pfSense NAT 1:1 with Static IP not working

Hello all,

We have a Netgate appliance at a customer. It has two ISPs. For this particular instance, we only care about ISP A.

On our LAN Port 1, we have a customer device, I believe it’s a Meraki for their vendor.

Their AutoVPN works fine. But they want an IPsec site-to-site VPN set up for their cloud server.

When plugging the Meraki in place of the Netgate, it works. But behind the Netgate, with NAT 1:1 for the static IP, it does not work. It does reflect the proper public IP if they do a "What's my IP" check. Internet and everything else works as well. But for some reason, it won't route the IPsec traffic.

IPsec (IKE) does not handle NAT well, especially with 1:1 NAT. Even though the Meraki appears to have a public IP, pfSense still performs stateful NAT and packet inspection, which can interfere with ESP.

You have 3 options:

  • Option 1: Enable NAT-T on the Meraki (Preferred)
  • Option 2: Disable 1:1 NAT and Use Manual Outbound NAT Rules
  • Option 3: Use “Static Port” Outbound NAT for Meraki
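To make the NAT-T point concrete, here is an added example (not code from this thread or from pfSense/Meraki) that models the IKEv2 NAT detection exchange from RFC 7296 section 2.23: each peer hashes the IKE SPIs together with the IP address and UDP port it believes it is sending from, and the other side recomputes that hash over what actually arrived. A peer whose interface holds a private address behind 1:1 NAT still fails that check, because the address was rewritten even if the port was kept, so the peers only move ESP into UDP/4500 if both have NAT-T enabled. The SPIs, addresses (RFC 5737 ranges), the `model_nat` translation and the mapping of scenarios onto the three options above are constructed assumptions for illustration.

```python
"""Added example, not from the thread: IKEv2 NAT detection (RFC 7296 s2.23)
and what it implies for a peer sitting behind 1:1 NAT on pfSense.
All SPIs, addresses and the NAT model below are constructed test values."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE without NAT-T
NAT_T_PORT = 4500   # IKE and ESP-in-UDP after a NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Value carried in NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP:
    SHA-1(SPIi | SPIr | IP address | port). SPIr is all zeros in the
    initiator's IKE_SA_INIT request, since the responder has not picked one."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    addr = ipaddress.ip_address(ip).packed   # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """Receiver-side check: recompute the hash over the source address and
    port observed in the IP/UDP headers and compare with the hash the sender
    put in the payload. Any rewrite of either field shows up as a mismatch."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)
    return sent != seen


def model_nat(src_ip: str, src_port: int, inside_ip: str, outside_ip: str,
              static_port: bool) -> tuple:
    """Hypothetical NAT model (assumption, not pfSense's actual rule engine):
    the inside host's address is always rewritten to the public one; the
    source port is preserved only when static port is in effect."""
    if src_ip != inside_ip:
        return src_ip, src_port
    return outside_ip, (src_port if static_port else 61234)  # constructed ephemeral port


def negotiate_transport(nat_seen: bool, initiator_nat_t: bool, responder_nat_t: bool) -> str:
    """What carries ESP after IKE_SA_INIT. The float to UDP/4500 happens only
    when a NAT was detected and both peers included NAT_DETECTION payloads."""
    if nat_seen and initiator_nat_t and responder_nat_t:
        return "ESP-in-UDP/4500"     # NAT-T: ESP gets UDP ports, stateful NAT can track it
    return "ESP (IP proto 50)"       # no ports at all: depends on the NAT passing proto 50 intact


def run_scenarios() -> dict:
    """Constructed scenarios for the Meraki (192.168.1.10 inside, 203.0.113.10
    public) talking to a cloud peer. Returns {name: (nat_detected, transport)}."""
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                            # zero in the first message
    inside, public = "192.168.1.10", "203.0.113.10"
    results = {}

    # Meraki plugged straight into the ISP line: it sends from the public IP,
    # the peer sees the same address and port, no NAT detected, raw ESP is fine.
    ip, port = public, IKE_PORT
    seen = nat_detected(spi_i, spi_r, public, IKE_PORT, ip, port)
    results["direct_on_isp"] = (seen, negotiate_transport(seen, True, True))

    # Behind 1:1 NAT with the port kept (Option 3 style): the port matches but the
    # address does not, so NAT is still detected; with NAT-T on both sides the
    # peers float to UDP/4500 (Option 1).
    ip, port = model_nat(inside, IKE_PORT, inside, public, static_port=True)
    seen = nat_detected(spi_i, spi_r, inside, IKE_PORT, ip, port)
    results["one_to_one_natt"] = (seen, negotiate_transport(seen, True, True))

    # Same NAT, but NAT-T disabled on the Meraki: NAT is detected yet the SA
    # falls back to raw ESP, which pfSense must pass and track as protocol 50.
    results["one_to_one_no_natt"] = (seen, negotiate_transport(seen, False, True))

    # Port-rewriting outbound NAT without static port: both fields differ.
    ip, port = model_nat(inside, IKE_PORT, inside, public, static_port=False)
    seen = nat_detected(spi_i, spi_r, inside, IKE_PORT, ip, port)
    results["outbound_random_port"] = (seen, negotiate_transport(seen, True, True))
    return results


if __name__ == "__main__":
    for name, (nat_seen, transport) in run_scenarios().items():
        print(f"{name:22s} nat_detected={nat_seen!s:5s} carrier={transport}")
```

The practical reading of the model: keeping the source port (Option 3) does not by itself stop the peer from detecting a NAT, because the address changed; it only keeps IKE on a predictable port. Whether ESP then travels as protocol 50 or inside UDP/4500 is decided by NAT-T support on both ends, and if it stays as protocol 50 the firewall in front of the Meraki has to permit and state-track that protocol rather than a UDP port.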

Thanks for the options. Haven't tried Option 1 or 2, but Option 3 did not seem to work fully.