Netgate Discussion Forum

    NAT Before IPSEC Issue

    Category: NAT

    Erik10206:

      I have a pfSense box set up in Azure that I use as an IPsec termination box. It has an active IPsec tunnel that, when on the pfSense CLI, can reach all of the services on the other end of the tunnel. The problem lies with the inbound traffic from the "WAN" interface (labeled AZURE in the diagram). There is an outbound NAT on the LAN so that any traffic destined for the tunnel network on the remote end gets NATed to the LAN's interface IP. In the below screen cap of the states, you can see the external connection come in, get translated, traverse the tunnel, and get replies, but the replies don't go back across the existing NAT.

      States during test:
      [screenshot of the state table, not reproduced]

      Source: 10.8.2.254
      Destination: 192.94.107.32

      Network diag:
      [network diagram, not reproduced]

      I have tried a packet capture on the 3 interfaces. I see the requests and replies on the IPsec interface as the state table indicates. I see the pings coming in on the AZURE interface and no replies, but what is really peculiar is that, with no filters, there are 0 packets on the LAN interface. There is nothing in the firewall logs indicating any blocks, and both the IPsec and LAN interfaces have allow IPv4 any/any rules.

      Something seems to be blocking the response from returning symmetrically on the already existing states once it leaves the IPsec interface. Any thoughts?

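An added example, not from the post above or from the pfSense project: a small Python script that correlates `pfctl -ss` state-table lines per flow, so the inbound half on the entry interface and the NATed outbound half on the exit interface can be checked from a text dump instead of a screenshot. The line format follows what pf prints for `pfctl -ss` (post-translation address first, pre-translation address in parentheses, `<-` for inbound and `->` for outbound states); IPv4 only. The sample lines, interface names (AZURE, enc0) and addresses are constructed for illustration and are assumptions, not the poster's actual state table.

```python
"""Correlate pf state entries per flow from `pfctl -ss` output (IPv4 only)."""
import re
from collections import defaultdict

# One `pfctl -ss` line:
#   <iface> <proto> <addr>[:port] [(<orig addr>[:port])] <-|-> <addr>[:port] <state>
# pf prints the post-translation address first and the pre-translation
# address in parentheses. '->' is an outbound state, '<-' an inbound one.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    rf"(?P<left>{IPV4})(?::(?P<lport>\d+))?"
    rf"(?:\s+\((?P<orig>{IPV4})(?::(?P<oport>\d+))?\))?"
    rf"\s+(?P<dir><-|->)\s+"
    rf"(?P<right>{IPV4})(?::(?P<rport>\d+))?"
    rf"\s+(?P<state>\S+)\s*$"
)

# Constructed sample (assumed interface names and addresses, modelled on the
# post: external client 10.8.2.254 reaching 192.94.107.32 across the tunnel).
SAMPLE = """\
AZURE icmp 192.94.107.32:8 <- 10.8.2.254:8       0:0
enc0 icmp 10.1.0.4:8 (10.8.2.254:8) -> 192.94.107.32:8       0:0
AZURE tcp 192.94.107.32:443 <- 10.8.2.254:51000       ESTABLISHED:ESTABLISHED
all udp 10.1.0.4:123 -> 192.94.107.32:123       SINGLE:MULTIPLE
"""


def parse_states(text):
    """Parse `pfctl -ss` lines into records keyed on the untranslated flow."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # headers, IPv6 or unparseable lines are skipped
        d = m.groupdict()
        left = (d["left"], d["lport"])
        right = (d["right"], d["rport"])
        orig = (d["orig"], d["oport"]) if d["orig"] else None
        if d["dir"] == "->":
            # Outbound: left is our (possibly source-NATed) side, right the peer.
            src, dst = (orig or left), right
        else:
            # Inbound: right is the remote client, left our (possibly rdr'd) dst.
            src, dst = right, (orig or left)
        states.append({
            "iface": d["iface"], "proto": d["proto"], "dir": d["dir"],
            "src": src, "dst": dst,
            "nat": left if orig else None,   # translated address, if any
            "state": d["state"],
        })
    return states


def audit_flows(states):
    """Group states by (proto, src, dst) and classify how each flow is held.

    With pfSense's default interface-bound states, a forwarded flow should
    show one inbound state on the entry interface and one outbound state on
    the exit interface; a flow with only one half is reported as half-open.
    """
    flows = defaultdict(list)
    for s in states:
        flows[(s["proto"], s["src"], s["dst"])].append(s)
    report = {}
    for key, ss in flows.items():
        dirs = {s["dir"] for s in ss}
        if any(s["iface"] == "all" for s in ss):
            status = "floating"      # single state, not bound to an interface
        elif dirs == {"<-", "->"}:
            status = "paired"        # both halves present
        else:
            status = "half-open"     # only entry or only exit side seen
        report[key] = {
            "status": status,
            "ifaces": sorted({s["iface"] for s in ss}),
            "nat": [s["nat"] for s in ss if s["nat"]],
        }
    return report


if __name__ == "__main__":
    for key, info in audit_flows(parse_states(SAMPLE)).items():
        proto, src, dst = key
        print(f"{proto} {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}: "
              f"{info['status']} on {info['ifaces']}, nat={info['nat']}")
```

Run it against a live box with `pfctl -ss | python3 pfstates.py` after replacing `SAMPLE` with `sys.stdin.read()`; a flow reported as paired on two interfaces with a NAT entry shows that the state table itself is consistent, which narrows the problem to what happens to the reply after it leaves the exit interface rather than to a missing state.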
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.