The Netgate pfSense Certified firewall and VPN appliance for Amazon EC2 is a stateful firewall and VPN appliance. In addition to its capabilities as a VPN gateway and firewall for users and offices, it is capable of acting as a firewall to protect instances providing services in Amazon's Virtual Private Cloud (VPC) service. This service differs from the classic EC2 service in that it allows for management of instances on private subnets.
This guide will explain how to launch, manage, and use an instance of the appliance to act as a gateway for other instances in a VPC subnet.
In order to use a Netgate appliance instance to protect your VPC subnets, you will need the following:
If you already have all of these in place with an existing VPC, feel free to skip ahead to Launching an Instance.
These instructions will demonstrate how to create a single private subnet and set it up behind an instance of the Netgate pfSense Certified firewall and VPN appliance. In the Amazon VPC Management Console, create a new VPC, subnets, and routing table(s).
"Your VPCs" view in the menu on the left side of the VPC Management Console under the
"Virtual Private Clouds" grouping. Click the
"Subnets" view in the menu on the left side of the VPC Management Console. Click the
"Create Subnet" button. Select the VPC you just created and choose the availability zone you desire. Enter the subnet you wish to use for the internet-facing hosts in the CIDR Block field. This subnet will be the one that the WAN interface of the Netgate appliance instance is attached to and could include any other hosts or appliances that you wish to be available directly from the Internet and not protected behind the Netgate appliance. The subnet you select here must be a block that is within the address space you assigned to the VPC. For this example, we will use 10.2.0.0/24. Click on the
"Subnets" view of the VPC Management Console, click the
"Create Subnet" button. In the box that pops up, select the appropriate VPC and the same Availability Zone that you assigned to your public subnet. Enter the subnet you wish to use for your private network in the CIDR Block field. This network should be a subnet of the address space you assigned to the VPC and should be distinct from the subnet you assigned to the public subnet. For this example, we will use 10.2.1.0/24. Click on the
"Route Tables" view in the menu on the left side of the VPC Management Console. The single existing route table should be displayed. Click on the
"Create Route Table" button. Select the VPC and click on the
"Subnets" view on the left-hand side of the VPC Management Console. Check the checkbox next to the public subnet and scroll down to look at the Details tab for that subnet. At the top of the Details tab will be listed the CIDR block, VPC, and Availability Zone. Under those items, the Route Table will be listed and will have a link labeled
"replace" next to it. Click on the link. Select the route table in the box that pops up and click on the
"Internet Gateways" view in the menu on the left-hand side of the VPC Management Console. Click on the
"Create Internet Gateway" button. Click the
"Yes, Create" button on the box that pops up. Click the checkbox next to the new Internet Gateway and then click the
"Attach to VPC" button. Select the VPC and click on the
"Route Tables" view on the left-hand side of the VPC Management Console. Check the checkbox next to the route table for the public subnet. Under the
"Routes" tab for that route table, there should only be a single route listed, for the CIDR block of the VPC (10.2.0.0/16 in our example), with a target of
"local". There is a row underneath this route with a text box in the Destination field and a pop-up menu for the Target field. Enter
0.0.0.0/0 for the Destination and select the Internet Gateway (should be formatted like igw-XXXXXXXX) for the target. Click on the
"Add" button that appears at the right side of the row. Click the
"Yes, Add" button on the box that pops up.
There are a few more VPC configuration changes that will be required later, but next you must launch a Netgate appliance instance.
In the Amazon EC2 Management Console, launch a new instance of the Netgate pfSense certified firewall and VPN appliance. This process is the same as the one for launching an EC2 (non-VPC) instance until you reach step 11, which details values that you can enter for the
Configure Instance Details screen to specify the instance should be created in your VPC.
"Launch Instance" button under the
"Create Instance" section of the EC2 dashboard.
"AWS Marketplace" on the
"Create a New Instance" menu. Type
"Netgate pfSense certified" in the search box and press enter (or click on the
"Search" button next to the text box).
"Continue" button on the info page for the Netgate pfSense certified firewall and VPN appliance.
"Launch with EC2 Console" tab
Select a Version. Generally the most recently issued version should be selected. Identify which region you wish to launch the instances in and click on the
"Launch in EC2 Console" button to the right of that region.
Next: Configure Instance Details.
"Configure Instance Details" page, under the Network field, select the VPC you created. For the Subnet field that appears right below the Network field, select the public subnet you created earlier. In our example, this is 10.2.0.0/24.
"Network Interfaces" heading. A single interface named eth0 should be displayed by default. Click on the
"Add Device" button underneath eth0. Select the private subnet that was created (10.2.1.0/24 in our example). Pick an IP address within the range of the private subnet and enter it in the IP address field. Keep in mind that the first 3 or 4 IP addresses are reserved. For this example, we will use 10.2.1.5.
You can optionally expand the Advanced Details section and set parameters as text in the User Data field. The available options are:
password=abcdefg will set the password for the administrative account to the value you specify (abcdefg in this example). If no value is set here, a random password will be assigned in order to keep administrative access from being exposed to the internet with a default password.
mgmtnet=10.0.1.0/24 will restrict management access (http, https, ssh) to the network you specify (10.0.1.0/24 in this example). This will cause the firewall rules on the instance (not Amazon's access lists, but the Netgate appliance's own firewall) to restrict management traffic for the instance to the specified source network. The default behavior is to allow management from any host.
Next: Add Storage after optionally setting these parameters.
Note: If you set a password using the password parameter listed above, the password is retrieved by the instance via an unencrypted HTTP request when the system is configured the first time it boots. The request is made to an Amazon Web Services-operated server on the local LAN that stores metadata about each instance running. The data for an instance is only made available to that instance, but is available to be queried from the instance without providing any authentication credentials. It is advised that you change the admin password via the pfSense web GUI after the instance comes up if you judge this to be an unacceptable security risk. Or you may choose not to set the password at all and let a random password be set.
"Next: Tag Instance" to accept the Storage Device Configuration.
"Next: Configure Security Group" after setting any desired tags.
If you have an existing security group that includes this access, select
"Select an existing security group", then select the group(s) you want to use and click Continue. Otherwise, select
"Create a new security group", and add rules for this access by filling in the form for each rule and clicking the
"Add Rule" button. When all of the rules have been added, click
"Review and Launch".
"Proceed Without a Key Pair". Click the checkbox that indicates that you acknowledge that you have access to the selected private key file and then click
"Elastic IPs" on the left side of the page. Click on the
"Allocate New Address" button. Select that you want the EIP used in VPC and click on the
"Yes, Allocate" button in the box that pops up. After the Elastic IP address is allocated, associate the address with the WAN interface of the Netgate appliance by clicking on the
"Associate Address" button. A box will pop up that will let you specify either the instance and Private IP address of the interface or the Network Interface and the Private IP Address of the interface. Use one of these methods to select the correct interface and click on the
"Yes, Associate" button. You should now be able to reach the instance via ssh or https.
"Actions" button at the top of the page and select "Change Source/Dest. Check" on the popup menu. Select the radio button labeled "Disabled" on the box that pops up and click on the "Save" button. Non-local traffic from the private subnet should now be sent through the private/LAN interface on the Netgate appliance instance.
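To make the routing that the steps above set up concrete, here is an added Python example (it is not part of the Netgate guide and not Netgate's code). It models the guide's addressing plan (VPC 10.2.0.0/16, public subnet 10.2.0.0/24, private subnet 10.2.1.0/24, appliance LAN address 10.2.1.5) and the two route tables, then checks the properties a practitioner cares about: both subnets sit inside the VPC block and do not overlap, the LAN address is not one of the addresses AWS reserves (assumption: the first four and the last address of each subnet), and every non-VPC destination from the private subnet resolves to the appliance's LAN network interface rather than to an internet gateway. The igw-/eni- identifiers are placeholders, and the private route table (default route to the appliance's ENI) is the configuration the upgrade section of the guide later refers to.

```python
import ipaddress

# The guide's example addressing plan. The igw-/eni- identifiers are
# placeholders, not real resource IDs.
VPC_CIDR = "10.2.0.0/16"
PUBLIC_SUBNET = "10.2.0.0/24"   # WAN side of the appliance
PRIVATE_SUBNET = "10.2.1.0/24"  # LAN side, where the protected hosts live
LAN_ADDRESS = "10.2.1.5"        # the appliance's second interface

# Route tables as the guide leaves them: destination CIDR -> target.
PUBLIC_RT = {VPC_CIDR: "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_RT = {VPC_CIDR: "local", "0.0.0.0/0": "eni-PLACEHOLDER"}


def reserved_addresses(subnet):
    """Addresses you cannot assign in a subnet. Assumption: AWS keeps the
    first four and the last address of each subnet."""
    addrs = list(ipaddress.ip_network(subnet))
    return {str(a) for a in addrs[:4]} | {str(addrs[-1])}


def check_plan(vpc, public, private, lan_ip):
    """Return the problems with an addressing plan; an empty list means OK."""
    vpc_net = ipaddress.ip_network(vpc)
    public_net = ipaddress.ip_network(public)
    private_net = ipaddress.ip_network(private)
    lan = ipaddress.ip_address(lan_ip)
    problems = []
    if not public_net.subnet_of(vpc_net):
        problems.append("public subnet is outside the VPC block")
    if not private_net.subnet_of(vpc_net):
        problems.append("private subnet is outside the VPC block")
    if public_net.overlaps(private_net):
        problems.append("public and private subnets overlap")
    if lan not in private_net:
        problems.append("LAN address is not inside the private subnet")
    elif str(lan) in reserved_addresses(private):
        problems.append("LAN address is one of the AWS-reserved addresses")
    return problems


def next_hop(route_table, dst):
    """Pick a target the way a VPC route table does: the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def appliance_in_path(private_rt, lan_eni):
    """True when hosts on the private subnet reach the Internet only through
    the appliance's LAN interface: the default route targets that interface
    and no route in the table points straight at an internet gateway."""
    return (next_hop(private_rt, "203.0.113.10") == lan_eni
            and not any(t.startswith("igw-") for t in private_rt.values()))


if __name__ == "__main__":
    print("plan problems:", check_plan(VPC_CIDR, PUBLIC_SUBNET, PRIVATE_SUBNET, LAN_ADDRESS))
    print("private subnet -> VPC host:", next_hop(PRIVATE_RT, "10.2.0.7"))
    print("private subnet -> Internet:", next_hop(PRIVATE_RT, "203.0.113.10"))
    print("appliance in path:", appliance_in_path(PRIVATE_RT, "eni-PLACEHOLDER"))
```

The `appliance_in_path` check is the one worth keeping around: a route table for the private subnet that still carries a default route to an internet gateway lets hosts bypass the firewall entirely, and disabling the source/destination check on the appliance (the step above) only matters once that default route points at the appliance's LAN interface.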
Once the instance is launched, you can connect to it via the Elastic IP that was attached to the primary interface during the provisioning phase.
In order to manage the configuration of the instance, you can connect to it via https or ssh. To connect via ssh, you would use the key pair you chose while creating the instance to connect to the admin account. From the command line on a Unix/Linux host, you would use a command similar to
ssh -i my_key_file admin@public_IP, where the appropriate private key file and public IP or hostname are substituted. In the example below, the key file my_ec2_key is used to connect to the IP address 126.96.36.199. Note that the first time you log into your instance, the ssh key of the instance will not be cached on your computer and you will need to type
yes when asked whether you want to continue connecting. This should not be necessary on subsequent sessions.
A limited set of configurations is possible through the ssh interface. The preferred method for managing most of the configurations or viewing data on the status of the Netgate pfSense instance is through the https web GUI. To connect via https, you would enter an https:// URL containing the public IP address or hostname of your instance into a web browser. For example, https://188.8.131.52. It's very likely that you will receive a browser warning indicating that the security certificate of the site is not trusted. This is because the instance uses a self-signed certificate for https communication. You should click on the option to proceed to the site anyway. A login screen with the Netgate logo should appear.
The username to log in with is admin. The password to use is either the value that you set in the User Data during the creation of the instance or a random password. If you did not set a specific password, you can find out the value the random password was set to in one of two ways. The first is to log in over ssh with the key pair that you selected when the instance was created and examine the contents of the file located at /etc/motd. You would do this by selecting option 8 (
Shell) from the console menu that is presented when you log in and executing
cat /etc/motd from the shell. Alternatively, you can view the System Log for the instance in the EC2 Management Console. After the messages that are displayed that show the status of the boot process, a message should appear that indicates what the administrative password was changed to.
The message you should look for using either of the methods mentioned above will look like this:
*** *** *** Admin password changed to: abcdefg *** ***
In this example, the password was changed to abcdefg.
Be aware that the System Log output in the EC2 Management Console is not updated in real time and may take a few minutes to show up. It is preferable to explicitly set a password by passing a value in with the User Data field so the password will be known in advance. If you want to allow a random password to be set, you should be able to connect via ssh and find out what the password was changed to after the instance is up without any delay.
Once you've determined your password and entered it into the login form, the pfSense Web GUI should be available to you.
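The two User Data parameters described earlier and the password message just shown are small enough to handle with a few lines of Python. The following is an added example, not code from the Netgate guide: it composes the User Data text, reviews a User Data string for the two things the guide's notes warn about (a password that will be fetched over unauthenticated metadata HTTP, and management left open to any host), and pulls the generated admin password out of /etc/motd or System Log text. It assumes User Data holds one key=value per line (the guide does not state the separator), and the sample log text is constructed.

```python
import ipaddress
import re

# Pattern of the message the appliance writes to /etc/motd and to the EC2
# System Log when it assigns a random admin password (format from the guide).
ADMIN_PASSWORD_RE = re.compile(r"Admin password changed to: (\S+)")

# Constructed sample of System Log output; not a real capture.
SAMPLE_SYSTEM_LOG = """\
Configuring WAN interface... done.
Starting webConfigurator... done.
*** *** *** Admin password changed to: abcdefg *** ***
Bootup complete
"""


def build_user_data(mgmtnet, password=None):
    """Compose the User Data text. Assumption: one key=value per line.
    Leave password unset to let the appliance choose a random one, so the
    password never sits in the unauthenticated instance metadata."""
    ipaddress.ip_network(mgmtnet)  # ValueError if this is not a valid CIDR block
    lines = [f"mgmtnet={mgmtnet}"]
    if password is not None:
        lines.append(f"password={password}")
    return "\n".join(lines)


def review_user_data(text):
    """Parse User Data (same one-per-line assumption) and report the settings
    the guide's notes call out: a password in metadata, or management open
    to any host."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    findings = []
    if "password" in params:
        findings.append("password set in User Data: readable from the instance over "
                        "unauthenticated HTTP metadata; change it in the web GUI after boot")
    mgmtnet = params.get("mgmtnet")
    if mgmtnet is None:
        findings.append("mgmtnet not set: management (http, https, ssh) open to any host")
    else:
        try:
            net = ipaddress.ip_network(mgmtnet)
        except ValueError:
            findings.append(f"mgmtnet {mgmtnet!r} is not a valid CIDR block")
        else:
            if net.prefixlen == 0:
                findings.append("mgmtnet covers every address, so it restricts nothing")
    return findings


def find_admin_password(log_text):
    """Return the generated admin password from /etc/motd or System Log text,
    or None if the line has not appeared yet (the console log can lag)."""
    match = ADMIN_PASSWORD_RE.search(log_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(build_user_data("10.0.1.0/24"))
    print(review_user_data("password=abcdefg"))
    print(find_admin_password(SAMPLE_SYSTEM_LOG))
```

`find_admin_password` returning None is the normal case right after launch when reading the System Log, which is why the guide prefers the ssh route for a randomly assigned password; the ssh route also keeps the password off the console output, which anyone able to read the instance's console log can see.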
Some additional configuration is required within the Netgate appliance instance pfSense web GUI before you are able to manage traffic from the private subnet.
"Interfaces" heading on the left and then click the
"+" icon to add a new Interface under the
"Interface assignments" tab. A LAN interface should automatically be added with the next available network interface (xn1).
"Interfaces" heading on the left again and then click on
"LAN". Click the checkbox to enable the LAN interface. Set the
"IPv4 Configuration Type" to
"Static IPv4" and enter the IP address you assigned to the 2nd interface during the provisioning phase. Click the
Now, you can create instances attached to your private subnet and protect them with the firewall on your Netgate pfSense Certified appliance instance. Here are some common ways that you might wish to manage these hosts:
"Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" and click on the
"Save" button. There is an existing NAT rule configured by default that uses the alias Networks_to_NAT. Click on the Aliases link under the Firewall heading on the left. Add your private subnet to the Networks_to_NAT alias.
If you wish to establish a VPN to allow instances on the VPC subnet(s) that sit behind your Netgate appliance to communicate with instances that reside in a VPC in another region, the Netgate appliance has a configuration wizard that will assist in accomplishing this by configuring both the Netgate appliance as well as the VPC configuration elements that would normally have to be set manually through the AWS Management Console. For detailed instructions, please see the AWS VPC Wizard user guide.
Periodically, new releases of the AMI are issued. This is usually to track new releases of pfSense that may provide new functionality, bug fixes, and security updates. There is not a "live update" procedure that can be applied to a running instance currently. This is because of the limited ability to rescue an AWS instance if errors or corruption occur during a live upgrade. Since there is no physical or out-of-band access available to an AWS instance, the lower risk approach of bringing up a new instance alongside the existing one and executing a cutover is the appropriate choice.
These instructions detail the procedure for moving your existing instance to an upgraded instance.
"Diagnostics" menu in the Web GUI. Click the
"Download configuration" button under the
"Backup Configuration" heading and save your config file to your local system.
"Diagnostics" menu in the Web GUI. Under the
"Restore Configuration" heading, click the
"Choose File" button and browse for the configuration file you backed up from the existing instance earlier. Once you have selected that file, click the
"Restore configuration" button. The configuration file will be uploaded and the instance will reboot automatically.
"System" menu in the pfSense web GUI and install the same packages.
"Elastic IPs" under the
"Network & Security" heading. Check the box next to the Elastic IP address assigned to the new instance and click on the
"Elastic IPs". Check the box next to the Elastic IP address you are moving and click the
"Associate Address" button. Fill in the correct value for the Instance or Network Interface and select the Private IP Address of the public interface on the new instance. Click the
"Associate" button. The management interface of the new instance should now be accessible.
"Route Tables" under the
"Virtual Private Cloud" heading. Check the box next to a Route Table associated with the VPC that the instance is located in.
"Edit" button above the table displaying the routes.
"Destination" field and the Network Interface ID of the interface on the new instance in the
"Target" field. Click on the
The new instance should now be functioning as the old one did.