1 to 1 NAT through IPsec



  • Hi! I'm trying to make my servers on an internal network exit the firewall through an IPsec tunnel with a public IP.

    I work at an ISP and have routed a /27 public network through an IPsec into my pfSense firewall at home. I've previously used FortiGate with policy-routing and virtual ips, but it doesn't seem to work the same way with pfSense.

    On my P2 I've specified the /27 network as local subnet, and 0.0.0.0/0 as remote subnet.

    In NAT 1:1:
    Interface: IPsec
    External IP: xxx.xxx.93.13
    Internal IP: 172.16.0.65
    Destination IP: *

    I had to port forward ICMP with destination xxx.xxx.93.13 to 172.16.0.65 to make my pings (from AWS) show up in tcpdump.
    With NAT-reflection enabled, I can access the server with its public IP locally.

    Outbound NAT is set to manual, with a mapping that says:
    Interface: IPsec
    Source: 172.16.0.65
    Source port: *
    Destination: *
    Destination port: *
    NAT address: xxx.xxx.93.13
    NAT port: *

    Am I missing something? I've tried everything I could think of, and getting pretty frustrated.


Log in to reply