Remote Office IPSEC with NAT

  • Hi there (there is a link below to a crudely drawn network diagram).

    I followed a couple of the step-by-steps on the pfSense site, and read a lot in the forums, but I’m still having one problem. See the network diagram. First, although I can’t explain why, I cannot make changes to “Router A” at this time. I am trying to set up connectivity for a new remote office at location C. I have created Router B, which has one foot in the subnet and one foot in the public internet with a static IP. Router A has many subnets attached, all routed with various rules in a reasonably high security environment. Normally the users are in the subnet, but they often traverse to the subnet (there are no ACLs between the two subnets).

    I have created an IPsec tunnel between Router B and C. Anything attached to the subnet can access anything on the subnet, and the reverse is also true. I have created a static route on Router A to send anything destined for to

    There is a static route on Router B pointing anything destined for to . Router B can access stuff on the subnet; however, any device on the subnet cannot even ping Router B’s LAN interface.

    Additionally, nothing on the subnet can get to the subnet.

    I need things on the subnet to be able to get to the subnet.

    On Router B, I have three gateways, the Public IP #2 defined as its WANGW, another gateway called “10dotgw” pointing to, and a “remoteoff” gateway pointing at (its own LAN interface). Routes (as mentioned) exist for the using the 10dotgw and using the remoteoff gateway.

    On Router C I have two gateways, the default WAN (DHCP) and “tunnel” pointing to (its own LAN interface). Routes on C are using “tunnel” and also using “tunnel”.

    I have Manual NAT set on both Router B and C. On Router B I have added an outbound NAT rule for using the equivalent of an any/any using the LAN address as the NAT address. On Router C I have the same, but the source is

    For firewall rules, I have any/any rules for both the LAN and IPsec, and just for good measure, I created a floating rule equivalent to an any-any.

    What it comes down to is I am obviously missing something, but I can’t figure out why I can ping from Router B to the subnet, but I can’t ping the interface from that subnet. I think I need a NAT rule on Router B and maybe a different route, I’m just not sure what it should look like.

    And then secondly, I don’t know how to set up access from the subnet to the , but I suspect that if I answer the question above, this might just start working.

    Please let me know if I can provide any more information.

    With regards,