• Hi everyone,

    I've got a problem which I have spent hours trying to figure out but have been unsuccessful.  I hope someone is able to point me in the right direction.

    So here it goes…  :)

    I have two pfSense boxes connected to each other over an IPSEC link, one is at Site A and the other is at Site B, with the following addresses:

    SITE A
    WAN IP:

    SITE B
    WAN IP:

    The IPSEC link between both sites works fine and I am able to access the LANs from either site.  In other words, when I am at Site A I can access everything on  and when I am at Site B I can access everything on .

    So, here is my problem:

    I need to be able to get to a machine with LAN IP port 8080 at Site B from the Internet but from Site A's WAN IP.

    What I have done so far, which has obviously not worked is this:

    1. At Site A, I have created a firewall rule on the WAN interface which allows traffic to port 8080.
    2. At Site A, I have created a NAT rule that forwards traffic from the WAN interface to  port 8080.

    When I browse to, I don't get connected to at Site B and just get a timeout message.

    Thank you in advance.

  • Hi,

    It's not possible. You can see why here

  • Hi kholmqvist,

    Thanks for your message.

    I did indeed see that post a few days ago and I was afraid it was going to be the same for me!  :-\

    Maybe my situation is a bit different than that of the gentleman in that post?  I'm just thinking "out loud" here but..

    • The device which will access from the WAN side will have a known IP address (or a couple from a known pool/subnet) so it won't be

    • The port will always be 8080

    So with these two differences I am hoping I can make it work.

    Again, I could be wrong but I will try and experiment a little with the Phase2 settings and some NAT settings.

    Here's hoping!

  • LAYER 8 Netgate

    You will need phase 2 entries for the "known pool/subnet" between the two sites. Site B will then only be able to access the "known pool/subnet" over IPsec. It will not be able to access it over the internet.

    I just built this and it seems to work. Only tested a port-forwarded ping.

    Or use OpenVPN. It excels at this. All of the talk in that thread about assigned interfaces and reply-to is done and works great.

  • Hi Derelict,

    Thanks for chiming in.

    Yes, I was experimenting with the Phase2 settings and was able to make things work!  :)

    Thanks again everyone for your thoughts and suggestions.

    pfSense rocks!


Log in to reply