2 Clients Connecting from Same Public IP Fail
-
Hi,
I have pfSense set up as a VPN endpoint; it's working fantastically and is super fast to connect, etc.
However, if I have 2 client machines on the SAME LAN/IP, they can't both connect at the same time.
To explain what I mean:
At a DC today, I connected my laptop to the WiFi and was given a .222 and a .223 address for my phone/Mac respectively.
However, they both show the same public IP & port on the status page: https://pfsense.internal.DOMAIN.com/status_ipsec.php
So looking at the above... I don't expect them to work like this as only one of the clients can claim source port 4500 & destination port 4500.
Is there a way around this, or is it a limitation of IPSec?
-
Hmm, the plot thickens on this...
When on Mobile Data today, my iPhone decided to use a random source port of 19604...
So it might have been the router/fw/edge device at the DC earlier which decided to map the source ports of outgoing IPSec to 4500?
-
Do you have hybrid or manual outbound NAT rules that set up a static source port for 4500? That shouldn't be necessary and may be interfering with the clients.
NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.
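To make the collision described in this thread concrete, here is an added example (not from the forum post or from pfSense itself) that takes a constructed list of IKE SA peers and the public IP:port each arrived from, reports endpoints claimed by more than one peer, and flags public IPs where every NAT-T peer is pinned to UDP 4500, the symptom of an upstream NAT keeping the source port static. The peer identities and addresses are made up; the input shape is an assumption, not the status page's real format.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (peer identity, NAT-T endpoint seen by the firewall).
# Loosely modelled on what an IPsec status page lists per IKE SA; not real data.
SAMPLE_SAS = [
    ("phone@example.invalid",  "203.0.113.10:4500"),   # DC WiFi, port pinned to 4500
    ("mac@example.invalid",    "203.0.113.10:4500"),   # same public IP + same port: collision
    ("phone@example.invalid",  "198.51.100.7:19604"),  # mobile data, randomized NAT-T port
    ("tablet@example.invalid", "198.51.100.7:41002"),  # same public IP, different port: fine
]


def parse_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split an 'ip:port' string into (ip, port). IPv4 only in this example."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_nat_t_collisions(sas: List[Tuple[str, str]]) -> Dict[Tuple[str, int], List[str]]:
    """Return {(public_ip, port): [peers]} for every endpoint claimed by more than one peer.

    Two peers behind one NAT can both use NAT-T only if the NAT gives them
    distinct source ports; a shared (ip, port) pair means one of them loses.
    """
    claimed = defaultdict(list)
    for peer, endpoint in sas:
        claimed[parse_endpoint(endpoint)].append(peer)
    return {ep: peers for ep, peers in claimed.items() if len(peers) > 1}


def pinned_to_4500(sas: List[Tuple[str, str]]) -> List[str]:
    """Public IPs with several peers where every peer arrives from UDP 4500.

    Randomized source ports are what NAT-T expects; all peers from one public IP
    sharing port 4500 points at an upstream NAT or 'IPsec passthrough' helper
    that preserves the source port, which is the condition to investigate.
    """
    ports_by_ip = defaultdict(list)
    for _, endpoint in sas:
        ip, port = parse_endpoint(endpoint)
        ports_by_ip[ip].append(port)
    return sorted(ip for ip, ports in ports_by_ip.items()
                  if len(ports) > 1 and all(p == 4500 for p in ports))


if __name__ == "__main__":
    print("collisions:", find_nat_t_collisions(SAMPLE_SAS))
    print("pinned to 4500:", pinned_to_4500(SAMPLE_SAS))
```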
-
@jimp said in 2 Clients Connecting from Same Public IP Fail:
Do you have hybrid or manual outbound NAT rules that set up a static source port for 4500? That shouldn't be necessary and may be interfering with the clients.
NAT-T works fine with a randomized source port, so having outbound NAT preserve a static source port could break it for multiple clients.
I do not, but I suspect the provider at our DC does?
Reading up on it, it sounds like they've turned on some kind of IPSec pass-through / helper feature on their side... which is not helpful!