PfSense VPN router behind a Tomato router

  • Quick summery of what im trying to accomplish
    Im testing a Netgate pfSense router at home and wish to connect it behind my Shibby Tomato router as not to disrupt my normal home network set up. The VPN will be connected to my corporate location. I have configured the tunnel and have it working if the pfSense router is the gateway. The issue I have now is when I put the pfSense router behind my home tomato router, the VPN on both ends shows connected but I cannot ping the corporate network from the workstation at home I have connected to the pfSense router likewise from corporate to the pfSense subnet.

    Overview of network
    Motorola DOCSIS 3.0 Modem (

    Router 1 "Gateway" (
    Shibby Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Big-VPN
    Static Route to pfSense router
    Destination Gateway / Next Hop Subnet Mask Metric Interface 0 br0 (LAN)
    I have also put in a DMZ in hope to open op all ports to the pfSense router
    NAT is set to ALL > MASQUERADE
    DHCP for the network and DNS is handled by my Windows server for the devices in my home.

    Router 2 "pfSense" (LAN
    WAN IP
    DHCP scope -
    1 Workstation connected to the LAN (
    VPN to corporate shows a connection in pfSense on both ends but can not assess or ping either way
    Corporate is fine as it the other locations currently have a working VPN and I connect fine when the pfSense router is the gateway.
    Firewall has been opened to allow ANY connection on the WAN

    I can ping from the network to the network
    I can ping from the network to the network
    I CAN NOT ping from the network to the network (corporate)

    netstat -rn from the pfSense router
    Routing tables

    Destination Gateway Flags Refs Use Netif Expire
    default UGS 0 347005 re1 link#3 U 0 800027 re2 link#3 UHS 0 0 lo0 link#14 UH 0 36 lo0
    173.XXX.64.XXX UGHS 0 5273 re1 link#2 U 0 19842 re1 link#2 UHS 0 0 lo0

    Destination Gateway Flags Netif Expire
    ::1 ::1 UH lo0
    fe80::%re0/64 link#1 U re0
    fe80::20d:b9ff:fe33:8758%re0 link#1 UHS lo0
    fe80::%re1/64 link#2 U re1
    fe80::9644:52ff:fea6:e6f3%re1 link#2 UHS lo0
    fe80::%re2/64 link#3 U re2
    fe80::20d:b9ff:fe33:875a%re2 link#3 UHS lo0
    fe80::%lo0/64 link#14 U lo0
    fe80::1%lo0 link#14 UHS lo0
    ff01::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
    ff01::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
    ff01::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
    ff01::%lo0/32 ::1 U lo0
    ff02::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
    ff02::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
    ff02::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
    ff02::%lo0/32 ::1 U lo0

    netstat -rn from the Tomato router
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface UH 0 0 0 vlan2 UG 0 0 0 br0 U 0 0 0 br0 U 0 0 0 vlan2 U 0 0 0 lo UG 0 0 0 vlan2

    VPN is IPsec and as I said the testing pfSense router and the Corporate pfsense router show the VPN tunnel is connnected

    So now im suck. I thought the static route would allow packets through to the pfSense router but no luck. Im thinking its a NAT issue but im not sure. Any help would be appreciated. Thanks.

  • I am having a similar problem, however my IPSec tunnel shows up on the "remote/host" pfSense box, but not on the "local/client".  On the client, I am behind a Cisco DPC3825 so I can't take it out of the loop and make the pfSense box the 1st smart device on the network.

    Even when the remote shows the tunnel up, I do not see a route to my local network in the routing table.  The local network does not have a route to the host.  I know the local network tries to use the tunnel because when I do a traceroute to the remote network it hits the firewall and then gets * * *.  When I disable the tunnel the traceroute goes out the front door.

    In the client log, I see bi-directional communication with the host on ports 500 and 4500.  There are no errors, but no traffic.

  • It looks like it is working now; had to turn off NAT on the IPSec interface because of the double NATting.  Failed to mention that client is running 2.2-Alpha an host is 2.1.4.  2.2 has a V1 or V2 option for IKE.  I was using V2 it needs to be V1.  Also, the IPSec widget on 2.2 does not report the tunnel up, when it is.  Even when the tunnels are up neither end shows a route in the routing table.

Log in to reply