Bug #7639

closed

NAT does not work between OpenVPN and IPsec tunnels

Added by Riccardo Paolo Bestetti almost 7 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Interfaces
Target version: -
Start date: 06/09/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.4
Affected Architecture:

Description

Hello,
NAT rules don't get correctly triggered with packets being routed from OpenVPN remote clients to IPsec tunnels.

To reproduce (this is my particular configuration):
  • Interface LAN: 10.42.2.1/16
  • Interface ADSL: 192.168.197.2/30 (behind NAT)
  • IPsec Phase 1 to remote host with Phase 2 from LAN subnet to 192.168.40.124/32
  • OpenVPN remote access server, subnet topology with addresses 10.43.0.0/16
  • Outbound NAT rule on the IPsec interface with 10.43.0.0/16 source and 192.168.40.124/32 as destination, translating to the virtual LAN IP address 10.42.1.11 that I configured on the appropriate page

When OpenVPN clients try to communicate with 192.168.40.124 the firewall logs one of the automatic ADSL rules being triggered. This results in the packets getting dropped.

I noticed this in pre-production, but I also reproduced it in virtual machines a few weeks ago (I'm sorry, I cannot share the virtual machine images because of company policy -- I can help you reproduce the scenario if you need).

I suspect pfSense may be getting confused because NAT on IPsec interfaces is (apparently) handled differently than NAT on other interfaces. As is apparent, using the IPsec NAT configuration options is not enough for this use case.

#1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Not a Bug

NAT for IPsec must be done using P2 NAT entries, not NAT rules.
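As an added illustration (not from the report or from pfSense's own code), the following Python model runs one OpenVPN client packet through the two placements of the translation discussed above. It assumes, as a simplification, that the kernel consults the IPsec SPD on the untranslated source address before any NAT bound to the IPsec interface runs, and that a Phase 2 NAT/BINAT entry also installs an SPD entry for the untranslated network; the client address 10.43.0.5 is constructed.

```python
import ipaddress

# Networks from the report; the NAT address is the virtual LAN IP it mentions.
LAN = ipaddress.ip_network("10.42.0.0/16")
OVPN = ipaddress.ip_network("10.43.0.0/16")
PEER_HOST = ipaddress.ip_network("192.168.40.124/32")
NAT_IP = ipaddress.ip_address("10.42.1.11")

def spd_match(src, dst, spd):
    """Return the first SPD entry whose selectors cover (src, dst), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry["local"] and d in entry["remote"]:
            return entry
    return None

def forward(src, dst, spd, enc0_nat):
    """Simplified outbound path decision (assumption: SPD lookup runs first,
    then pf NAT on the IPsec interface, then ESP encapsulation).
    Returns ("ipsec", source_as_seen_by_peer) or ("default_route", src)."""
    if spd_match(src, dst, spd) is None:
        # No selector covers the original source: the packet never enters the
        # tunnel and follows the routing table, i.e. out the ADSL interface.
        return ("default_route", src)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in enc0_nat:
        if s in rule["src"] and d in rule["dst"]:
            return ("ipsec", str(rule["nat_to"]))
    return ("ipsec", src)

# Setup 1 (the report): P2 selector is LAN <-> peer host; the translation is
# an outbound NAT rule bound to the IPsec interface.
SPD_REPORT = [{"local": LAN, "remote": PEER_HOST}]
NAT_ON_ENC0 = [{"src": OVPN, "dst": PEER_HOST, "nat_to": NAT_IP}]

# Setup 2 (the answer): a P2 NAT/BINAT entry. Assumption: it installs both an
# SPD entry for the untranslated OpenVPN network and the enc0 translation, and
# offers the peer the translated address, which lies inside the LAN selector.
SPD_P2NAT = SPD_REPORT + [{"local": OVPN, "remote": PEER_HOST}]

def compare(client="10.43.0.5", dst="192.168.40.124"):
    """Run one constructed OpenVPN client packet through both setups."""
    return {
        "outbound_nat_rule": forward(client, dst, SPD_REPORT, NAT_ON_ENC0),
        "p2_nat_entry": forward(client, dst, SPD_P2NAT, NAT_ON_ENC0),
    }

if __name__ == "__main__":
    print(compare())
```

With the outbound NAT rule alone the client packet is reported as taking the default route, matching the ADSL rule hits in the description; with the P2 NAT entry it enters the tunnel with source 10.42.1.11.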
