Device behind pfSense LAN (Azure install) can NOT get access to public internet

  • So I thought this would be a fairly simple thing, but I guess Azure network works differently than a physical install. So anyway, my setup is fairly simple. I installed a pfSense VM on Azure with WAN and LAN.

    WAN is on
    LAN is on

    Windows SERVER 2019 is on (same segment as LAN of pfsense)

    A UDR (route table) is set on the subnet with next hop to

    Now, pfsense has no problem at all pinging the or have access to internet at all. But WHY IS Windows Server 2019 NOT able to ping nor get access to internet at all??

    I do have "IP forward" turned "ON" on the LAN interface of pfsense. I did a packet capture both at the LAN and WAN interface of pfsense, I DO SEE the packet from the windows server on both of these interfaces when I try to ping

    So is there something I need to setup more in Azure??

    The funny thing is that I did setup an IPSEC tunnel between this pfsense install and my sonicwall firewall (a physical machine), and I WAS ABLE to ping between the devices at either end of the tunnel. But STILL NO DEVICE behind pfsense LAN interface can ping to ANY PUBLIC IP??

    Any thoughts?

    Any help is GREATLY appreciated!

  • Hi
    I am not using Azure but virtualization over KVM and you could try to disable
    Hardware Checksum Offloading


  • Hello Michael,

    Thank you for the reply but that didn't work. I almost feel this is an Azure/pfsense compatibility issue. So I thought if someone here did get pfsense work on Azure before, maybe they know something simple that needed to be "turned on" in order for this to work?

    Thank you.

  • How did you get pfsense to connect to the internet? I have deployed pfsense in Azure; the only way I can ping/get internet access from pfsense is to assign the WAN nic with a public IP

  • Same problem here,
    I configured pfsense in this way :

    WAN 10Gbase-T <full-duplex>
    LAN 10Gbase-T <full-duplex>

    Azure configuration :
    Route-Default: NEXT HOP
    Route-WAN: NEXT HOP


    Behind pfsense there is a VM with a NIC configured as follow:
    IPv4 Address. . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    From this VM I can't ping any internet address
    From pfSense I can ping all internet hosts.

    Any ideas?

  • Hello epasinetti,

    Try to do an outbound NAT rule in pfsense. It seems Azure will not like if the source IP is not the WAN IP. When a packet goes out public (in Azure VM) it wants the source IP to be same as the interface IP.

    So in your example, if your pfsense WAN interface IP (in Azure) is and if your VM (the one you want to be behind pfsense) LAN IP is You need to setup a NAT rule in pfsense where:

    Port: up to you, you can do wildcard if you like
    NAT Address:

    So what this rule does is everything comes from the VM that tries to go out on the WAN port (internet access) it will turn the source header IP (in the data packet) to (which at that point, Azure would think that the packet is coming from the wan INTERFACE). Which then would allow it to go out.

    I am no Azure expert, maybe someone has a better solution, but this is what I am using now.

    But FYI, in the end, I am no longer using pfsense as the firewall. I am currently using Azure's firewall. I am simply using pfsense so that it can connect IPSEC with other company as Azure's own Virtual gateway is limited in IPSEC capability.

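An added example, not part of the thread: a Python check for the symptom the posts describe, run over `tcpdump -n` text captured on the pfSense WAN interface. It flags internet-bound packets whose source is still a LAN address, meaning no outbound NAT rule translated them; the addresses, capture lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges; any other destination is treated as the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Address pair in `tcpdump -n` output; the trailing .port is optional (ICMP has none).
PAIR = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def unnatted_sources(capture_text, wan_ip):
    """Count internet-bound packets seen on WAN whose source is not the WAN IP."""
    leaked = Counter()
    for line in capture_text.splitlines():
        m = PAIR.search(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines
        src, dst = m.groups()
        if src == wan_ip or dst == wan_ip:
            continue  # already translated, or a reply to a translated packet
        if is_rfc1918(src) and not is_rfc1918(dst):
            leaked[src] += 1  # forwarded out WAN with its LAN address intact
    return dict(leaked)

# Constructed sample: hypothetical WAN IP 10.0.1.4, LAN hosts in 10.0.2.0/24,
# public destinations taken from documentation ranges.
SAMPLE_WAN_IP = "10.0.1.4"
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.0.2.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 40
12:00:02.000212 IP 10.0.2.5 > 198.51.100.7: ICMP echo request, id 1, seq 2, length 40
12:00:03.000323 IP 10.0.1.4.61022 > 203.0.113.9.443: Flags [S], seq 100, win 65535, length 0
12:00:03.020401 IP 203.0.113.9.443 > 10.0.1.4.61022: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:04.000500 ARP, Request who-has 10.0.1.1 tell 10.0.1.4, length 28
12:00:05.000600 IP 10.0.2.6.50000 > 203.0.113.9.53: 4242+ A? example.com. (29)
"""

if __name__ == "__main__":
    for src, n in unnatted_sources(SAMPLE_CAPTURE, SAMPLE_WAN_IP).items():
        print(f"{src}: {n} packet(s) left WAN without source NAT")
```

An empty result on a capture taken while a LAN host pings a public address means every outbound packet already carries the WAN interface address as its source.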