pfSense Site-to-Site OpenVPN with AWS EC2 NAT

cs.chan

Hi ,

I install one pfSense in my VMware (site A) and another one in AWS EC2 (site B).
Both are running very well without site-to-site VPN (OpenVPN).

After creating the site-to-site VPN (OpenVPN) by reference below document, my site A client can route traffic to site B and NAT can be performed. But I did not receive any response from internet. (example: no icmp reply)

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/routing-internet-traffic-through-a-site-to-site-openvpn-connection-in-pfsense-2-1.html)

Packet capture from site B client to pfSense:
19:21:31.370007 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 36872, seq 4, length 64
19:21:31.372936 IP 1.1.1.1 > 172.31.22.148: ICMP echo reply, id 36872, seq 4, length 64
19:21:32.371213 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 36872, seq 5, length 64
19:21:32.374148 IP 1.1.1.1 > 172.31.22.148: ICMP echo reply, id 36872, seq 5, length 64
19:21:33.372501 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 36872, seq 6, length 64
19:21:33.375394 IP 1.1.1.1 > 172.31.22.148: ICMP echo reply, id 36872, seq 6, length 64
19:21:34.373770 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 36872, seq 7, length 64
19:21:34.376651 IP 1.1.1.1 > 172.31.22.148: ICMP echo reply, id 36872, seq 7, length 64
19:21:35.375061 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 36872, seq 8, length 64
19:21:35.377961 IP 1.1.1.1 > 172.31.22.148: ICMP echo reply, id 36872, seq 8, length 64

Packet capture from site A client to site B pfSense: (NAT is ok, but no reply from internet)
19:22:29.057700 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 1, length 64
19:22:30.056591 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 2, length 64
19:22:31.056616 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 3, length 64
19:22:32.056713 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 4, length 64
19:22:33.056606 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 5, length 64
19:22:34.056617 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 6, length 64
19:22:35.056619 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 7, length 64
19:22:36.056759 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 8, length 64
19:22:37.056945 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 9, length 64
19:22:38.056612 IP 172.31.22.148 > 1.1.1.1: ICMP echo request, id 35734, seq 10, length 64

Hope someone can advise this.
Thanks a lot.
Stephen