NAT destination into IPsec VPN



  • Hi,

    I'm used to other firewall vendors (CheckPoint, WatchGuard) and this is the first time I use PFSense because we want to implement it on AWS.

    I have one main site with a CheckPoint firewall and internal network 10.1.0.0/16
    AWS site with PFSense has internal network 10.2.0.0/16

    One working IPsec tunnel is set up between those sites.

    From the PFSense side, I would like to NAT main site (10.2.0.0/16) to 10.3.0.0/16, so I can ping 10.3.0.1 from AWS and reach 10.1.0.1 on main site.

    How must I do this?

    • Must I use the IPsec wizard?
        It's not clear to me what does the NAT/BINAT translation.
        Does it NAT the source or the destination network?

    • Must I use a 1-to-1 rule?
        Still not clear about the source or destination NAT.
        Also, about the interface:
      --    Is it where the NAT applies?
      --    Is it where the traffic must come in to match the NAT rule?
      --    Is it where the traffic must go out to match the NAT rule?

    I'm a little bit confused about all of this, given my experience with other vendors.

    Can you explain it to me?



  • Hi,

    A little refresh on this post.
    The topology I want to achieve is in attachment.

    I tried BINAT in VPN with no success.
    I also tried port forwarding, but no way to translate to a network range. Only possible with a single IP…

    Can someone help me?




  • Hi,

    Could someone answer?

    Is it possible with PFSense at least?
    Or must I turn to enterprise solutions?


  • LAYER 8 Netgate

    Pretty sure that NAT will have to be done on the other side.

    BINAT in a phase 2 translates the network on your side as it appears to the other side. You would set up a Phase 2 for 10.2.0.0/16 to 10.3.0.0/16. They would NAT it from 10.3.0.0/16 to 10.1.0.0/16.
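An added example, not from this thread and not pfSense's own code: a small model of what a 1:1 network-to-network translation (BINAT) does to an address, using the three networks from the thread. It walks the reply's arrangement through both directions, with the 10.3.0.0/16 to 10.1.0.0/16 mapping done on the main-site side and pfSense's phase 2 simply carrying 10.2.0.0/16 to 10.3.0.0/16, and separately shows what pfSense's own phase-2 BINAT field does (it re-addresses the local network, not the remote one). The 10.9.0.0/16 network used for that last part is a hypothetical value chosen for illustration, not anything from the thread.

```python
"""
Added example (not from the forum thread, not pfSense code): a model of
1:1 network-to-network translation (BINAT) with the addresses from the
thread. All addresses are constructed sample values.
"""
import ipaddress

# Networks from the thread
AWS_LOCAL = "10.2.0.0/16"      # behind pfSense (AWS)
MAIN_LOCAL = "10.1.0.0/16"     # behind the CheckPoint (main site)
MAIN_AS_SEEN = "10.3.0.0/16"   # how AWS should address the main site

# Hypothetical value for the pfSense-side BINAT demonstration only
HYPOTHETICAL_PFSENSE_BINAT = "10.9.0.0/16"


def binat(addr: str, from_net: str, to_net: str) -> str:
    """1:1 translate addr from from_net into to_net, preserving host bits.

    A BINAT is a pure prefix swap, so both networks must have the same
    prefix length. Addresses outside from_net are returned unchanged.
    """
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=True)
    dst = ipaddress.ip_network(to_net, strict=True)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("BINAT needs equal prefix lengths on both networks")
    if ip not in src:
        return addr
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def forward_path(src: str, dst: str):
    """AWS host -> main-site host, as the reply lays it out.

    pfSense phase 2: local 10.2.0.0/16, remote 10.3.0.0/16, no BINAT.
    Returns None if the packet does not match the phase-2 selectors
    (it would not enter the tunnel at all). Otherwise returns the
    (src, dst) pair after the main-site side's destination NAT.
    """
    p2_local = ipaddress.ip_network(AWS_LOCAL)
    p2_remote = ipaddress.ip_network(MAIN_AS_SEEN)
    if (ipaddress.ip_address(src) not in p2_local
            or ipaddress.ip_address(dst) not in p2_remote):
        return None
    # Main-site side: destination NAT 10.3.0.0/16 -> 10.1.0.0/16
    return (src, binat(dst, MAIN_AS_SEEN, MAIN_LOCAL))


def return_path(src: str, dst: str):
    """Reply from a main-site host back to AWS.

    The main-site side must source-NAT 10.1.0.0/16 -> 10.3.0.0/16 so the
    reply matches the 10.2.0.0/16 <-> 10.3.0.0/16 security association.
    """
    return (binat(src, MAIN_LOCAL, MAIN_AS_SEEN), dst)


def pfsense_binat_view(local_addr: str) -> str:
    """What pfSense's phase-2 NAT/BINAT field does: the LOCAL network
    (10.2.0.0/16) is presented to the far side as the BINAT network.
    Uses the hypothetical 10.9.0.0/16; it does not touch the remote side.
    """
    return binat(local_addr, AWS_LOCAL, HYPOTHETICAL_PFSENSE_BINAT)


if __name__ == "__main__":
    print("ping 10.3.0.1 from 10.2.0.5 ->", forward_path("10.2.0.5", "10.3.0.1"))
    print("reply from 10.1.0.1          ->", return_path("10.1.0.1", "10.2.0.5"))
    print("ping 10.1.0.1 directly       ->", forward_path("10.2.0.5", "10.1.0.1"))
    print("10.2.0.5 as seen with pfSense BINAT ->", pfsense_binat_view("10.2.0.5"))
```

Running it shows the point of the reply: the AWS host's packet to 10.3.0.1 is carried unchanged by pfSense and only becomes 10.1.0.1 after the main-site side translates it, the reply is re-sourced to 10.3.0.1 there so it fits the tunnel selectors, a packet sent straight to 10.1.0.1 never matches the phase 2, and pfSense's own BINAT field only changes how 10.2.0.0/16 appears to the far side.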

