IPsec and NAT - pfsense 2.2.4 - both Outbound and Port Forward

    Hi,

    I am sorry if information relating to this issue is already available etc., my searching has not yet turned up answers.

    The history to this question is that I am currently attempting to replace some existing Snapgear routers (which have been through various name changes along the way) with pfsense. To some extent the network architecture is fixed due to the existing equipment, so some of my options are restricted - or will involve significant work to alter a much larger environment.

    Version Info

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    running under VMware ESXi 5.5 with the open-vm-tools-nox11 package

    Outbound NAT

    I have existing IPsec tunnels with a local network of and I need to make sure that all traffic that leaves via the tunnels has a source address within this space. Obviously, traffic that already has a source address from the space is fine; the problem is that traffic coming from somewhere else needs to be Outbound NATed.

    I have to admit that no matter how I read the documentation I can't work out whether the NAT/BINAT option in the IPsec Phase 2 will do what I want. From experimentation it doesn't appear to, but I may have misunderstood how to use this facility.

    The existing infrastructure (SnapGear) permits me to configure an outbound NAT rule and this works exactly as expected. However, with pfsense the Outbound NAT doesn't work - and as far as I can read on the net this is 'normal'.

    Currently I have deployed a 2nd pfsense to do the NAT for me and this does work fine, at the expense of some traffic taking a longer path. Traffic with an 'inappropriate' source address I route to the auxiliary copy of pfsense, which then does the NAT and sends the traffic back.

    Is there some other way to actually arrange for the Outbound NAT of traffic for the destination of the IPsec tunnel within pfsense?

    Inbound NAT

    Looking at traffic that arrives via an IPsec tunnel, I need to Port Forward some traffic. So, for example, if traffic arrives for (continuing the addressing example of the previous info) I want the traffic to go to

    So I add a NAT/Port Forwarding rule for the IPsec interface, specify the mapping from to

    When I test I find that the NAT does take place and the traffic leaves and reaches, which then replies, and the reply reaches pfsense (as shown on a packet capture within pfsense).

    The problem is that the reply does not appear to be un-NATed and return via the IPsec tunnel. In fact I can't find out where the return traffic goes; it doesn't appear in any of the firewall logs as dropped, it just arrives and then 'disappears'.

    Is this sort of Port Forwarding supposed to work for inbound IPsec traffic?

    I don't have a work-around for this issue yet, although I can think of a solution if I restructure my design and use two pfsense firewalls.