pfSense with NAT + IPsec pinging in one direction only

  • Hi,

    Sorry if this has already been asked and solved, but I just can't seem to find the answer...

    Here's my setup: 2 pfSenses with an IPsec tunnel between them.

    The first has 3 interfaces: WAN, Demo and Inside. WAN goes to the wide and woolly internet and has a NAT on it, Demo is a set of machines that are accessible through the WAN NAT, and Inside points into my network and also has a NAT on it.

    The second has two interfaces, WAN and Inside, with multiple networks hiding behind a router attached to Inside...

    The IPsec tunnel goes from #1 Inside to #2 WAN, comes up, and I can ping from the #2 local network to addresses on #1 Demo.
    I cannot ping in the reverse direction... weird, as if ICMP can normally flow in one direction and get back, then it should flow the other way too >:(

    So a little more on my setup: #1 has 3 interfaces. WAN has a default gateway that points out to the internet, Inside has a default gateway that points to a router inside my network, and Demo does not have a default gateway defined. The systems on the Demo interface have their default gateway pointed at the IP address of the Demo interface.

    When I do a traceroute from the systems attached to Demo to a network that lives on the other side of the IPsec VPN, pfSense #1 is trying to resolve that network through the WAN interface, which to me seems to be broken, as I would have thought that pfSense should know that that network is locally attached at the other end of the VPN...

    Addressing...

    #1 WAN is x.y.z.a and points to x.y.z.1, LAN is, Demo is
    The systems on #1 Demo are through 100 with a default gateway of
    #2 WAN is with default gateway, LAN is with default gateway
    There is a device that lives at that can ping through to, but can't return the favour and ping the device at
    The IPsec VPN goes between #1 LAN @ and #2 WAN @ with the map showing -->
    Of course the reverse is the reverse... with map -->
    The tunnel comes up and, like I said, I can ping from to

    What am I missing?
    Is it the default gateway on #1 Demo? Is it a static route, which I've tried but doesn't seem to make any difference?
    Is it because the IPsec VPN on #1 Inside is on the other side of the NAT and therefore I need to set up a virtual IP, and if so, how the heck can I ping inbound and get an answer?

    Pulling my hair out now...


  • A quick update: moving the ICMP filter above the TCP/UDP filter resolved the problem and now traffic goes both ways.

    Now for another twist: I added a second IPsec tunnel to and now I'm back to the same type of symptoms on this link. But a little more strange...

    From a workstation at I can ping all the time; if I stop that and ping, the ping never gets through the VPN... Now if I start a ping from and let it run for a while, then all of a sudden the reverse ping starts to work... If I stop the reverse and ping, stop it and then ping, it doesn't complete, and then after about 30-40 secs it starts again.

    Could this be an ARP problem, a routing problem, or an IPsec tunnel problem?
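The fix reported in the update above (moving the ICMP rule above the TCP/UDP rule) is consistent with how pfSense evaluates interface rules: top-down, first match wins, with an implicit default deny at the end. A pass rule that sits below a broader rule matching the same traffic never fires. The block below is an added example, not code from the thread or from pfSense itself: a small first-match evaluator plus a check for rules that an earlier rule completely shadows. The addresses (192.0.2.0/24 for the Demo segment, 198.51.100.0/24 for the remote site, both RFC 5737 documentation ranges) and the rule set, in particular the catch-all block rule that hides the ICMP rule, are constructed assumptions; the post does not show the actual rules, so this is one ordering that reproduces the symptom, not a claim about the poster's configuration.

```python
"""
First-match evaluation of an ordered firewall rule set (the model pfSense
applies to interface rules), plus a check for rules that can never fire.
All addresses and rules below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "icmp", "tcp", "udp", "tcp/udp" or "any"
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    label: str

    def protos(self) -> set:
        return set(self.proto.split("/"))

    def matches(self, proto: str, src: str, dst: str) -> bool:
        """True if a packet with this protocol/source/destination hits the rule."""
        if self.proto != "any" and proto not in self.protos():
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def first_match(rules: List[Rule], proto: str, src: str, dst: str) -> Optional[Tuple[int, Rule]]:
    """Top-down walk; the first matching rule decides. None means the implicit default deny."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src, dst):
            return idx, rule
    return None


def verdict(rules: List[Rule], proto: str, src: str, dst: str) -> str:
    """Human-readable outcome of first_match for one packet."""
    hit = first_match(rules, proto, src, dst)
    if hit is None:
        return "block (implicit default deny)"
    idx, rule = hit
    return f"{rule.action} by rule {idx}: {rule.label}"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already match `outer`."""
    proto_ok = outer.proto == "any" or (inner.proto != "any" and inner.protos() <= outer.protos())
    return (proto_ok
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that an earlier rule completely hides, so they never fire."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed placeholders (RFC 5737 documentation ranges), not the poster's real addresses.
DEMO_NET = "192.0.2.0/24"        # hosts behind pfSense #1 "Demo"
REMOTE_NET = "198.51.100.0/24"   # network behind pfSense #2, reached over IPsec
DEMO_HOST, REMOTE_HOST = "192.0.2.10", "198.51.100.20"

# Hypothetical ordering that reproduces one-way ping: the ICMP pass rule sits
# below a catch-all block, so ICMP from Demo is blocked before it is reached.
RULES_BEFORE = [
    Rule("pass",  "tcp/udp", DEMO_NET, REMOTE_NET,  "TCP/UDP to remote site"),
    Rule("block", "any",     DEMO_NET, "0.0.0.0/0", "deny everything else from Demo"),
    Rule("pass",  "icmp",    DEMO_NET, REMOTE_NET,  "ICMP to remote site"),
]

# Same rules with ICMP moved to the top, as in the update in the thread.
RULES_AFTER = [RULES_BEFORE[2], RULES_BEFORE[0], RULES_BEFORE[1]]

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"{name}: ICMP {DEMO_HOST} -> {REMOTE_HOST}: "
              f"{verdict(rules, 'icmp', DEMO_HOST, REMOTE_HOST)}")
        print(f"{name}: shadowed rule indices: {shadowed(rules)}")
```

Run as a script it prints the verdict for an echo request from the Demo host under both orderings and lists any shadowed rule. The `shadowed` check is the part worth keeping around: a pass rule reported there is dead, and dragging it above the rule that covers it is exactly the change that made the first tunnel work in both directions.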