pfSense IPSec + Manual Outbound NAT - No Traffic via VIP
-
Hi,
I'm facing an issue where traffic doesn't pass through an IPSec tunnel despite Phase 1 and 2 being up.
Setup:
LAN Host: 172.16.0.25/22
VIP: 172.16.3.13 (IP Alias on LAN, added in Phase 2)
Phase 2 Local: 172.16.3.13/32
Phase 2 Remote: 192.168.31.4/32
Outbound NAT Settings (Manual Mode)
Interface: LAN
Source: 172.16.0.25/32
Source Port: *
Destination: 192.168.31.4/32
Destination Port: *
NAT Address: 172.16.3.13 (VIP)
NAT Port: *
Static Port: Enabled/Disabled, tried both
Problem:
Tunnel up, but no traffic (0 bytes in/out)
Remote peer expects traffic from 172.16.3.13 and has it whitelisted
From pfSense Diag --> Ping --> I can ping 192.168.31.4 using Source as 172.16.3.13 (VIP)
From 172.16.0.25 I cannot ping; packet capture shows no NATing
Firewall Rules:
LAN Interface Rule:
Source: 172.16.0.25
Destination: 192.168.31.4
Protocol: Any
Action: Pass
IPSec Interface Rule:
Source: 172.16.3.13
Destination: 192.168.31.4
Protocol: Any
Action: Pass
-
@enthu19 said in pfSense IPSec + Manual Outbound NAT - No Traffic via VIP:
Outbound NAT Settings (Manual Mode)
Interface: LAN
Source: 172.16.0.25/32
This outbound NAT rule is pretty useless, since it is defined on the interface which the source is connected to. Hence this rule's conditions will never match.
Outbound NAT rules have to be defined on the outgoing interface. Anyway, this cannot be solved with an outbound NAT rule, so you can safely remove it.
@enthu19 said in pfSense IPSec + Manual Outbound NAT - No Traffic via VIP:
Setup:
LAN Host: 172.16.0.25/22
VIP: 172.16.3.13 (IP Alias on LAN, added in Phase 2)
Also remove the VIP. It isn't needed here.
Phase 2 Local: 172.16.3.13/32
Phase 2 Remote: 192.168.31.4/32
Remote peer expects traffic from 172.16.3.13 and has it whitelisted
Edit the phase 2:
local network: address > 172.16.0.25
BINAT: address > 172.16.3.13
-
Big thanks @viragomann. Your BINAT insight was the missing puzzle piece: tunnel's up, traffic's flowing, and packets are happy. Much appreciated!