Netgate pfSense certified firewall and VPN Appliance - VPC User Guide

The Netgate pfSense Certified firewall and VPN appliance for Amazon EC2 is a stateful firewall and VPN appliance. In addition to it's capabilities as a VPN gateway and firewall for users and offices, it is capable of acting as a firewall to protect instances providing services in Amazon's Virtual Private Cloud or VPC service. This service differs from the classic EC2 service in that it allows for management of instances on private subnets.

This guide will explain how to launch, manage, and use an instance of the appliance to act as a gateway for other instances in a VPC subnet.

Preparing your VPC:

In order to use a Netgate appliance instance to protect your VPC subnets, you will need the following:

  • One internet-facing subnet, which the Netgate appliance instance will have it's primary/WAN interface connected to.
  • One or more private subnets, which the Netgate appliance instance will have it's secondary/LAN interface (and possibly additional optional interfaces) connected to.
  • Separate routing tables for the internet-facing subnet and the private subnet(s)

If you already have all of these in place with an existing VPC, feel free to skip ahead to Launching an Instance.

These instructions will demonstrate how to create a single private subnet and set it up behind an instance of the Netgate pfSense Certified firewall and VPN appliance. In the Amazon VPC Management Console, create a new VPC, subnets, and routing table(s).

  1. Go to the Your VPCs view in the menu on the left side of the VPC Management Console under the Virtual Private Clouds grouping. Click the Create VPC button.
  2. Create VPC

  3. Enter a CIDR block to use in the box that pops up. If you will connect to hosts in your VPC using a VPN from hosts at other sites in your infrastructure, be sure to select address space that does not conflict with the private address space used elsewhere by your organization. Make sure the block you choose is large enough to contain all subnets you may want to include within it. E.g. if you plan to use a /24 for your internet-facing subnet and a /24 for your private network, the CIDR block you select here will need to be at least a /23 to hold those 2 subnets. The maximum size block you can select is a /16. For the purposes of this example, we will use 10.2.0.0/16. Leave the value of Tenancy set to Default. Click on the Yes, Create button.

    VPC CIDR block

  4. To create the subnets required, go to the Subnets view in the menu on the left side of the VPC Management Console. Click the Create Subnet button. Select the VPC you just created and choose the availability zone you desire. Enter the subnet you wish to use for the internet-facing hosts in the CIDR Block field. This subnet will be the one that the WAN interface of the Netgate appliance instance is attached to and could include any other hosts or appliances that you wish to be available directly from the Internet and not protected behind the Netgate appliance. The subnet you select here must be a block that is within the address space you assigned to the VPC. For this example, we will use 10.2.0.0/24. Click on the Yes, Create button.
  5. Public Subnet

  6. Create the private subnet. Still in the Subnets view of the VPC Management Console, click the Create Subnet button. In the box that pops up, select the appropriate VPC and the same Availability Zone that you assigned to your public subnet. Enter the subnet you wish to use for your private network in the CIDR Block field. This network should be a subnet of the address space you assigned to the VPC and should be distinct from the subnet you assigned to the public subnet. For this example, we will use 10.2.1.0/24. Click on the Yes, Create button
  7. Private Subnet

  8. Both subnets that you created will have been created to use a default route table that was created for the VPC. The private subnet can continue to use that default table. A new route table will need to be created for the public subnet. Go to the Route Tables view in the menu on the left side of the VPC Management Console. The single existing route table should be displayed. Click on the Create Route Table button. Select the VPC and click on the Yes, Create button.
  9. Create Route Table

  10. Associate the public subnet (10.2.0.0/24 in our examples) with the routing table that was just created. Go to the Subnets view on the left hand side of the VPC Management Console. Check the checkbox next to the public subnet and scroll down to look at the Details tab for that subnet. At the top of the Details tab will be listed the CIDR block, VPC, and Availability Zone. Under those items, the Route Table will be listed and will have a link labeled replace next to it. Click on the link. Select the route table in the box that pops up and click on the Yes, Replace button.
  11. Replace Route Table

  12. In order to send traffic from the public subnet to the Internet, we will need to add a default route to an Internet Gateway. We must first create one. Go to the Internet Gateways view in the menu on the left hand side of the VPC Management Console. Click on the Create Internet Gateway button. Click the Yes, Create button on the box that pops up. Click the checkbox next to the new Internet Gateway and then click the Attach to VPC button. Select the VPC and click on the Yes, Attach button.
  13. Attach IG to VPC

  14. The route table for the public subnet will need to be updated so that it has a default route to the Internet Gateway. Go to the Route Tables view on the left hand side of the VPC Management Console. Check the checkbox next to the route table for the public subnet. Under the Routes tab for that route table, there should only be listed a single route for the CIDR block of the VPC (10.2.0.0/16 in our example) that has a target of local. There is a row underneath this route with a text box in the Destination field and a pop up menu for the Target field. Enter 0.0.0.0/0 for the Destination and select the Internet Gateway (should be formatted like igw-XXXXXXXX) for the target. Click on the Add button that appears at the right side of the row. Click the Yes, Add button on the box that pops up.
  15. Add Default Route

There are a few more VPC configuration changes that will be required later, but next you must launch a Netgate appliance instance.

Launching an Instance:

In the Amazon EC2 Management Console, launch a new instance of the Netgate pfSense certified firewall and VPN appliance. This process is the same as the one for launching an EC2 (non-VPC) instance until you reach step 11, which details values that you can enter for the Configure Instance Details screen to specify the instance should be created in your VPC.

  1. Select the region you wish your instance to run in using the tab at the upper right corner of the page.
  2. Region Selection

  3. Launch a new instance by clicking on the Launch Instance button under the Create Instance section of the EC2 dashboard.
  4. Launch Instance

  5. Select AWS Marketplace on the Create a New Instance menu. Type Netgate pfSense certified in the search box and press enter (or click on the Search button next to the text box).
  6. New Instance Wizard

  7. Click on the link for the Netgate pfSense certified firewall and VPN appliance in the search results.
  8. Search Results

  9. Click on the Continue button on the info page for the Netgate pfSense certified firewall and VPN appliance.
  10. Continue Instance Launch

  11. Click on the Launch with EC2 Console tab
  12. Launch with Console

  13. If you haven't previously accepted the license terms, click on the Accept Terms button.
  14. Accept Terms

  15. A message should be displayed indicating that your subscription is being processed.
  16. Subscription Processing

  17. Select the version of the image to run under the popup menu labeled Select a Version. Generally the most recently issued version should be selected. Identify which region you wish to launch the instances in and click on the Launch in EC2 Console button to the right of that region
  18. Select Version and Region

  19. Choose the instance type you wish to run on. Click Next: Configure Instance Details.
  20. Choose Instance Type

  21. On the Configure Instance Details page, under the Network field, select the VPC you created. For the Subnet field that appears right below the Network field, select the public subnet you created earlier. In our examples, this is 10.2.0.0/24.
  22. Configure Instance Details VPC

  23. Scroll down to the Network Interfaces heading. A single interface named eth0 should be displayed by default. Click on the Add Device button underneath eth0. Select the private subnet that was created (10.2.1.0/24 in our example). Pick an IP address within the range of the private subnet and enter it in the IP address field. Keep in mind that the first 3 or 4 IP addresses are reserved. For this example, we will use 10.2.1.5.
  24. Instance Details Network Interfaces

    You can optionally expand the Advanced Details section and set parameters as text in the User Data field. The available options are:

    • password - setting a value via a directive like password=abcdefg will set the password for the administrative account to the value you specify - abcdefg in this example. If no value is set here, a random password will be assigned in order to keep administrative access from being exposed to the internet with a default password.
    • mgmtnet - setting a value via a directive like mgmtnet=10.0.1.0/24 will restrict management access (http, https, ssh) to the network you specify - 10.0.1.0/24 in this example. This will cause the firewall rules on the instance (not on Amazons access lists, but on the Netgate appliance's own firewall) to restrict management traffic for the instance to the specified source network. The default behavior is to allow management from any host.
    • These directives can be set by placing them on a single line in the User Data field and separating them with colons. If you wanted to specify both parameters, you could do this by typing a statement similar to this one:
    password=abcdefg:mgmtnet=10.0.1.0/24
    

    Click Next: Add Storage after optionally setting these parameters.

    Note: If you set a password using the password parameter listed above, the password is retrieved by the instance via an unencrypted HTTP request when the system is configured the first time it boots. The request is made to an Amazon Web Services-operated server on the local LAN that stores metadata about each instance running. The data for an instance is only made available to that instance, but is available to be queried from the instance without providing any authentication credentials. It is advised that you change the admin password via the pfSense web GUI after the instance comes up if you judge this to be an unacceptable security risk. Or you may choose not to set the password at all and let a random password be set.

    Instance Details

  25. Click Next: Tag Instance to accept the Storage Device Configuration.
  26. Storage Devices

  27. Optionally, a tag can be set on the instance to differentiate this instance from other VM's you have started by entering a value for the Name tag. Click Next: Configure Security Group after setting any desired tags.
  28. Instance Details Tags

  29. Select a security group to launch the instance with. The recommended settings for a security group should allow at least the following traffic:
    • TCP port 443 from 0.0.0.0/0 - HTTPS - This is the port that the management web GUI listens on.
    • TCP port 22 from 0.0.0.0/0 - SSH - This port can be used to connect to a command prompt with an ssh client.
    • UDP port 1194 from 0.0.0.0/0 - OpenVPN - The OpenVPN server that is configured by default is bound to this port.
    • UDP port 500 from 0.0.0.0/0 - IKE for IPsec VPN.
    • UDP port 4500 from 0.0.0.0/0 - IPsec/NAT-T for IPsec VPN.

    Security Group

    If you have an existing security group that includes this access, select Select an existing security group, then select the group(s) you want to use and click Continue. Otherwise, select Create a new security group, and add rules for this access by filling in the form for each rule and clicking the Add Rule button. When all of the rules have been added, click Review and Launch.

  30. Verify the details for the instance and click Launch.
  31. Launch Final

  32. Select an existing key pair or create a new key pair to connect to the instance with. Do not select Proceed Without a Key Pair. Click the checkbox that indicates that you acknowledge that you have access to the selected private key file and then click Launch Instance.
  33. SSH key pair

  34. In order to reach your instance from the Internet, you will need to associate an Elastic IP with the WAN interface of the instance. In the VPC Management Console, go to the Elastic IPs view by clicking on Elastic IPs on the left side of the page. Click on the Allocate New Address button. Select that you want the EIP used in VPC and click on the Yes, Allocate button in the box that pops up. After the Elastic IP address is allocated, associate the address with the WAN interface of the Netgate appliance by clicking on the Associate Address button. A box will pop up that will either let you specify the instance and Private IP address of the interface or the Network Interface and the Private IP Address of the interface. Use one of these methods to select the correct interface and click on the Yes, Associate button. You should now be able to reach the instance via ssh or https.
  35. Associate EIP

  36. In order for traffic to be allowed to be routed from the private subnet through the public interface of the instance, the Source/Dest Address Check on the private interfaces needs to be disabled. In the EC2 Management Console, go to the "Network Interfaces" view by clicking on Network Interfaces in the menu on the lefthand side of the page. Click the checkbox to the letft of the private/LAN interface on the Netgate appliance instance. Click on the Actions button at the top of the page and select "Change Source/Desk Check" on the popup menu. Select the radio button labeled "Disabled" on the box that pops up and click on the "Save" button. Non-local traffic from the private subnet should now be sent through the private/LAN interface on the Netgate appliance instance.
  37. Change Source/Dest Check

Managing the Configuration of the Instance:

Once the instance is launched, you can connect to it via the Elastic IP that was attached to the primary interface during the provisioning phase.

In order to manage the configuration of the instance, you can connect to it via https or ssh. To connect via ssh, you would use the key pair you chose while creating the instance to connect to the admin account. From the command line on a Unix/Linux host, you would use a command similar to ssh -i my_key_file admin@public_IP, where the appropriate private key file and public IP or hostname are substituted. In the example below, the key file my_ec2_key is used to connect to the IP address 23.20.204.54. Note that the first time you log into your instance, the ssh key of the instance will not be cached on your computer and you will need to type yes when asked whether you want continue connecting. This should not be necessary on subsequent sessions.

SSH session

A limited set of configurations is possible through the ssh interface. The preferred method for managing most of the configurations or viewing data on the status of the Netgate pfSense instance is through the https web GUI. To connect via https, you would enter an https:// URL containing the public IP address or hostname of your instance into a web browser. For example, https://23.20.204.54. It's very likely that you will receive a browser warning indicating that the security certificate of the site is not trusted. This is because the instance uses a self-signed certificate for https communication. You should click on the option to proceed to the site anyway. A login screen with the Netgate logo should appear.

Login screen

The username to log in with is admin. The password to use is either a value that you set in the User Data during the creation of the instance or a random password. If you did not set a specific password, you can find out that value that the random password was set to through one of 2 different means. The first is to log in over ssh with the key pair that you selected when the instance was created and examine the contents of the file located at /etc/motd. You would do this by selecting option 8 (Shell) from the console menu that is presented when you log in and executing cat /etc/motd from the shell. Alternatively, you can view the System Log for the instance in the EC2 Management Console. After the messages that are displayed that show the status of the boot process, a message should appear that indicates what the administrative password was changed to.

The message you should look for using either of the methods mentioned about will look like this:

***
***
*** Admin password changed to: abcdefg
***
***

In this example, the password was changed to abcdefg.

Be aware that the System Log output in the EC2 Management Console is not updated in real time and may take a few minutes to show up. It is preferable to explicitly set a password by passing a value in with the User Data field so the password will be known in advance. If you want to allow a random password to be set, you should be able to connect via ssh and find out what the password was changed to after the instance is up without any delay.

Once you've determined your password and entered it into the login form, the pfSense Web GUI should be available to you.

Forwarding traffic from VPC subnets through the instance:

Some additional configuration is required within the Netgate appliance instance pfSense web GUI before you are able to manage traffic from the private subnet.

  1. Log into the Web GUI.
  2. Click on the Interfaces heading on the left and then click the Assign link
  3. Click on the + icon to add a new Interface under the Interface assignments tab. A LAN interface should automatically be added with the next available network interface (xn1)
  4. Click on the Interfaces heading on the left again and then click on LAN. Click the checkbox to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address you assigned to the 2nd interface during the provisioning phase. Click the Save button.

Now, you can create instances attached to your private subnet and protect them with the firewall on your Netgate pfSense Certified appliance instance. Here are some common ways that you might wish to manage these hosts:

  • If you wish for your private hosts to be able to connect to the Internet, you can allow any traffic from the LAN in your firewall rules. There should be a rule like this in place by default. You will need to set up NAT rules to cause addresses in the private subnet to be NATed to the IP address of the WAN interface. Under the Firewall heading on the left, click on the NAT link. On the Outbound tab click the radio button for Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and click on the Save button. There is an existing NAT rule configured by default that uses the alias Networks_to_NAT. Click on the Aliases link under the Firewall heading on the left. Add your private subnet to the Networks_to_NAT alias.
  • If your hosts should only contact each other and a private network segment elsewhere, you can configure an IPsec or OpenVPN tunnel from your remote networks to the Netgate appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to your private subnet through a VPN tunnel.
  • If you wish to enable direct inbound access from the internet to hosts on the private subnet, you can set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.

Establishing a VPN connection to a VPC in another region:

If you wish to establish a VPN to allow instances on the VPC subnet(s) that sit behind your Netgate appliance to communicate with instances that reside in a VPC in another region, the Netgate appliance has a configuration wizard that will assist in accomplishing this by configuring both the Netgate appliance as well as the VPC configuration elements that would normally have to be set manually through the AWS Management Console. For detailed instructions, please see the AWS VPC Wizard user guide.

Upgrading to a newer version:

Periodically, new releases of the AMI are issued. This is usually to track new releases of pfSense that may provide new functionality, bug fixes, and security updates. There is not a "live update" procedure that can be applied to a running instance currently. This is because of the limited ability to rescue an AWS instance if errors or corruption occur during a live upgrade. Since there is no physical or out-of-band access available to an AWS instance, the lower risk approach of bringing up a new instance alongside the existing one and executing a cutover is the appropriate choice.

These instructions detail the procedure for moving your existing instance to an upgraded instance.

  1. Back up the configuration of your exsting instance by navigating to Backup/Restore under the Diagnostics menu in the Web GUI. Click the Download configuration button under the Backup Configuration heading and save your config file to your local system.
  2. Bring up a new instance of the Netgate pfSense Certified Router/Firewall/VPN running the latest version.
    • When creating the instance, make sure the interfaces match the interfaces on the existing instance. Make sure that the new instance is in the same VPC as the existing instance and that it has the same number of interfaces attached and that the interfaces are connected to the same Subnets.
    • Make sure any interfaces on the new instance that will communicate with private Subnets have the Source/Destination check disabled.
    • Allocate a new Elastic IP and associate it to the WAN interface of the new instance to allow yourself management access.
  3. Restore the backed up configuration file to the new instance. Navigate to Backup/Restore under the Diagnostics menu in the Web GUI. Under the Restore Configuration heading, click the Choose File button and browse for the configuration file you backed up from the existing instance earlier. Once you have selected that file, click the Restore configuration button. The configuration file will be uploaded and the instance will reboot automatically.
  4. If you had packages installed on the old instance, navigate to Packages under the System in the pfSense web GUI and install the same packages.
  5. If there was any external dependency on the public IP address of the existing instance, you can remove the Elastic IP Address from the upgraded instance and move the Elastic IP Address from the existing instance to the upgraded instance. External dependencies that might cause you to want to do this include things like VPN's configured to external devices that rely on the existing instance's Elastic IP address, or access lists on external devices that allow access to traffic from the existing instance's IP address. There may be other reasons why you would wish to keep the existing address as well (to preserve existing bookmarks to the Web GUI, reduce the need for updates to existing internal documentation, etc). The process for moving the old Elastic IP address to the new instance is as follows.
    • Disassociate the Elastic IP address from the new instance. In the EC2 Management Console, click on Elastic IPs under the Network & Security heading. Check the box next to the Elastic IP address assigned to the new instance and click on the Disassociate Address button.
    • Disassociate the Elastic IP address from the old instance. The procedure is the same as in the previous step, just repeated for the Eastic IP address of the old instance this time.
    • Associate the Elastic IP address that was previously associated to the old instance to public interface of the new instance. In the EC2 Management Console, click on Elastic IPs. Check the box next to the Elastic IP address you are moving and click the Associate Address button. Fill in the correct value for the Instance or Network Interface and select the Private IP Address of the public interface on the new instance. Click the Associate button. The management interface of the new instance should now be accessible.
  6. Move any default routes that pointed to an interface on the old instance to point to the equivalent interface on the new instance.
    • In the VPC Management Console, click on Route Tables under the Virtual Private Cloud heading. Check the box next to a Route Table associated with the VPC that the instances is located in.
    • In the detail pane that appears at the bottom of the screen, click on the Routes tab.
    • If a route exists for 0.0.0.0/0 with a Target that is an interface ID of an interface on the old instnace, click the Edit button above the table displaying the routes.
    • Click the red X next to the row for 0.0.0.0/0 to remove the existing route.
    • There should be a blank row with empty fields for a new route. Enter 0.0.0.0/0 in the Destination field and the Network Interface ID of the interface on the new instance in the Target field. Click on the Save button.
    • If there were multiple private subnets in the VPC which were pointed to interfaces on the pfSense instance, repeat this process for the other Route Tables associated with the VPC.

The new instance should now be functioning as the old one did.