Azure pfSense ipsec IP Forwarding

  • Hello,

    I have been trying to figure out how to use pfSense in Azure as an IPsec VPN endpoint. I have successfully deployed the single-NIC marketplace pfSense in Azure. After bringing up IPsec... from my local network I can only ping the pfSense interface. I cannot ping any other VMs in Azure that are on the same subnet. Now, from my understanding, this is because Azure VMs cannot change their default gateway. So I believe the recommended solution is to create a route table in Azure to route to the pfSense interface and associate the subnet, and then enable IP Forwarding on the pfSense NIC. As soon as I do this I lose all communication with the Azure VMs and the pfSense appliance in Azure. My configuration is as follows:
    pfsense on prem:
    pfsense in azure:
    ipsec tunnel between the two allowing remote network access.
    From on prem I can only ping azure pfsense interface
    I have added the following WAN firewall rule on azure pfsense:

    Destination: Any

    I have left a packet capture running when I enable the route and can see the Azure Windows VM ( start hitting the WAN interface of the Azure pfSense. Also, when I look at the firewall logs I can see multiple entries showing traffic from being blocked by the WAN Default deny rule IPv4 (1000000103).

    I really appreciate any suggestions.

  • Solved by adding static routes in the Azure pfSense and adding UDR routes for the remote network in the Azure route table....finally!
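The Azure side of the fix described in the reply above, as an added example using the Az PowerShell module (it is not code from the original poster or from pfSense/Azure documentation). Resource group, VNet, subnet and NIC names, the pfSense private IP 10.10.0.4 and the on-prem prefix 192.168.1.0/24 are assumed placeholders; the pfSense static routes mentioned in the reply are set in the pfSense GUI (System > Routing) and are not shown here.

```powershell
# Added example, not from the original thread. Assumed names:
#   resource group "rg-hub", VNet "vnet-hub", subnet "snet-servers",
#   pfSense NIC "pfsense-nic" with private IP 10.10.0.4,
#   on-prem network 192.168.1.0/24 reachable through the IPsec tunnel.
# Requires the Az module (Az.Network) and an active Connect-AzAccount session.

$rg        = "rg-hub"
$vnetName  = "vnet-hub"
$subnet    = "snet-servers"
$nicName   = "pfsense-nic"
$pfsenseIp = "10.10.0.4"
$onPrem    = "192.168.1.0/24"

# 1. Allow the pfSense NIC to forward packets not addressed to itself.
#    Without this, Azure silently drops what the UDR sends to it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. Route table with one UDR: on-prem prefix -> pfSense as a virtual appliance.
#    Only the remote network is steered through pfSense; the subnet's own prefix
#    and the default route keep Azure's system routes, so VM-to-VM and Internet
#    traffic keeps working (routing 0.0.0.0/0 here is what cuts you off).
$location = (Get-AzResourceGroup -Name $rg).Location
$rt = New-AzRouteTable -ResourceGroupName $rg -Name "rt-to-onprem" -Location $location
Add-AzRouteConfig -RouteTable $rt -Name "to-onprem-via-pfsense" `
    -AddressPrefix $onPrem -NextHopType VirtualAppliance -NextHopIpAddress $pfsenseIp | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# 3. Associate the route table with the subnet that holds the Azure VMs.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sn   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $sn.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify on any VM NIC in that subnet that the UDR is now an effective route
#    (replace <vm-nic-name> with a real NIC name).
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName "<vm-nic-name>" |
    Where-Object { $_.AddressPrefix -contains $onPrem } |
    Format-Table Source, AddressPrefix, NextHopType, NextHopIpAddress
```

Once the UDR is in place, traffic from the Azure VMs towards on-prem enters pfSense on its WAN interface, so the pass rule for that traffic has to be on WAN; otherwise it shows up as the "Default deny rule IPv4" blocks seen in the firewall log above.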

