[Solved] Port Forwarding over IPsec Issue



  • Hello! I am having trouble port forwarding from one of my pfSense routers over an IPsec S2S to another pfSense router. All of my IPsecs are VTIs with OSPF running on top, and all of my hosts are able to communicate with other hosts correctly. The only issue is that when I port forward from the remote router across the IPsecs, I have to set the default gateway on the local router to the IPsec VTI. If I don't do this, pfSense routes my return traffic out the local Internet connection instead of back over the tunnel. This is a problem because when the router boots, it's not always able to re-establish my tunnels, since it is trying to use those tunnels as a default route. Any workarounds for this yet? I used to use OpenVPN for my S2Ss and it had the same issue.


  • Rebel Alliance Developer Netgate

    That's expected with IPsec, even with VTI. There is no way for the receiving pfSense to know that traffic must return over IPsec. The pf reply-to function doesn't work on VTI interfaces, so the traffic follows the default route.

    The only solutions are to use OpenVPN (assigned OpenVPN interfaces can use reply-to which will return traffic via expected paths) or to proxy the traffic where it enters from the Internet, rather than port forwarding. In that case the request over IPsec appears to come from the firewall and not a remote client.



  • Didn't even think of that. HAProxy configured and working.

    I do have another question though: I have a LAN policy route for everything from the port forwarded host to go back to the remote router. Why do I even need the reply-to?
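The proxy approach suggested above, shown as an added example that is not the poster's configuration and not anything generated by pfSense: a minimal HAProxy TCP-mode frontend and backend in raw haproxy.cfg form (the pfSense HAProxy package builds equivalent configuration from its GUI). The listener port and the remote host address 10.20.0.10 are constructed placeholders. The point it illustrates is why the proxy avoids the return-path problem: HAProxy terminates the inbound connection on the firewall and opens a new one toward the remote host, so the remote host sees the firewall's own address as the source and its reply follows the OSPF-learned route back over the VTI instead of the default route.

```haproxy
# Added example, not the poster's actual configuration.
# Assumed addresses: Internet-facing listener on the local pfSense,
# remote host 10.20.0.10 reachable over the IPsec VTI via OSPF.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Accept the Internet-facing connection here instead of using a NAT port forward.
frontend fe_wan_443
    bind *:443
    default_backend be_remote_site

# HAProxy opens a fresh connection to the remote host. Its source is the
# firewall's own address on the route toward the VTI, so the reply comes
# back over the tunnel rather than following the remote router's default route.
backend be_remote_site
    # Deliberately no "source 0.0.0.0 usesrc clientip": transparent proxying
    # would present the original client IP to the remote host and reintroduce
    # the asymmetric return path the thread describes.
    server site_b 10.20.0.10:443 check
```

A side effect worth checking in the remote host's logs: every connection now appears to come from the local firewall, so per-client logging or access control has to happen on the HAProxy side (or via the PROXY protocol if the backend supports it) rather than on the remote host.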


  • Rebel Alliance Developer Netgate

    A policy routing rule on the LAN only works for connections created by that rule -- new connections leaving the LAN and exiting the firewall (in this case, via IPsec).

    The connections that didn't work are in the opposite direction -- permitted by the rule on the IPsec interface, NOT the rule on LAN. And putting a gateway on that rule would not be valid.

