Netgate Discussion Forum
IPSec VTI and Outbound NAT

davecullen86

Hey Team.

I hope someone might be able to help me with the issue I am facing please.

Site 1: pfSense (latest stable)
Site 2: User location

I have VTI configured to a 3rd party location where users reside.
All user Internet traffic from Site 2 is being backhauled to the Site 1 pfSense IPsec VTI.

DST IP: Whatever Internet IP is resolved by DNS at Site 1.
SRC IP: The users' private ranges at Site 2.

I have a transfer network between the pfSense at Site 1 and an upstream SWG (default gateway), so I'd like to "Outbound NAT" all traffic arriving on the IPsec VTI behind the pfSense transfer network interface IP.

Routing is all configured correctly and packets flow as expected to a certain point.

Outbound works great, and response packets arrive at the pfSense transfer interface, but they never get translated back as per the NAT table, as I'd hope and need them to for this to work.

I read on the forum about changing the Filter Mode advanced setting to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic", but this seems to make no difference.

The above was suggested as a valid workaround to others, but other people simply said this isn't achievable with pfSense today. Which is it please? Can someone advise me on this please?

I can provide a PCAP or any config-related info if needed.

Cheers guys.

Dave

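Added illustration (not part of the original post and not config taken from the poster's firewall): the setup described above expressed in the pf.conf syntax of the packet filter underneath pfSense, which pfSense normally generates from the GUI rather than having you write by hand. The interface names (ipsec1 for the assigned VTI, em1 for the transfer network toward the SWG) and the Site 2 range 10.20.0.0/16 are assumptions chosen for the example.

```pf
# Added example in pf.conf syntax; interface names and the Site 2 range are assumed.
vti_if     = "ipsec1"            # assumed: the assigned IPsec VTI interface
xfer_if    = "em1"               # assumed: transfer network toward the upstream SWG
site2_nets = "{ 10.20.0.0/16 }"  # constructed: private range(s) behind Site 2

# Outbound NAT on the transfer interface: Site 2 sources leaving toward the SWG are
# rewritten to the transfer interface address. pf records the translation in the
# state entry it creates, and that state is what un-translates the reply.
nat on $xfer_if inet from $site2_nets to any -> ($xfer_if)

# Let the backhauled traffic in from the VTI and out on the transfer interface.
# Filter rules on $xfer_if see the already-translated source address.
pass in  quick on $vti_if  inet from $site2_nets to any keep state
pass out quick on $xfer_if inet from ($xfer_if)  to any keep state
```

The check worth doing when replies reach the transfer interface but are not translated back: `pfctl -ss` lists the state table, and a working translation shows an entry on the transfer interface whose source is the transfer address mapped back to the Site 2 address. If a capture on em1 (`tcpdump -ni em1`) shows the reply arriving but no matching state exists, the nat rule never matched on the outbound leg and the reply has nothing to be un-translated against.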
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.