IPSec No traffic passed from LAN but traffic passed from router

  • I have an IPsec tunnel set up between my WAN IP -> WAN IP in pfSense. If I ping the remote WAN IP from the router I can pass traffic as expected; however, from the LAN I cannot pass any traffic to the far-side WAN.

    Current Config:
    PFSense 2.0 Beta 5
    Router WAN 173.x.x.x
    Router LAN
    Router IPSec Config
    Remote Gateway 67.x.x.x
    Local Subnet 173.x.x.x/28
    Remote Subnet 206.x.x.x/24

    Trying to do LANPC(192.168.50.x) --> PFSense( --> IPSec(206.x.x.x) = No Traffic

    PFSense(cmd ping -S 173.x.x.x 206.x.x.x) --> IPSec(206.x.x.x) = Traffic
    PFSense(cmd ping -S 206.x.x.x) --> IPSec(206.x.x.x) = No Traffic

    I am thinking I will need to add an additional NIC and a new pfSense box that is not NAT'ing, bring the connection up on that box, and then add a rule on the NAT'ing box to point to that interface when I need to talk to the remote WAN. I am not sure if that is the right way to go, or if I can somehow do this inside this single config.

    Any help would be awesome.
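
    The behaviour described in this post (traffic sourced from the WAN /28 enters the tunnel, traffic sourced from the LAN does not) is what an IPsec phase 2 selector produces: a packet is only steered into the tunnel when its source falls inside the local subnet *and* its destination inside the remote subnet; anything else follows the normal routing table. The following is an added illustration of that selector check, not pfSense code or anything posted in the thread. The addresses are constructed stand-ins for the masked ones above (173.x.x.x/28, 206.x.x.x/24, 192.168.50.x), and `with_lan_selector` is a hypothetical helper showing one way a second phase 2 entry covering the LAN would change the result (assuming the remote peer is configured to accept that subnet).

```python
"""Added example: IPsec phase 2 (SPD) selector matching, illustrating why
LAN-sourced packets were not entering the tunnel. Not pfSense code; all
networks below are constructed stand-ins for the masked addresses in the post.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]  # (local subnet, remote subnet) of one phase 2 entry

# Constructed stand-ins for the post's phase 2 configuration.
P2_LOCAL = ipaddress.ip_network("173.0.0.0/28")    # "Local Subnet 173.x.x.x/28"
P2_REMOTE = ipaddress.ip_network("206.0.0.0/24")   # "Remote Subnet 206.x.x.x/24"
LAN = ipaddress.ip_network("192.168.50.0/24")      # "LANPC(192.168.50.x)"

POLICIES: List[Policy] = [(P2_LOCAL, P2_REMOTE)]


def matches_phase2(src: str, dst: str, policy: Policy) -> bool:
    """A flow is sent into the tunnel only when BOTH its source lies in the
    phase 2 local selector AND its destination lies in the remote selector."""
    local, remote = policy
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def select_path(src: str, dst: str, policies: List[Policy]) -> str:
    """Return 'ipsec' if any phase 2 selector covers the flow, otherwise 'wan'
    (the packet just follows the routing table, i.e. the default gateway)."""
    return "ipsec" if any(matches_phase2(src, dst, p) for p in policies) else "wan"


def with_lan_selector(policies: List[Policy]) -> List[Policy]:
    """Hypothetical fix: add a second phase 2 whose local selector is the LAN
    itself (assumption: the remote side accepts that subnet as well)."""
    return policies + [(LAN, P2_REMOTE)]


if __name__ == "__main__":
    # The three probes from the post, in order.
    print(select_path("192.168.50.10", "206.0.0.5", POLICIES))  # LAN -> remote: "wan"
    print(select_path("173.0.0.2", "206.0.0.5", POLICIES))      # ping -S WAN addr: "ipsec"
    print(select_path("206.0.0.9", "206.0.0.5", POLICIES))      # ping -S remote addr: "wan"
    # With a LAN selector added, the LAN host matches the tunnel.
    print(select_path("192.168.50.10", "206.0.0.5", with_lan_selector(POLICIES)))
```

    The same reasoning explains the workaround that closes the thread: a second box whose WAN is itself the local selector, reached over a /30 link and a gateway rule on the first router, makes every LAN packet arrive at the tunnel endpoint with a source the peer already accepts. Whichever approach is used, a packet capture on the LAN interface plus one on the IPsec interface is the quickest way to confirm whether the selector is the problem.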


  • Have you set up a rule under IPsec to allow all traffic?

  • I do have a rule set up; however, it is still not passing any traffic if the traffic originates from the LAN interface. It only passes if the traffic is generated from the pfSense box itself.

  • How are your NAT rules set up?

  • Rebel Alliance Developer Netgate

    Is the pfSense box the gateway for the systems on LAN? If you do a packet capture on LAN, do you see the traffic from the local machines coming in on LAN and still not hitting the tunnel?

  • That is correct, the pfSense box is the gateway for the LAN.

    Config was (pfSense box):
    NIC1 WAN1 -- VPN to Public Network
    NIC2 WAN2 -- Load Balance to WAN1
    NIC3 LAN -- Internal Network

    Yes, I was able to see the packets on the LAN side, but they always tried to go out the WAN1 interface, not the IPsec tunnel. I have added a 2nd pfSense box now and it's working as expected.

    New Config

    Original Box
    NIC1 = WAN1 (/28 Network Public)
    NIC2 = WAN2 (/28 Network Public)
    NIC3 = VPN Link (/30 Network Public)
    NIC4 = LAN (/24 Network Internal)

    2nd Box
    NIC1 = WAN1 / VPN Public (/28 Network Public)
    NIC2 = VPN Link to 1st Server (/30 Network Public)

    Now, when I send traffic to that subnet, a rule I added sends all traffic out VPNGW on the 1st router; it passes it to the VPN box (2nd router), which then passes it along to the VPN subnet as expected.