VPN between pfSense and dynamic client



  • Hi,

    I have a question: I want to do an IPsec connection between my firewall and a mobile client, which could be behind a NAT. The question is, is this possible, because pfSense doesn't support NAT traversal? Or is there any other way to do this?

    crave



  • Yep, it works great. The issue with NAT traversal is a client side one. In my case my router (Buffalo something, can't remember) has an option for IPSec NAT passthrough. Once I turned that on, I could dial out to my pfsense server at work without any problems.

    There's a tutorial explaining how to set up pfsense with a mobile client. It's from the perspective of connecting 2 pfsense boxes, but I had no trouble getting it to work with a 3com VPN router.



  • But a router would have an official IP; my problem is I would connect a notebook with an installed IPsec client behind a (NAT) router!



  • I connect from behind my pfSense box to my VPN and 3 others at this time with no issue. Give us a little more detail. That might be more helpful in getting to the root of your problem.



  • This is the situation:

    On one site there is my pfSense, and I would connect to it with my notebook, e.g. if I connect to the internet from another internet access point, I would be able to access my LAN.

    crave



  • OK, given your wording I'm still not entirely sure of your problem. It sounds like you're asking this:

    1. You have your pfsense server set up "normally", with a static IP.
    2. You want to connect to it via IPSEC, from other places, like home or an internet cafe.

    As I said, the configuration issue is with the router you are behind, when you're at home or at the cafe. It's not a question of the router's IP, it's the IPSEC NAT settings. If the router has been configured to pass IPSEC through the NAT, then it will work fine. Otherwise, no luck. That's a limitation with IPSEC, it's not NAT friendly, so the router your laptop is behind must be configured to pass IPSEC through NAT unhindered. Most routers have this option, some older ones won't.
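The "not NAT friendly" point in the reply above is what IPsec NAT traversal (NAT-T) addresses: during IKE each peer sends a hash of the address and port it thinks it is using, the other side recomputes it over what actually arrived, and a mismatch reveals a NAT, after which ESP is carried inside UDP port 4500. This is an added example in Python, not code from the thread or from pfSense; the SPIs and addresses are constructed.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data (RFC 7296, section 2.23):
    SHA-1 over SPIi | SPIr | IP address | UDP port, in network byte order.
    IKEv1's NAT-D payload (RFC 3947) uses the same construction with the ISAKMP cookies."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(spi_i, spi_r, claimed_ip, claimed_port, observed_ip, observed_port) -> bool:
    """The sender hashes the address and port it believes it is using; the receiver
    recomputes the hash over the source address and port it actually saw on the wire.
    Any mismatch means a NAT rewrote the packet in transit, so the peers move to
    UDP port 4500 and wrap ESP in UDP (RFC 3948), which a NAT can map like any UDP flow."""
    advertised = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    recomputed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return advertised != recomputed


def demo():
    # Constructed values: an initiator SPI and the all-zero responder SPI used in
    # the IKE_SA_INIT request; addresses are documentation ranges, not real hosts.
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes(8)
    # Notebook at a cafe: private address 192.168.1.20:500, NAT rewrites it to 203.0.113.7:31337.
    behind_nat = nat_detected(spi_i, spi_r, "192.168.1.20", 500, "203.0.113.7", 31337)
    # Client with a public address: what it sent and what pfSense sees agree.
    direct = nat_detected(spi_i, spi_r, "198.51.100.5", 500, "198.51.100.5", 500)
    return behind_nat, direct


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Without NAT-T, a bare ESP packet has no port numbers for the home router to track, which is why an "IPsec passthrough" setting on that router is the only alternative.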

