created a rule on the LAN.
        This is the case if you state a gateway in the interface settings.

kf4zmt @viragomann

          @viragomann I think I see what you mean.

          Any idea why this NAT is happening only for traffic coming in from the routed VPN? I have a second IPSec tunnel (policy-based) and the source IPs are not being NATed for traffic coming in over it.

          Is there a way to add a "NO NAT" rule to make it stop NATing the VPN traffic?

viragomann @kf4zmt

            @kf4zmt
            So is there an outbound NAT rule on the internal interface?
I'd expect that it would also NAT other sources in this case.

kf4zmt @viragomann

              @viragomann Yes, an automatic one, and I do have a gateway defined.

              LAN gateway.png

              outbound NAT.png

viragomann @kf4zmt

                @kf4zmt
                Do you need the LAN gateway?
                This option is meant for stating an upstream gateway. For other routing purposes it's sufficient to add a gateway in System > Routing.

kf4zmt @viragomann

                  @viragomann I also just noticed that the subnet (10.50.x.x) associated with remote network from the second IPSec tunnel is not included in the automatic NAT rules.

                  I suppose that would explain why those source IPs aren't being changed.

kf4zmt @viragomann

                    @viragomann I don't know when or why I set that, but I removed it and that appears to have resolved the issue.

                    Thank you!!! I don't think I'd have ever figured this out on my own.

                    LAN gateway2.png
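The behaviour the thread converges on (an automatic outbound NAT rule appearing on LAN once a gateway is set on that interface, the policy-based tunnel's 10.50.x.x network not being listed in its sources, and a "no nat" exception or removal of the gateway stopping the rewrite) can be modelled with a small first-match evaluator. The following is an added example written for this page; it is not code from the thread or from pfSense. It assumes pf's documented top-down, first-match evaluation of translation rules, and the LAN address (192.168.1.1), the 10.50.0.0/16 prefix, the second internal network 10.60.0.0/24 and the exact source list of the automatic rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the thread: the routed (VTI) tunnel's remote subnet,
# and "10.50.x.x" for the policy-based tunnel (prefix length constructed).
ROUTED_VPN_NET = "10.34.0.0/24"
POLICY_VPN_NET = "10.50.0.0/16"

# Constructed values: the local LAN interface address and one more
# internal network that an automatic rule might also list.
LAN_ADDRESS = "192.168.1.1"
OTHER_INTERNAL_NET = "10.60.0.0/24"


@dataclass
class NatRule:
    """One outbound translation rule, kept in pf evaluation order."""
    iface: str                  # egress interface the rule applies to
    sources: List[str]          # source networks (CIDR) it matches
    target: Optional[str]       # translated source, or None for "no nat"
    comment: str = ""


def first_match(rules: List[NatRule], iface: str, src_ip: str) -> Optional[NatRule]:
    """pf evaluates translation rules top-down; the first match decides."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.iface != iface:
            continue
        if any(ip in ipaddress.ip_network(net) for net in rule.sources):
            return rule
    return None


def egress_source(rules: List[NatRule], iface: str, src_ip: str) -> str:
    """Source address a packet leaves with after outbound NAT is applied."""
    rule = first_match(rules, iface, src_ip)
    if rule is None or rule.target is None:   # no rule, or a "no nat" rule
        return src_ip
    return rule.target


def automatic_rules(lan_has_gateway: bool) -> List[NatRule]:
    """Model of what the thread observed: a gateway on LAN produces an
    automatic outbound rule on LAN whose sources cover the routed tunnel's
    network but not the policy-based tunnel's network (source list assumed)."""
    if not lan_has_gateway:
        return []
    return [NatRule("lan", [OTHER_INTERNAL_NET, ROUTED_VPN_NET], LAN_ADDRESS,
                    "automatic rule created because LAN has a gateway")]


def with_no_nat(rules: List[NatRule]) -> List[NatRule]:
    """Manual 'no nat' exception for the VTI traffic placed ahead of the
    automatic rule, so it matches first and suppresses translation."""
    exception = NatRule("lan", [ROUTED_VPN_NET], None, "manual NO NAT exception")
    return [exception] + rules


def scenario() -> dict:
    """Run the four cases the thread walks through and return the results."""
    vti_host, policy_host = "10.34.0.7", "10.50.3.9"
    with_gw = automatic_rules(lan_has_gateway=True)
    return {
        "gateway_set_vti":         egress_source(with_gw, "lan", vti_host),
        "gateway_set_policy":      egress_source(with_gw, "lan", policy_host),
        "gateway_set_no_nat_vti":  egress_source(with_no_nat(with_gw), "lan", vti_host),
        "gateway_removed_vti":     egress_source(automatic_rules(False), "lan", vti_host),
    }


if __name__ == "__main__":
    for case, src in scenario().items():
        print(f"{case:26s} -> packet leaves LAN with source {src}")
```

Running it reproduces the thread: with the LAN gateway set, a 10.34.0.7 packet leaves LAN as 192.168.1.1 while a 10.50.3.9 packet is untouched because its network is not in the automatic rule's sources; either the manual "no nat" exception (which wins under first-match) or removing the gateway, as the poster eventually did, restores the original source address.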

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.