Azure pfSense ipsec IP Forwarding



  • Hello,

    I have been trying to figure out how to use pfSense in Azure as an IPsec VPN endpoint. I have successfully deployed the single-NIC marketplace pfSense in Azure. After bringing up IPsec, from my local network I can only ping the pfSense interface. I cannot ping any other VMs in Azure that are on the same subnet. Now, from my understanding, this is because Azure VMs cannot change their default gateway. So I believe the recommended solution is to create a route table in Azure to route 0.0.0.0/0 to the pfSense interface and associate the subnet, and then enable IP Forwarding on the pfSense NIC. As soon as I do this I lose all communication with the Azure VMs and the pfSense appliance in Azure. My configuration is as follows:
    pfSense on-prem: 10.169.169.1/24
    pfSense in Azure: 10.105.0.4/24
    IPsec tunnel between the two allowing remote network access.
    From on-prem I can only ping the Azure pfSense interface 10.105.0.4
    I have added the following WAN firewall rule on the Azure pfSense:

    WAN:
    Source: 10.105.0.4/24
    Destination: Any

    I have left a packet capture running while I enable the 0.0.0.0/0 route and can see the Azure Windows VM (10.105.0.5) start hitting the WAN interface of the Azure pfSense. Also, when I look at the firewall logs I can see multiple entries showing traffic from 10.105.0.5 being blocked by the WAN "Default deny rule IPv4 (1000000103)": 10.105.0.5:50004 40.67.254.36:443

    I really appreciate any suggestions.



  • Solved by adding static routes in the Azure pfSense and adding UDR routes for the remote network in the Azure route table... finally!
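Added illustration, not part of either post above: a small Python model of how Azure picks the effective route for a NIC (longest prefix wins; on an equal prefix length a user-defined route overrides the system route). It uses the addresses from the thread and the two default system routes Azure installs for a VNet NIC (the VNet prefix to VnetLocal, 0.0.0.0/0 to Internet); those system routes and the three route tables are constructed here to reproduce the symptoms described, and the helper names are my own.

```python
"""Model of Azure effective-route selection for one NIC, built to show why a
0.0.0.0/0 UDR toward the pfSense NVA broke the subnet while a UDR covering only
the remote (on-prem) prefix works. Constructed example; addresses are the ones
from the thread, the system routes are Azure's defaults for a VNet NIC.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str            # VnetLocal | Internet | VirtualAppliance
    next_hop_ip: Optional[str]    # only meaningful for VirtualAppliance
    source: str                   # "System" (Azure default) or "User" (a UDR)


def route(prefix: str, hop_type: str, hop_ip: Optional[str] = None,
          source: str = "System") -> Route:
    return Route(ipaddress.ip_network(prefix), hop_type, hop_ip, source)


PFSENSE_AZURE = "10.105.0.4"
WINDOWS_VM = "10.105.0.5"
ONPREM_NET = "10.169.169.0/24"

# Constructed: default system routes for a NIC in the 10.105.0.0/24 VNet.
SYSTEM_ROUTES: List[Route] = [
    route("10.105.0.0/24", "VnetLocal"),
    route("0.0.0.0/0", "Internet"),
]

# First attempt from the thread: send everything to the NVA.
BROKEN_UDR: List[Route] = SYSTEM_ROUTES + [
    route("0.0.0.0/0", "VirtualAppliance", PFSENSE_AZURE, "User"),
]

# What solved it: only the on-prem prefix goes to the NVA.
FIXED_UDR: List[Route] = SYSTEM_ROUTES + [
    route(ONPREM_NET, "VirtualAppliance", PFSENSE_AZURE, "User"),
]


def effective_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match; on a tie a user route overrides a system route."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, r.source == "User"))


def next_hop(dst: str, routes: List[Route]) -> str:
    """Readable next hop, e.g. 'VirtualAppliance 10.105.0.4' or 'Internet'."""
    r = effective_route(dst, routes)
    if r is None:
        return "None"
    if r.next_hop_ip is None:
        return r.next_hop_type
    return f"{r.next_hop_type} {r.next_hop_ip}"


def routes_to_self(nic_ip: str, dst: str, routes: List[Route]) -> bool:
    """True when a NIC's own effective route points back at that NIC. A route
    table is applied to every NIC in the subnet, the NVA's included, so a
    0.0.0.0/0 UDR toward the NVA gives the NVA itself as next hop for its own
    Internet-bound traffic."""
    r = effective_route(dst, routes)
    return (r is not None and r.next_hop_type == "VirtualAppliance"
            and r.next_hop_ip == nic_ip)


def compare(dst: str) -> dict:
    """Next hop for one destination under each of the three route tables."""
    tables = (("system only", SYSTEM_ROUTES),
              ("0.0.0.0/0 UDR", BROKEN_UDR),
              ("10.169.169.0/24 UDR", FIXED_UDR))
    return {name: next_hop(dst, tbl) for name, tbl in tables}


if __name__ == "__main__":
    for dst in ("10.169.169.1", "40.67.254.36", WINDOWS_VM):
        print(dst, compare(dst))
    print("pfSense NIC routes Internet traffic to itself under 0.0.0.0/0 UDR:",
          routes_to_self(PFSENSE_AZURE, "40.67.254.36", BROKEN_UDR))
```

Reading the output against the thread: with only system routes, the Windows VM's replies to 10.169.169.x follow 0.0.0.0/0 to Internet, which is why only the pfSense interface answered pings from on-prem. With the 0.0.0.0/0 UDR, the VM's traffic to 40.67.254.36:443 lands on the pfSense WAN and is dropped by the default deny, which is exactly the logged entry; the same table also applies to the pfSense NIC in that subnet, so its own outbound traffic now points at itself. The /24 UDR sends only on-prem-bound packets to pfSense and leaves everything else on Azure's defaults, which is the usual reason for keeping NVA route prefixes narrow (or giving the NVA its own subnet).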

