Tunnel with VIP NATed to local IP

    Hi,

    I have configured an IPsec tunnel between a pfSense 2.0 box on my side and a Cisco router on the customer's side:

    My local IP <-> local pfSense (WAN ) <-> remote pfSense (WAN ) <-> Customer's remote IP

    Obviously the IP addresses and are not the real ones.
    The tunnel has worked without any problem up to now.

    The problem is the following. The customer told me that their security policies no longer permit using the private networks and as remote subnets for the tunnel.

    He asked me to use another public IP as remote LAN and to NAT that IP to the internal IP.
    This is what he did on his side:

    My remote IP <-> my pfSense <-> remote pfSense (WAN ) <-> remote IP -> NATed to IP

    In other words, when I open an RDP connection to the remote IP , the connection is forwarded to

    I have one more public IP available (), but I cannot figure out how to do it on my side.

    1. Do I have to create a Virtual IP on the WAN interface for my second public IP? If so, do I have to choose "Proxy ARP" or "IP Alias"?
      It seems that I cannot use the WAN interface as my local network. In fact, if I go to the Status -> IPsec page, I am not able to start the tunnel: there is no "play" icon.

    2. Once the tunnel is up, how do I forward all the traffic from to the local IP ? I am very confused about which rules I have to work with (WAN, LAN, IPsec?) together with the NAT 1:1 configuration.

    I have tried many ways, but without success.
    Any help will be appreciated.
    Thanks in advance.
