• Difference between NAT (port forward) and just open a port

    NAT nat rules
    5
    0 Votes
    5 Posts
    950 Views
    @johnpoz I see. Thanks for your help as well! Appreciated.
  • 0 Votes
    1 Posts
    577 Views
    No one has replied
  • 0 Votes
    6 Posts
    16k Views
    Got it! Thanks so much for your help. I've changed a dozen settings in the last couple of days so it's hard for me to say exactly what did it. The last thing I did before it started working was actually to uncheck the box that says "Force all client-generated IPv4 traffic through the tunnel." And now when I go back in, it shows checked again... hmmm. In any case, it's working now and I hopefully won't ever have to do any troubleshooting ;) Thank you again for taking the time to help me.
  • NAT VLAN through VPN Troubles

    NAT nat vlan vpn headers
    5
    0 Votes
    5 Posts
    853 Views
    @Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file. [image: 1564770848390-untitled.png] mssfix1400_full_cap.pcapng
  • Multiple problems with NAT rule creation UI

    webGUI nat rules web gui
    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    @DavidGA said in Multiple problems with NAT rule creation UI: You apparently can't create NAT rules for destination port ranges. Huh? Sure you can.. [image: 1563275865697-portforwards.png] But yeah, I concur with JeGr: if you were going to do that you would just use a 1:1 NAT. I don't have a Mac to test with, but for sure I could test it with multiple browsers on Windows or Linux. Let me fire up Safari on my iPhone or iPad.. edit: Just fired it up on my iPhone and it works just fine.. When I selected network as the address the box did turn gray, but I just clicked on it and it went white and I could enter stuff..
  • 1:1 NAT over OpenVPN

    NAT openvpn nat ipsec
    1
    0 Votes
    1 Posts
    563 Views
    No one has replied
  • 0 Votes
    1 Posts
    501 Views
    No one has replied
  • 0 Votes
    4 Posts
    4k Views
    First of all, you need to clarify if the pritunl VPN users (while connected) will be "going" out with their 192.168.22.x IP address, or with the IP address of the Pritunl network interface (192.168.226.1). Also, I assume that you have created a Server in pritunl that assigns the 192.168.226.x IP addresses. In that server, you will have to add a route towards the 172.17.172.x network (see below). [image: 1560265449597-b7fc52a1-f8e5-4555-8671-6d04a35c5b5b-image.png] After you do the above, you can start pinging from a VPN user towards your servers. In order to see if the Pritunl VPN user is going out with its assigned IP address (192.168.2226.2) and not with the Pritunl server IP (192.168.226.1), go to Packet Capture in pfSense and check the traffic on the pfSense interface that belongs to the 172.17.172.x network. *I would create an alias for these VPN users and name it "OpenVPN_Users" (alias type is network, with an IP address of 192.168.226.0/24). Then I would go to the firewall rules and add a rule to allow the OpenVPN_Users network towards the 102.17.172.0 network. Not sure if you have to configure the Advanced Settings on that rule, but if you still cannot ping the servers, you may have to go and change the TCP flags to "Any" and the State Type to "sloppy" (see below). [image: 1560264877380-4e012871-d683-4bee-a1e1-8e3c38a6307e-image.png] Also, I assume these VPN users will be having internet access via your pfSense, which means that they will be going to the outside world via the WAN interface. If so, maybe you would have to add a NAT rule, but check first if it works without any NAT rule.
  • NAT over routed VTI

    IPsec ipsec nat
    7
    0 Votes
    7 Posts
    2k Views
    @ngoehring123 said in NAT over routed VTI: @under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti Unfortunately no resolution that I'm aware of. Thanks, similar issues, GRE over IPSEC could work, but too many changes in our application for that for now.
  • pfsense blocking access from other routers clients

    NAT nat port forward
    6
    0 Votes
    6 Posts
    2k Views
    @Grimson said RTFM: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-settings.html#private-networks Thank you Grimson, after Reading The Fine Manual I concluded that since the WAN interface of the pfSense router actually does not have a public IP and has the RFC 1918 IP address 192.168.1.253, I think it is secure from outside attack over the internet even after turning off "Block private networks and loopback addresses", and this is the proper way to configure it and not a workaround. Please correct me if I'm wrong. [image: 1554208890853-wan-if.jpg] [image: 1554208900093-rfc-1918.jpg] Thanks
  • [solved] IPSec concentrator behind a Netgate box

    NAT ipsec nat forwarding
    2
    0 Votes
    2 Posts
    702 Views
    Frankye
    I managed to ... sort of solve it. Netgate support told me to try and put each tunnel on a different internal IP alias. After doing that (and creating the relative NAT and firewall rules on the border box) the second tunnel got up. I still have no idea why this is the case exactly, but I'll take the working tunnel over understanding pfsense's IPSec and/or NAT mechanics for now.
  • Fritzbox as a VoIP phone system in front of pfSense

    Deutsch fritzbox voip sip nat
    16
    0 Votes
    16 Posts
    8k Views
    For me it now also works as described. The line also stays stable while on a call. I can make outgoing calls from my VoIP phone behind pfSense, and theoretically also receive incoming ones. However, that is only possible for about 5 minutes (after the last outgoing call). The same happens when I call the VoIP phone internally from my DECT phone (which is registered directly on the FB). I suspect it is some kind of NAT timeout?
  • Finding devices with hardcoded DNS

    Firewalling nat firewall dns
    3
    0 Votes
    3 Posts
    890 Views
    gniting
    @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!
  • WiFi -> Pf -> Router -> WAN problem

    DHCP and DNS dhcp nat configuration
    1
    0 Votes
    1 Posts
    431 Views
    No one has replied
  • Internal routing of Vlans

    General pfSense Questions vlans nat routing internal
    15
    0 Votes
    15 Posts
    2k Views
    @ak-0 said in Internal routing of Vlans: @Derelict VLANs are created under the physical LAN interface ig0 and the parent interface for these VLANs is ig0. Actually what I want to achieve is that when traffic from the VLANs goes out, it should first reach VLAN gateway >> LAN gateway >> WAN port and should not do VLAN >> WAN port. Tracert should be 1. VLAN IP (192.168.100.1) 2. LAN IP (192.168.10.1) 3. Gateway IP (1.2.3.4) instead of 1. VLAN IP (192.168.100.1) 2. Gateway IP (1.2.3.4). I'm trying to double NAT for VLANs: the first NAT should be internal and then the gateway. @tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on the VLAN. I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.
  • Accessing a printer on another network

    Moved Portuguese nat roteamento dmz
    6
    0 Votes
    6 Posts
    2k Views
    Let's go step by step so I don't mix anything up. From the Net modem (you don't touch this one), the cable goes out of its LAN to the WAN of the pfSense, which (most likely) receives the IP 192.168.0.100, right? On your pfSense's LAN you could change the IP to a different range so as not to mix things up, so let's say you'll set the IP 192.168.25.1. OK? Your second router: disconnect everything from it (even do a reset if you want). Connect your PC to any LAN port of this router and access its settings. Change its IP to 192.168.25.2 and then disable its DHCP function; you will even lose access when it reboots, because since it's no longer handing out IPs your laptop will be left without one, but that's no problem. After it reboots with those two settings done, plug the cable from the pfSense LAN into the router's LAN port and your computer's cable into another available LAN port on the router. That way you will receive the IP from the pfSense and will be able to access the modem's configuration page by typing the IP 192.168.25.2. And done. (I hope hahahahaha)
  • 0 Votes
    26 Posts
    4k Views
    @Konstanti I attach a network diagram of my setup to make it clearer. This is what is weird: when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get any errors, just timeouts. I can access everything on the internal LAN and the internet, except that I cannot log in to certain web services. When I enter my password and press login, it just stalls; the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser. However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the web app. I can also reach the web app from outside my network as I have a reverse proxy (option 3), and this works fine. The reason I want to set up the Mobile IPsec VPN is that I want to close down the reverse proxy I have set up so that I can only access my web services over the VPN and no longer expose them directly to the internet. [image: 1549268967746-7037c544-acec-48e5-bea3-45c0e02ae4b2-image-resized.png]
  • 0 Votes
    2 Posts
    819 Views
    @vistatech said in routing specific packets through IPSEC gre tunnel: 10.1.1.20 Hey, and why is outgoing NAT used? Try disabling it. I have a similar scheme and everything works fine without NAT. The question is: can pfSense ping the host 10.1.1.20?
  • 0 Votes
    6 Posts
    1k Views
    @johnpoz My configuration in System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards is set to "NAT + Proxy", and when I set it to "Pure NAT", I can list the FTP content from the LAN. So it seems to be a solution, as it works. But as I have set up the Squid proxy, perhaps it's not a good idea to set "Pure NAT"? Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?
  • Broken port forwarding

    NAT nat port forward
    15
    0 Votes
    15 Posts
    2k Views
    KOM
    If we all got $1 for every "Gah! pfSense is hacked/broken/whatever!" and it turned out to be a configuration issue, we would all be able to retire.