IpSec pass thru ports

  • Can someone tell me what ports are automatically created when "Automatic outbound NAT rule generation (IPsec passthrough included)" is enabled?  Presume this means that IpSec pass-thru requires an outbound Nat rule if set to Manual.  Already have a rule "WAN,any,,,,WAN address,,NO".

    Need to provide pass-thru of a few IpSec tunnels from Wan to Lan. It's the AT&T MicroCell debacle I'm trying to troubleshoot.  Microcells worked fine through the Snapgear SG580 applicance that PfSense recently replaced.


  • Determined an IpSec pass-thru solution to support AT&T microcell's behind a PfSense NAT, ver 2.1RC2.

    • Goto System, Advanced, Firewall, uncheck the "Disabled the PF scrubbing option…"
    • Add a WAN rule proto UDP from any to any dst port 500 (ISAKMP).
    • Add a WAN rule proto UDP from any to any dst port 4500 (Ipsec NAT-T).

    Hope this helps others.

  • Just another helpful tip should anyone encounter it.

    If you use the NTP service, and it stalls, the AT&T MicroCell will stop working, but the Sprint MicroCell will keep working.  Apparently AT&T's unit demands a time sync.  The NTP service might say it's running but a packet capture will show a flood of unanswered port 123 traffic on the LAN.

    How did the NTP service stop working, you ask?  Since NTP service beats Unbound to the clock on bootup, NTP never starts unless manually started. The log reports, NTP could not resolve hostname.  So I figure I'll use an IP addy for the NTP server address so it won't have to resolve.  Well can you believe time.nist.gov IP addy changed a couple days ago?  This locked up the NTP service, which broke all Microcells on the network.

    Nice eh…

    ver 2.1R-64b

Log in to reply