IPSec No traffic passed from LAN but traffic passed from router

  • I have an IPSec tunnel set up between my WAN IP –> WAN IP in PFSense. If I ping the remote WAN IP from the router I can pass traffic as expected; however, from the LAN I cannot pass any traffic to the far side WAN.

    Current Config:
    PFSense 2.0 Beta 5
    Router WAN 173.x.x.x
    Router LAN
    Router IPSec Config
    Remote Gateway 67.x.x.x
    Local Subnet 173.x.x.x/28
    Remote Subnet 206.x.x.x/24

    Trying to do LANPC(192.168.50.x) --> PFSense( --> IPSec(206.x.x.x) = No Traffic

    PFSense(cmd ping -S 173.x.x.x 206.x.x.x) --> IPSec(206.x.x.x) = Traffic
    PFSense(cmd ping -S 206.x.x.x) --> IPSec(206.x.x.x) = No Traffic

    I am thinking I will need to add an additional NIC and a new PFSense box that is not NAT'ing, bring the connection up on that box, and then do a rule on the NAT'ing box to point to that interface when I need to talk to the remote WAN, but I am not sure if that is the right way to go or if I can somehow do this inside this single config.

    Any help would be awesome.


  • Have you set up a rule under IPsec to allow all traffic?

  • I do have a rule set up; however, it is still not passing any traffic if the traffic originates from the LAN interface, only if the traffic is generated from the PFSense box itself.

  • How are your NAT rules set up?

  • Rebel Alliance Developer Netgate

    Is the pfSense box the gateway for the systems on LAN? If you do a packet capture on LAN do you see the traffic from the local machines coming in LAN and still not hitting the tunnel?

  • That is correct, the PFSense box is the gateway for the LAN.

    Config was PFSense Box
    NIC1 WAN1 – VPN to Public Network
    NIC2 WAN2 -- Load Balance to WAN1
    NIC3 LAN -- Internal Network

    Yes, I was able to see the packets on the LAN side, but they always tried to go out the WAN1 interface, not the IPSec tunnel. I have added a 2nd PFSense box now and it's working as expected.

    New Config

    Original Box
    NIC1 = WAN1 (/28 Network Public)
    NIC2 = WAN2 (/28 Network Public)
    NIC3 = VPN Link (/30 Network Public)
    NIC4 = LAN (/24 Network Internal)

    2nd Box
    NIC1 = WAN1 / VPN Public (/28 Network Public)
    NIC2 = VPN Link to 1st Server (/30 Network Public)

    Now when I send traffic to that subnet, I have added a rule to send all traffic out VPNGW on the 1st router, and it's passing it to the VPN box (2nd router), then passing it along to the VPN subnet as expected.
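The behaviour reported in this thread (router-sourced pings with `-S 173.x.x.x` enter the tunnel, LAN-sourced packets leave WAN1 instead) is what an IPsec gateway's outbound Security Policy Database (SPD) check produces when the Phase 2 local subnet is the public /28 and not the 192.168.50.x LAN. The script below is an added illustration, not code from the thread or from pfSense: it models the SPD selector match and two generic ways of making LAN traffic match, a second Phase 2 selector for the LAN, or translating the LAN source into the existing selector before the SPD lookup (the second mirrors what the working `ping -S 173.x.x.x` test did). All addresses are constructed placeholders inside the ranges the posters masked, and `nat_then_spd` is a hypothetical helper, not a pfSense setting.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes standing in for the masked ranges in the
# thread (173.x.x.x/28, 206.x.x.x/24, 192.168.50.x). Not the posters' real values.
LAN_NET = "192.168.50.0/24"
WAN_NET = "173.0.0.0/28"
REMOTE_NET = "206.0.0.0/24"

# Phase 2 as the first post configured it: local side is only the public /28.
ORIGINAL_P2 = [(WAN_NET, REMOTE_NET)]

# Fix (a): an additional Phase 2 whose local side is the LAN itself. The remote
# peer must carry the mirror-image selector or it will drop the traffic.
P2_WITH_LAN_SELECTOR = [(WAN_NET, REMOTE_NET), (LAN_NET, REMOTE_NET)]


def spd_lookup(src, dst, phase2):
    """Outbound SPD check (RFC 4301 style): a packet is protected by the tunnel
    only when src is inside a selector's local subnet AND dst is inside its
    remote subnet. Anything else follows the normal routing table, which on
    the poster's box means out WAN1 with outbound NAT applied."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in phase2:
        if s in ip_network(local) and d in ip_network(remote):
            return "ipsec"
    return "wan1"


def nat_then_spd(src, dst, phase2, inside_net, nat_address):
    """Fix (b), hypothetical helper: translate LAN sources to one address that
    already lies inside the existing local selector *before* the SPD check.
    This is the many-to-one case the poster's `ping -S 173.x.x.x` test
    reproduced by hand; a /24 LAN cannot map 1:1 into a /28."""
    s = ip_address(src)
    if s in ip_network(inside_net):
        s = ip_address(nat_address)
    return spd_lookup(str(s), dst, phase2)


def reproduce_thread():
    """Replay the thread's observations and the two fixes; returns a dict of
    which path each packet takes."""
    lan_host, wan_self, remote_host = "192.168.50.10", "173.0.0.5", "206.0.0.20"
    return {
        # LANPC -> remote: 192.168.50.x is not in 173.x/28, so the packet is
        # routed out WAN1 (the "always tried to go out the WAN1 interface" symptom).
        "lan_to_remote": spd_lookup(lan_host, remote_host, ORIGINAL_P2),
        # ping -S 173.x.x.x from the box: both addresses match the selector.
        "ping_from_wan_addr": spd_lookup(wan_self, remote_host, ORIGINAL_P2),
        # Fix (a): LAN selector present, packet enters the tunnel untouched.
        "fix_lan_selector": spd_lookup(lan_host, remote_host, P2_WITH_LAN_SELECTOR),
        # Fix (b): LAN source rewritten to the /28 address, then matches.
        "fix_nat_before_ipsec": nat_then_spd(
            lan_host, remote_host, ORIGINAL_P2, LAN_NET, wan_self
        ),
    }


if __name__ == "__main__":
    for case, path in reproduce_thread().items():
        print(f"{case:24s} -> {path}")
```

The second-box layout the poster ended up with achieves the same outcome by routing: a policy rule sends LAN traffic for 206.x.x.x to the VPN box, whose own selector already covers the source it receives. Whichever approach is used, a packet capture on the outside interface is the quick check: LAN-originated packets should appear as ESP toward 67.x.x.x, not as NATed plaintext leaving WAN1.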
