You’re getting into birthday paradox territory, throw a few hundred packets in each direction and one will get through
replyThis hs a good diagram to understand the options
https://rajsinghtech.github.io/claude-diagrams/diagrams/netw...
This is easily solved in your source NAT configuration on pfSense. It's a single checkbox to not randomize ports on outbound flows. This will enable full cone NAT.
replyYou can scope it to just your IPsec service, or whatever it is your hosting, or you can enable full cone for the whole subnet.
It is not DNAT, nor is it port forwarding. If you host a SIP proxy, SBC or peer to peer gaming, it will enable these use cases as well.
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html