<![CDATA[Port Forward from OpenVPN to IPSEC]]>Hi everyone,
Here's the situation: I'm managing a pfSense instance configured with three interfaces - WAN, LAN (192.168.190.0/24), and an OpenVPN setup for roadwarrior clients (172.16.0.0/24 subnet) with routing to the LAN.

I need enabling these OpenVPN clients to connect to a couple of hosts on a remote subnet (10.0.0.0/24), which is connected via IPSec Site-to-Site (S2S) between my pfSense and a firewall (let's call it FW02) owned by another company. Both 172.16.0.0/24 (OVPN) and 10.0.0.0/24 (IPSEC) are connected to the LAN interface (192.168.190.0/24) . There is no direct routing between OVPN and IPSEC. I thought I could link some hosts beetween the two with a Port Forward on the LAN, but so far my configurations have been unsuccessful.
Is a NAT/Port Forward feasible or do I absolutely need to route OVPN subnet through the IPSEC?

Can you please point me in the right direction?
The scheme would be:
OVPN -> LAN -> NAT/PAT -> IPSEC

Thanks

]]>https://forum.netgate.com/topic/183163/port-forward-from-openvpn-to-ipsecRSS for NodeSun, 14 Jun 2026 03:51:43 GMTMon, 02 Oct 2023 12:47:31 GMT60<![CDATA[Reply to Port Forward from OpenVPN to IPSEC on Mon, 02 Oct 2023 19:48:50 GMT]]>@viragomann That Worked!

Thanks a lot ✌

]]>https://forum.netgate.com/post/1128177https://forum.netgate.com/post/1128177Mon, 02 Oct 2023 19:48:50 GMT<![CDATA[Reply to Port Forward from OpenVPN to IPSEC on Mon, 02 Oct 2023 15:06:25 GMT]]>@Sysman said in Port Forward from OpenVPN to IPSEC:

I thought I could link some hosts beetween the two with a Port Forward on the LAN

This might work if also do masquerading on them. But this seems to be a dirty workaround.

Is a NAT/Port Forward feasible or do I absolutely need to route OVPN subnet through the IPSEC?

I assume, you have a policy based IPSec. So yes, it could be routed and natted over an additional LAN host, but the clean solution is to add a phase 2 for the OpenVPN tunnel.

If you cannot make changes the remote site you can try to nat the traffic in an additional phase 2 to an IP out of the LAN subnet, but this isn't accepted by all IPSec implementations.

]]>https://forum.netgate.com/post/1128141https://forum.netgate.com/post/1128141Mon, 02 Oct 2023 15:06:25 GMT