Current status of NAT before IPSEC

  • Hi folks,

    What is the current status of NAT before IPSec on a single pfSense box?
    I encounter problems when it comes to that topic.

    Let me give you an example:
    We have several IPSEC connections to customers where we only have a single Phase2 local network ( called VLAN100.
    (It is not an option to add additional Phase2 for us).
    As other local VLANs like VLAN200( want to access the customer systems they can't because the single Phase2 defined is VLAN100.

    My solution was to use "Outbound NAT":
    Source: VLAN200
    NAT to Single IP in  VLAN100 (

    That works fine as long as the IPSEC Tunnel IS NOT on the same pfSense box as the Outbound NAT rule (See Method1).

    But NAT does not work for me if the Outbound NAT and IPSEC Tunnel are on a single pfSense box (See Method2).
    NAT just does not happen.

    Method 1:
    Client VLAN on pfSense, IPSEC on a different box:

      Client PC (VLAN200) -> NAT to VLAN100 IP -> STATIC ROUTE to TARGET Subnet -> Dedicated IPSEC Box -> IPSEC TUNNEL PHASE2 (LOCAL NETWORK) -> TARGET NETWORK
                              ^^ pfSense1 ^^             ^^ pfSense1 ^^              ^^ pfSense2 ^^                 ^^ pfSense2 ^^
                          ^^ Outbound NAT Rule ^^

    Method 2:
    Client VLAN+IPSEC on a single pfSense box:

      Client PC (VLAN200) -> NAT to VLAN100 IP -> IPSEC TUNNEL PHASE2 (LOCAL NETWORK) -> TARGET NETWORK
                              ^^ pfSense1 ^^                ^^ pfSense1 ^^
                          ^^ Outbound NAT Rule ^^

    Is that still a common problem on the current pfSense version?
    All I can find on this topic is ~4-year-old tickets.

    Can someone confirm that this is still a problem or is this just a configuration issue on my side?