AWS pfSense Appliance - Internal Subnets Cannot Communicate

  • I have installed and configured the AWS pfSense Appliance in one of my AWS VPCs.


    VPC =

    WAN = uses DHCP; has an EIP; is contained in WANVPN-Subnet
    LAN = uses DHCP; is contained in LANVPN-Subnet

    Source/Dest. Check has been disabled on the pfSense instance

    I have several subnets on the private LAN but for the purposes of this discussion only two are required.

    LAN-Subnet1 =; Contains EC2-1 and EC2-2
    LAN-Subnet2 =; Contains EC2-3

    All three EC2 instances are Debian 9.

    I have a separate Route Table (RT) and Security Groups (SG) for each of the subnets.

    What works:

    VPN from external site to AWS through pfSense is established.

    All 3 EC2s can ssh to one another (had to test this by temporarily adding an EIP to them)

    What is NOT working and what I request HELP with:

    When I ssh from my externally connected VPN site the ssh makes it to one of the EC2 hosts; the host responds; however, the information is not being routed back through the pfSense / VPN tunnel.

    I have tried to add the pfSense interfaces to the AWS routing tables with no luck.

    Does anyone know what I need to do to force the route from the EC2 / LAN-Subnet1 back through the pfSense LAN interface so that it can be returned over the IPsec tunnel?
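The question turns on how the VPC route table attached to LAN-Subnet1 picks a target for the reply packets: AWS evaluates routes by longest prefix match, so a reply addressed to a host behind the remote IPsec site only goes to the pfSense LAN interface if a route for that site's CIDR points at the pfSense LAN ENI; otherwise it follows the default route (or no route at all) and never reaches the tunnel. The following Python snippet is an added illustration of that lookup and is not code from the original post or from pfSense or AWS; every CIDR, the ENI id and the IGW id are constructed placeholders standing in for the values the post leaves out.

```python
"""Longest-prefix-match walk over an AWS-style VPC route table.

Added example, not from the original forum post. All CIDRs and the
eni-/igw- identifiers are constructed placeholders.
"""
import ipaddress

# Constructed values (placeholders; the post does not give the real ones).
VPC_CIDR = "10.0.0.0/16"              # the VPC the pfSense appliance lives in
REMOTE_SITE_CIDR = "192.168.50.0/24"  # LAN behind the remote IPsec peer
PFSENSE_LAN_ENI = "eni-PFSENSE-LAN"   # ENI of the pfSense LAN interface
INTERNET_GATEWAY = "igw-PLACEHOLDER"

# Route table for LAN-Subnet1 as it might look before the fix:
# VPC-local traffic stays local, everything else goes to the IGW.
ROUTES_BEFORE = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", INTERNET_GATEWAY),
]

# Same table with a specific route for the remote site via the
# pfSense LAN ENI (only works because Source/Dest. Check is disabled
# on the pfSense instance, as the post already states).
ROUTES_AFTER = ROUTES_BEFORE + [
    (REMOTE_SITE_CIDR, PFSENSE_LAN_ENI),
]


def lookup(routes, dst):
    """Return the target of the most specific route matching dst, or None.

    Mirrors the VPC rule: among all routes whose CIDR contains the
    destination, the one with the longest prefix wins.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def reply_reaches_tunnel(routes, vpn_client_ip):
    """True if an EC2 reply to vpn_client_ip is handed to the pfSense LAN ENI."""
    return lookup(routes, vpn_client_ip) == PFSENSE_LAN_ENI


def missing_tunnel_routes(routes, remote_cidrs):
    """List remote CIDRs that have no route to the pfSense LAN ENI.

    Useful as a quick audit over a route table dump: every subnet that
    should be reachable over the IPsec tunnel needs such an entry.
    """
    present = {cidr for cidr, target in routes if target == PFSENSE_LAN_ENI}
    return [cidr for cidr in remote_cidrs if cidr not in present]


if __name__ == "__main__":
    client = "192.168.50.10"  # constructed: an ssh client behind the remote peer
    print("before:", lookup(ROUTES_BEFORE, client))   # igw-PLACEHOLDER
    print("after: ", lookup(ROUTES_AFTER, client))    # eni-PFSENSE-LAN
    print("missing:", missing_tunnel_routes(ROUTES_BEFORE, [REMOTE_SITE_CIDR]))
```

The same check applies to the route table of LAN-Subnet2 (and any other private subnet that should answer VPN clients): each one needs its own entry for the remote site's CIDR pointing at the pfSense LAN ENI, since route tables are per subnet.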