PFSense 2.1 feature question: NAT before IPsec (1:1 or many:1) outbound

  • Hello,

    Noticed with the release of 2.1 there is a new feature "NAT before IPsec (1:1 or many:1) outbound". If I'm interpreting this feature correctly, I think this may mean I can run one box under 2.1 instead of two as we are with 2.0.1.

    The reason we have two PFsense boxes is that we need to do NAT over the IPSEC VPN. Our servers have private IPs, but the other end of the IPSEC VPN only supports public IPs, so the extra PF box just does NAT as a workaround for the IPSEC VPN, because it doesn't support public IPs at the endpoints.

    Can 2.1 now do what we want with one box?

    Best Regards,


  • Rebel Alliance Developer Netgate

    Most likely, yes, it can be done on a single box. In practice it depends on exactly how you need to handle inbound connections (if there are any).

    If you NAT everyone to a single public IP inside the tunnel and all of the connections go from you to the far side, then it works fine. If you need to do port forwards on that public IP back to hosts inside your network, then maybe not.
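To make the distinction in the answer concrete, here is an illustrative pf.conf fragment (added here, not from the thread or from pfSense's generated rules) showing the two translation shapes the feature name refers to, applied on the IPsec interface. The interface name `enc0`, the networks 10.10.0.0/24 and 172.16.50.0/24, and the public addresses 203.0.113.10 and 203.0.113.5 are assumed sample values; the far side of the tunnel must have the translated public address, not the private LAN, in its Phase 2 selectors.

```pf
# Illustrative pf.conf fragment (assumed names and addresses, not pfSense's own output)
ipsec_if   = "enc0"            # pf sees IPsec traffic on the enc interface
lan_net    = "10.10.0.0/24"    # our private servers (assumed)
remote_net = "172.16.50.0/24"  # far side of the tunnel (assumed)
nat_pub    = "203.0.113.10"    # the single public IP the far end expects (assumed)

# many:1 - every LAN host leaving through the tunnel appears as one public IP.
# "nat" is one-way: state is created by outbound connections only, so the far
# side cannot initiate a connection to a specific LAN host through this rule.
nat on $ipsec_if from $lan_net to $remote_net -> $nat_pub

# 1:1 - a single host is mapped to its own public IP.
# "binat" is bidirectional, so the far side can reach 10.10.0.5 by connecting
# to 203.0.113.5; this is the case where inbound connections still work.
binat on $ipsec_if from 10.10.0.5 to $remote_net -> 203.0.113.5

# Inbound to the shared many:1 address needs an explicit redirect per service,
# which is why port forwards on that IP need separate handling.
rdr on $ipsec_if proto tcp from $remote_net to $nat_pub port 443 -> 10.10.0.20 port 443
```

The practical check is the Phase 2 definition: with many:1 the local network offered to the peer is the translated address (a /32 here), and with 1:1 it is the translated address of each mapped host, so the peer's selectors must match those rather than the real LAN range.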
