Port forward through site-to-site VPN

  • Hi!

    I'm trying to solve a problem on my setup, and kindly ask your help.

    This is the scenario.

    Site 1

    • Internet connection via 4G/LTE provider, with natted connection
    • pfSense firewall
    • LAN subnet
    • NAS server (

    Site 2

    • Internet connection via fiber provider, with static and public IP address
    • pfSense firewall downstream to providers router ( WAN IP and WAN gateway)
    • LAN subnet

    IPsec VPN

    I've an IPsec tunnel between the two sites, initiated always by Site 1 (because of the dynamic and natted IP).
    The tunnel uses vti mode and a static route on both sides. tunnel IP for Site 1 tunnel IP for Site 2

    With this setup I'm able access correctly resources on both sites from either sites, and also via OpenVPN connection (I connect from internet to Site 2, and I'm able to reach also Site 1).

    Now I need to access directly a resource on Site 1 (a port of the NAS) from the internet, using the public IP of Site 2.

    So, I've created a NAT rule on Site 2 to forward the needed port to the private IP of the NAS on Site 1.
    I've also created an Outbound NAT to masquerade the public IP of the source from the internet, to prevent that Site 1 replies directly via internet, instead from the VPN tunnel and Site 2 IP.

    The setup seems to work and the NAS in Site 1 receives the connection (from the right IP), but the response did not leave the firewall on Site 1.

    No blocked connection are listed in the firewall logs, and this is the States view from both sides (Site 1 on left and Site 2 on right).

    Screenshot 2020-09-24 at 11.42.03.png

    This is the port forward rule:
    Screenshot 2020-09-30 at 18.30.13.png

    And this is the outbound NAT rule:
    Screenshot 2020-09-30 at 18.30.30.png

    Do you have any suggestions?
    I've missed something?

    Thanks in advance!


  • After many many tries, readings, etc....I've solved by switching to an OpenVPN Site-to-site tunnel 👍

  • I have the same issue on my setup but in my case Site 2 does receive the return traffic, it just doesn't translate the destination IP of the return traffic back to the original source IP (the public IP) so the return traffic stops at the Site 2 IPsec interface. I switched from OpenVPN to IPsec because I needed the speed bump so OpenVPN is not a solution for me. Any workarounds to this?

  • @kevindd992002 I've switched to OpenVPN because it seems to be no solution other than routing all the traffic through the VPN tunnel :(

  • @edofede Exactly. They said this is a workaround: https://forum.netgate.com/post/935884 but it's also not working for me. It even further broke the tunnel in terms of routing from either end.