Netgate Discussion Forum

    Can't connect to Pfsense behind NAT.

    9 Posts 2 Posters 2.7k Views
davolia0123:

Hello, I have installed L2TP over IPsec and now from the client side I can't connect to the server behind NAT. Any suggestion?

(attached screenshot: 2016-05-18_1123_001P.png)
johnpoz (LAYER 8 Global Moderator):

Well, did you forward the ports/protocols needed through the NAT device in front of pfSense? Normally for IPsec through a NAT you need NAT-T, which uses port 4500.

Much easier to just use, say, OpenVPN, which is just one port, be it TCP or UDP; that makes it easier to use through a NAT, especially when NAT is being done on both sides (client and server side).

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
davolia0123:

Yes, I forwarded port 4500 on the NAT device. Unfortunately I can't use OpenVPN instead of L2TP. I can attach more files if needed. All my config files are attached.

(attached: configuration screenshots from 2016-05-18 and 2016-05-23)
johnpoz (LAYER 8 Global Moderator):

Where is your phase 1? Did you forward port 500?

What is your client in this? And why can you not use OpenVPN? There are OpenVPN clients for pretty much every OS that I can think of: Windows, Linux, Mac, BSD, Android, iOS, etc.
davolia0123:

The previous last screenshot is Phase 1. In the screenshots you can see that I forward port 500. I created 2 phases, and the first image which I attached is from the client side. I installed from this link: https://doc.pfsense.org/index.php/L2TP/IPsec.

P.S.
I can't set up OpenVPN, because this VPN server will be used for a Counting Cash Machine (they use Windows 2000 or 2003) and they don't support OpenVPN.

(attached screenshot: 2016-05-24_1700.png)
johnpoz (LAYER 8 Global Moderator):

OpenVPN installs and works just fine on 2k and 2k3 machines. As to anyone using 2k or 2k3 still.. WTF?? For a cash machine, I would think their last concern would be VPN anywhere ;)

One thing that jumps out at me is your L2TP server setup: the IP address that is used as the gateway is outside the IP address range you're giving to your clients. You're saying to use 10.20.16.1 as gateway, but your clients' network is 10.20.17/25, and then in your IPsec firewall rules tab your source is 10.20.16, but again it looks like your clients are on 10.20.17/25.

This is a pretty clear walk-through:
https://doc.pfsense.org/index.php/L2TP/IPsec
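The three things questioned in this thread (the NAT device's forwards for IKE and NAT-T, the L2TP gateway sitting outside the client pool, and an IPsec-tab rule whose source does not cover the clients) can be checked mechanically. The sanity check below is an added example, not part of the thread or of pfSense; the sample values are constructed from the posts, and the /24 on the 10.20.16 rule source is an assumption since the post gives no mask.

```python
import ipaddress

# UDP ports the NAT device in front of pfSense must forward to the pfSense WAN:
# 500 for IKE (phase 1) and 4500 for NAT-T, the two ports named in the thread.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}

# Constructed sample mirroring the thread: only 4500 forwarded, gateway
# 10.20.16.1 handed to clients on 10.20.17.0/25, rule source 10.20.16.0/24
# (mask assumed; the post only says "10.20.16").
BROKEN_SETUP = {
    "nat_forwards": {("udp", 4500)},
    "l2tp_gateway": "10.20.16.1",
    "l2tp_client_pool": "10.20.17.0/25",
    "ipsec_rule_sources": ["10.20.16.0/24"],
}

def check_setup(cfg):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []

    # 1. Every required IKE/NAT-T forward must exist on the upstream NAT device.
    for proto, port in sorted(REQUIRED_FORWARDS - set(cfg["nat_forwards"])):
        findings.append(f"NAT device does not forward {proto}/{port} to the pfSense WAN")

    # 2. The gateway address given to L2TP clients must lie inside their pool,
    #    otherwise clients have no on-link route to it.
    pool = ipaddress.ip_network(cfg["l2tp_client_pool"], strict=False)
    gateway = ipaddress.ip_address(cfg["l2tp_gateway"])
    if gateway not in pool:
        findings.append(f"L2TP gateway {gateway} is outside the client pool {pool}")

    # 3. At least one rule on the IPsec tab must have a source that covers the
    #    whole client pool, or client traffic is dropped after the tunnel is up.
    sources = [ipaddress.ip_network(s, strict=False) for s in cfg["ipsec_rule_sources"]]
    if not any(pool.subnet_of(src) for src in sources):
        findings.append(f"no IPsec-tab rule source covers the client pool {pool}")

    return findings

if __name__ == "__main__":
    for line in check_setup(BROKEN_SETUP):
        print("FINDING:", line)
```

Correcting the three items (adding the udp/500 forward, moving the gateway to 10.20.17.1, and using 10.20.17.0/25 as the rule source) makes `check_setup` return an empty list.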
davolia0123:

Sorry, it is Google Translate :D I mean POS terminal. I fixed this issue. When I try to connect to a VPN server not behind NAT, it connects without any problem. But when I try to connect behind NAT, it shows me this error.
davolia0123:

And I configured via this link.
johnpoz (LAYER 8 Global Moderator):

What link? And if you're saying it works when not behind NAT, then clearly it's the device in front of pfSense causing you your grief. I don't understand how it would work with your misconfiguration of the IP and network you're giving your clients.

Don't use NAT would be my suggestion ;) What is doing that NAT in front of pfSense? Do you have the pfSense WAN in a DMZ host sort of setup, or are you forwarding what? IPsec likes that port 500 to be static, for example.