Netgate pfSense certified firewall and VPN Appliance - VPC User Guide

The Netgate pfSense Certified firewall and VPN appliance for Amazon EC2 is a stateful firewall and VPN appliance. In addition to its capabilities as a VPN gateway and firewall for users and offices, it can act as a firewall protecting instances that provide services in Amazon's Virtual Private Cloud (VPC) service. VPC differs from the classic EC2 service in that it allows instances to be managed on private subnets.

This guide will explain how to launch, manage, and use an instance of the appliance to act as a gateway for other instances in a VPC subnet.

Preparing your VPC:

In order to use a Netgate appliance instance to protect your VPC subnets, you will need the following:

  • One internet-facing subnet, to which the Netgate appliance instance will have its primary/WAN interface connected.
  • One or more private subnets, to which the Netgate appliance instance will have its secondary/LAN interface (and possibly additional optional interfaces) connected.
  • Separate routing tables for the internet-facing subnet and the private subnet(s).
If you already have all of these in place with an existing VPC, feel free to skip ahead to Launching an Instance.

These instructions will demonstrate how to create a single private subnet and set it up behind an instance of the Netgate pfSense Certified firewall and VPN appliance. In the Amazon VPC Management Console, create a new VPC, subnets, and routing table(s).

  1. Go to the Your VPCs view in the menu on the left side of the VPC Management Console under the Virtual Private Clouds grouping. Click the Create VPC button.
     (Figure: Create VPC)
  2. Enter a CIDR block to use in the box that pops up. If you will connect to hosts in your VPC using a VPN from hosts at other sites in your infrastructure, be sure to select address space that does not conflict with the private address space used elsewhere by your organization. Make sure the block you choose is large enough to contain all subnets you may want to include within it. For example, if you plan to use a /24 for your internet-facing subnet and a /24 for your private network, the CIDR block you select here will need to be at least a /23 to hold those two subnets. The maximum size block you can select is a /16. For the purposes of this example, we will use 10.2.0.0/16. Leave the value of Tenancy set to Default. Click on the Yes, Create button.
     (Figure: VPC CIDR block)
  3. To create the subnets required, go to the Subnets view in the menu on the left side of the VPC Management Console. Click the Create Subnet button. Select the VPC you just created and choose the availability zone you desire. Enter the subnet you wish to use for the internet-facing hosts in the CIDR Block field. This subnet will be the one that the WAN interface of the Netgate appliance instance is attached to and could include any other hosts or appliances that you wish to be available directly from the Internet and not protected behind the Netgate appliance. The subnet you select here must be a block that is within the address space you assigned to the VPC. For this example, we will use 10.2.0.0/24. Click on the Yes, Create button.
     (Figure: Public Subnet)
  4. Create the private subnet. Still in the Subnets view of the VPC Management Console, click the Create Subnet button. In the box that pops up, select the appropriate VPC and the same Availability Zone that you assigned to your public subnet. Enter the subnet you wish to use for your private network in the CIDR Block field. This network should be a subnet of the address space you assigned to the VPC and should be distinct from the subnet you assigned to the public subnet. For this example, we will use 10.2.1.0/24. Click on the Yes, Create button.
     (Figure: Private Subnet)
  5. Both subnets you created use the default route table that was created with the VPC. The private subnet can continue to use that default table. A new route table will need to be created for the public subnet. Go to the Route Tables view in the menu on the left side of the VPC Management Console. The single existing route table should be displayed. Click on the Create Route Table button. Select the VPC and click on the Yes, Create button.
     (Figure: Create Route Table)
  6. Associate the public subnet (10.2.0.0/24 in our examples) with the routing table that was just created. Go to the Subnets view on the left hand side of the VPC Management Console. Check the checkbox next to the public subnet and scroll down to look at the Details tab for that subnet. At the top of the Details tab will be listed the CIDR block, VPC, and Availability Zone. Under those items, the Route Table will be listed and will have a link labeled replace next to it. Click on the link. Select the route table in the box that pops up and click on the Yes, Replace button.
     (Figure: Replace Route Table)
  7. In order to send traffic from the public subnet to the Internet, we will need to add a default route to an Internet Gateway. We must first create one. Go to the Internet Gateways view in the menu on the left hand side of the VPC Management Console. Click on the Create Internet Gateway button. Click the Yes, Create button on the box that pops up. Click the checkbox next to the new Internet Gateway and then click the Attach to VPC button. Select the VPC and click on the Yes, Attach button.
     (Figure: Attach IG to VPC)
  8. The route table for the public subnet will need to be updated so that it has a default route to the Internet Gateway. Go to the Route Tables view on the left hand side of the VPC Management Console. Check the checkbox next to the route table for the public subnet. Under the Routes tab for that route table, there should only be listed a single route for the CIDR block of the VPC (10.2.0.0/16 in our example) that has a target of local. There is a row underneath this route with a text box in the Destination field and a pop up menu for the Target field. Enter 0.0.0.0/0 for the Destination and select the Internet Gateway (should be formatted like igw-XXXXXXXX) for the target. Click on the Add button that appears at the right side of the row. Click the Yes, Add button on the box that pops up.
     (Figure: Add Default Route)
There are a few more VPC configuration changes that will be required later, but next you must launch a Netgate appliance instance.
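The VPC preparation above, carried out with the AWS CLI instead of the console, as an added example that is not part of the original guide. validate_plan enforces the constraints the text states (both subnets inside the VPC block, VPC block no larger than a /16, public and private subnets distinct, no overlap with address space already used elsewhere in your organization); cli_plan emits the commands in the same order as the steps. The aws ec2 subcommands and options are the standard ones for these operations; the shell variable names, the availability zone and the 10.2.0.0/16 layout are taken from the guide's example or assumed.

```python
"""Validate the VPC layout from the guide and emit the matching AWS CLI commands.
Added example: the constructed values follow the guide's 10.2.0.0/16 layout; the
shell variable names and the default availability zone are assumptions."""
import ipaddress


def validate_plan(vpc_cidr, public_cidr, private_cidr, existing_networks=()):
    """Return a list of problems; an empty list means the layout meets the guide's rules."""
    problems = []
    try:
        # strict=True rejects host bits (e.g. 10.2.0.1/24) instead of silently masking them
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        public = ipaddress.ip_network(public_cidr, strict=True)
        private = ipaddress.ip_network(private_cidr, strict=True)
    except ValueError as exc:
        return [f"malformed CIDR: {exc}"]
    # The console allows at most a /16 for the VPC block.
    if vpc.prefixlen < 16:
        problems.append(f"VPC block {vpc} is larger than the /16 maximum")
    # Both subnets must lie inside the VPC's address space.
    for name, net in (("public", public), ("private", private)):
        if not net.subnet_of(vpc):
            problems.append(f"{name} subnet {net} is outside VPC block {vpc}")
    # The private subnet must be distinct from the public one.
    if public.overlaps(private):
        problems.append(f"public subnet {public} overlaps private subnet {private}")
    # Address space reused across VPN-connected sites makes routing ambiguous.
    for other in existing_networks:
        other_net = ipaddress.ip_network(other, strict=False)
        if vpc.overlaps(other_net):
            problems.append(f"VPC block {vpc} conflicts with existing network {other_net}")
    return problems


def cli_plan(vpc_cidr, public_cidr, private_cidr, az="us-east-1a", existing_networks=()):
    """Return the AWS CLI commands, in the guide's order, as shell lines.
    Raises ValueError instead of emitting commands for a layout that fails validation."""
    problems = validate_plan(vpc_cidr, public_cidr, private_cidr, existing_networks)
    if problems:
        raise ValueError("; ".join(problems))
    q = "--output text --query"
    return [
        # the VPC itself (default tenancy is also the CLI default)
        f"VPC_ID=$(aws ec2 create-vpc --cidr-block {vpc_cidr} {q} Vpc.VpcId)",
        # public and private subnets, both in the same availability zone
        f'PUBLIC_SUBNET=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block {public_cidr} '
        f"--availability-zone {az} {q} Subnet.SubnetId)",
        f'PRIVATE_SUBNET=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block {private_cidr} '
        f"--availability-zone {az} {q} Subnet.SubnetId)",
        # a second route table for the public subnet; the private subnet keeps the main one
        f'PUBLIC_RTB=$(aws ec2 create-route-table --vpc-id "$VPC_ID" {q} RouteTable.RouteTableId)',
        'aws ec2 associate-route-table --route-table-id "$PUBLIC_RTB" --subnet-id "$PUBLIC_SUBNET"',
        # Internet Gateway, attached to the VPC
        f"IGW_ID=$(aws ec2 create-internet-gateway {q} InternetGateway.InternetGatewayId)",
        'aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"',
        # default route for the public subnet only
        'aws ec2 create-route --route-table-id "$PUBLIC_RTB" --destination-cidr-block 0.0.0.0/0 '
        '--gateway-id "$IGW_ID"',
    ]


if __name__ == "__main__":
    # Constructed organisation network that would collide with a badly chosen VPC block
    print(validate_plan("10.2.0.0/16", "10.2.0.0/24", "10.2.1.0/24", ["10.2.0.0/22"]))
    for line in cli_plan("10.2.0.0/16", "10.2.0.0/24", "10.2.1.0/24"):
        print(line)
```

Run the printed lines in a shell with the AWS CLI configured; each line captures the id the next one needs, which is the same dependency order the console steps follow.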

Launching an Instance:

In the Amazon EC2 Management Console, launch a new instance of the Netgate pfSense certified firewall and VPN appliance. This process is the same as the one for launching an EC2 (non-VPC) instance until you reach step 11, which details the values to enter on the Configure Instance Details screen so that the instance is created in your VPC.

  1. Select the region you wish your instance to run in using the tab at the upper right corner of the page.
     (Figure: Region Selection)

  2. Launch a new instance by clicking on the Launch Instance button under the Create Instance section of the EC2 dashboard.
     (Figure: Launch Instance)

  3. Select AWS Marketplace on the Create a New Instance menu. Type Netgate pfSense certified in the search box and press enter (or click on the Search button next to the text box).
     (Figure: New Instance Wizard)

  4. Click on the link for the Netgate pfSense certified firewall and VPN appliance in the search results.
     (Figure: Search Results)

  5. Click on the Continue button on the info page for the Netgate pfSense certified firewall and VPN appliance.
     (Figure: Continue Instance Launch)

  6. Click on the Launch with EC2 Console tab.
     (Figure: Launch with Console)

  7. If you haven't previously accepted the license terms, click on the Accept Terms button.
     (Figure: Accept Terms)

  8. A message should be displayed indicating that your subscription is being processed.
     (Figure: Subscription Processing)

  9. Select the version of the image to run under the popup menu labeled Select a Version. Generally the most recently issued version should be selected. Identify which region you wish to launch the instance in and click on the Launch in EC2 Console button to the right of that region.
     (Figure: Select Version and Region)

  10. Choose the instance type you wish to run on. Click Next: Configure Instance Details.
     (Figure: Choose Instance Type)

  11. On the Configure Instance Details page, under the Network field, select the VPC you created. For the Subnet field that appears right below the Network field, select the public subnet you created earlier. In our examples, this is 10.2.0.0/24.

    (Figure: Configure Instance Details VPC)

    Scroll down to the Network Interfaces heading. A single interface named eth0 should be displayed by default. Click on the Add Device button underneath eth0. Select the private subnet that was created (10.2.1.0/24 in our example). Pick an IP address within the range of the private subnet and enter it in the IP address field. Keep in mind that the first 3 or 4 IP addresses are reserved. For this example, we will use 10.2.1.5.

    (Figure: Instance Details Network Interfaces)

    You can optionally expand the Advanced Details section and set parameters as text in the User Data field. The available options are:

    password - a directive like password=abcdefg sets the password for the administrative account to the value you specify (abcdefg in this example). If no value is set here, a random password is assigned so that administrative access is not exposed to the Internet with a default password.

    mgmtnet - a directive like mgmtnet=10.0.1.0/24 restricts management access (http, https, ssh) to the network you specify (10.0.1.0/24 in this example). The firewall rules on the instance itself (not Amazon's access lists, but the Netgate appliance's own firewall) will then only accept management traffic from the specified source network. The default behavior is to allow management from any host.

    These directives are placed on a single line in the User Data field, separated by colons. To specify both parameters, you would type a statement similar to this one:

    password=abcdefg:mgmtnet=10.0.1.0/24

    Click Next: Add Storage after optionally setting these parameters.

  12. Note: If you set a password using the password parameter described above, the instance retrieves it over an unencrypted HTTP request when it configures itself on first boot. The request goes to an Amazon Web Services-operated server on the local LAN that stores metadata about each running instance. The data for an instance is only made available to that instance, but it can be queried from the instance without providing any authentication credentials. If you judge this to be an unacceptable security risk, change the admin password via the pfSense web GUI after the instance comes up, or do not set a password at all and let a random one be assigned.

    (Figure: Instance Details)

  13. Click Next: Tag Instance to accept the Storage Device Configuration.
     (Figure: Storage Devices)

  14. Optionally, a tag can be set on the instance to differentiate it from other VMs you have started by entering a value for the Name tag. Click Next: Configure Security Group after setting any desired tags.
     (Figure: Instance Details Tags)

  15. Select a security group to launch the instance with. The recommended settings for a security group should allow at least the following traffic:
    • TCP port 443 from 0.0.0.0/0 - HTTPS - This is the port that the management web GUI listens on.
    • TCP port 22 from 0.0.0.0/0 - SSH - This port can be used to connect to a command prompt with an ssh client.
    • UDP port 1194 from 0.0.0.0/0 - OpenVPN - The OpenVPN server that is configured by default is bound to this port.
    • UDP port 500 from 0.0.0.0/0 - IKE for IPsec VPN.
    • UDP port 4500 from 0.0.0.0/0 - IPsec/NAT-T for IPsec VPN.

    (Figure: Security Group)

    If you have an existing security group that includes this access, select Select an existing security group, then select the group(s) you want to use and click Continue. Otherwise, select Create a new security group, and add rules for this access by filling in the form for each rule and clicking the Add Rule button. When all of the rules have been added, click Review and Launch.

  16. Verify the details for the instance and click Launch.
     (Figure: Launch Final)

  17. Select an existing key pair or create a new key pair to connect to the instance with. Do not select Proceed Without a Key Pair. Click the checkbox that indicates that you acknowledge that you have access to the selected private key file and then click Launch Instance.
     (Figure: SSH key pair)

  18. In order to reach your instance from the Internet, you will need to associate an Elastic IP with the WAN interface of the instance. In the VPC Management Console, go to the Elastic IPs view by clicking on Elastic IPs on the left side of the page. Click on the Allocate New Address button. Select that you want the EIP used in VPC and click on the Yes, Allocate button in the box that pops up. After the Elastic IP address is allocated, associate the address with the WAN interface of the Netgate appliance by clicking on the Associate Address button. A box will pop up that will either let you specify the instance and Private IP address of the interface or the Network Interface and the Private IP Address of the interface. Use one of these methods to select the correct interface and click on the Yes, Associate button. You should now be able to reach the instance via ssh or https.
     (Figure: Associate EIP)

  19. In order for traffic from the private subnet to be routed through the public interface of the instance, the Source/Dest Address Check on the private interface needs to be disabled. In the EC2 Management Console, go to the "Network Interfaces" view by clicking on Network Interfaces in the menu on the left hand side of the page. Click the checkbox to the left of the private/LAN interface on the Netgate appliance instance. Click on the Actions button at the top of the page and select "Change Source/Dest Check" on the popup menu. Select the radio button labeled "Disabled" on the box that pops up and click on the "Save" button. Non-local traffic from the private subnet should now be sent through the private/LAN interface on the Netgate appliance instance.
     (Figure: Change Source/Dest Check)
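A parser for the User Data directives and a derivation of the security group rules from them, as an added example that is not code from the appliance or from Netgate. It assumes a strict reading of the format described in the instance details step: directives are key=value pairs separated by colons, so neither value can contain a colon; unknown or repeated directives are rejected; mgmtnet must be a valid network. The guide lists the management ports open to 0.0.0.0/0; security_group_rules narrows TCP 22 and 443 to mgmtnet when it is set, which is an added hardening choice so that the AWS security group and the appliance's own firewall agree. missing_rules compares the required set against the rules an existing group already carries, in the (protocol, from_port, to_port, cidr) shape of the constructed sample; the aws ec2 authorize-security-group-ingress options are the standard ones.

```python
"""User Data directives and security group rules for the appliance.
Added example; the strictness rules and the sample existing group are assumptions."""
import ipaddress
import secrets

KNOWN_DIRECTIVES = {"password", "mgmtnet"}
ANYWHERE = "0.0.0.0/0"


def parse_user_data(text):
    """Split 'key=value:key=value' into a dict. Values cannot contain ':' because the
    format has no way to escape the separator, so a password containing a colon is
    rejected here as a malformed directive rather than silently truncated."""
    directives = {}
    text = text.strip()
    if not text:
        return directives
    for item in text.split(":"):
        key, sep, value = item.partition("=")
        key = key.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed directive {item!r}")
        if key not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown directive {key!r}")
        if key in directives:
            raise ValueError(f"duplicate directive {key!r}")
        directives[key] = value
    if "mgmtnet" in directives:
        # strict=True rejects host bits (10.0.1.5/24) instead of widening the network
        directives["mgmtnet"] = str(ipaddress.ip_network(directives["mgmtnet"], strict=True))
    return directives


def first_boot_settings(directives):
    """What first boot ends up with: the supplied password or a random one, and the
    source network allowed to reach the management ports on the appliance firewall."""
    return {
        "admin_password": directives.get("password") or secrets.token_urlsafe(12),
        "password_was_random": "password" not in directives,
        "management_source": directives.get("mgmtnet", ANYWHERE),
    }


def security_group_rules(directives):
    """Ingress the guide calls for, as (proto, port, source_cidr, purpose). TCP 22/443
    follow mgmtnet when it is set; the VPN ports stay open to the Internet."""
    mgmt = directives.get("mgmtnet", ANYWHERE)
    return [
        ("tcp", 443, mgmt, "HTTPS management web GUI"),
        ("tcp", 22, mgmt, "SSH"),
        ("udp", 1194, ANYWHERE, "OpenVPN"),
        ("udp", 500, ANYWHERE, "IKE for IPsec"),
        ("udp", 4500, ANYWHERE, "IPsec NAT-T"),
    ]


def missing_rules(required, existing):
    """Required (proto, port, cidr) entries that no existing rule covers. An existing
    rule (proto, from_port, to_port, cidr) covers a requirement when the protocol
    matches, the port is inside its range and its source contains the required source."""
    gaps = []
    for proto, port, cidr, _purpose in required:
        need = ipaddress.ip_network(cidr)
        covered = any(
            p == proto and lo <= port <= hi and need.subnet_of(ipaddress.ip_network(src))
            for p, lo, hi, src in existing
        )
        if not covered:
            gaps.append((proto, port, cidr))
    return gaps


def authorize_commands(group_id, rules):
    """AWS CLI lines that add each rule to an existing security group."""
    return [
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol {proto} --port {port} --cidr {cidr}"
        for proto, port, cidr, _purpose in rules
    ]


if __name__ == "__main__":
    directives = parse_user_data("password=abcdefg:mgmtnet=10.0.1.0/24")
    print(first_boot_settings(directives))
    required = security_group_rules(directives)
    # Constructed: a group that already opens the management ports but not the VPN ports
    existing = [("tcp", 22, 22, "10.0.0.0/8"), ("tcp", 443, 443, "10.0.0.0/8")]
    for gap in missing_rules(required, existing):
        print("missing:", gap)
    for line in authorize_commands("sg-EXAMPLE", required):
        print(line)
```

The (proto, from_port, to_port, cidr) tuples for the existing group are what you would extract from the IpPermissions of a describe-security-groups call; the sample here is constructed so the block runs offline.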

Managing the Configuration of the Instance:

Once the instance is launched, you can connect to it via the Elastic IP that was attached to the primary interface during the provisioning phase.
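Before connecting, it is worth confirming that the last two provisioning steps (Elastic IP on the WAN interface, Source/Dest Check disabled on the LAN interface) actually took effect. The audit below is an added example, not part of the original guide: it reads the JSON shape returned by aws ec2 describe-network-interfaces and emits the CLI lines that repair whatever is missing. The ENI ids, subnet ids and addresses are constructed. private_default_route is an addition beyond the guide's click-through steps: the guide leaves the private subnet on the VPC's main route table, which only carries the VPC-local route, so for hosts on the private subnet to send Internet-bound traffic through the appliance that table also needs a 0.0.0.0/0 route whose target is the appliance's LAN interface.

```python
"""Post-launch audit of the appliance's WAN and LAN network interfaces.
Added example; the describe-network-interfaces sample is constructed."""
import json


def sample_payload(wan_has_eip=False, lan_check_enabled=True):
    """Constructed describe-network-interfaces output for the appliance's two ENIs."""
    wan_primary = {"PrivateIpAddress": "10.2.0.10", "Primary": True}
    if wan_has_eip:
        wan_primary["Association"] = {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-EXAMPLE"}
    return json.dumps({"NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-EXAMPLEWAN", "SubnetId": "subnet-PUBLIC",
         "SourceDestCheck": True, "PrivateIpAddresses": [wan_primary]},
        {"NetworkInterfaceId": "eni-EXAMPLELAN", "SubnetId": "subnet-PRIVATE",
         "SourceDestCheck": lan_check_enabled,
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.1.5", "Primary": True}]},
    ]})


def audit_interfaces(payload, public_subnet_id, private_subnet_id):
    """Return (findings, commands): what is wrong with the ENIs and the CLI lines that fix it."""
    findings, commands = [], []
    for eni in json.loads(payload)["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        primary = next((ip for ip in eni.get("PrivateIpAddresses", []) if ip.get("Primary")), None)
        if primary is None:
            continue
        if eni["SubnetId"] == public_subnet_id:
            # WAN: reachable from the Internet only once an Elastic IP is associated
            if "Association" not in primary:
                findings.append(f"{eni_id}: WAN interface has no Elastic IP")
                commands.append("ALLOC_ID=$(aws ec2 allocate-address --domain vpc "
                                "--output text --query AllocationId)")
                commands.append(f'aws ec2 associate-address --allocation-id "$ALLOC_ID" '
                                f"--network-interface-id {eni_id} "
                                f"--private-ip-address {primary['PrivateIpAddress']}")
        elif eni["SubnetId"] == private_subnet_id:
            # LAN: with the check on, AWS drops packets the ENI forwards for other hosts
            if eni.get("SourceDestCheck", True):
                findings.append(f"{eni_id}: LAN interface still has Source/Dest Check enabled")
                commands.append("aws ec2 modify-network-interface-attribute "
                                f"--network-interface-id {eni_id} --no-source-dest-check")
    return findings, commands


def private_default_route(route_table_id, lan_eni_id):
    """Default route for the private subnet's route table, targeting the LAN ENI.
    Not one of the guide's console steps (see the lead-in); the main route table
    otherwise only carries the VPC-local route."""
    return (f"aws ec2 create-route --route-table-id {route_table_id} "
            f"--destination-cidr-block 0.0.0.0/0 --network-interface-id {lan_eni_id}")


if __name__ == "__main__":
    findings, commands = audit_interfaces(sample_payload(), "subnet-PUBLIC", "subnet-PRIVATE")
    for f in findings:
        print("finding:", f)
    for c in commands:
        print(c)
    print(private_default_route("rtb-EXAMPLE", "eni-EXAMPLELAN"))
```

With a live account, pass the output of aws ec2 describe-network-interfaces filtered to the appliance instance in place of sample_payload(), and the subnet ids created during VPC preparation.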

In order to manage the configuration of the instance, you can connect to it via https or ssh. To connect via ssh, you would use the key pair you chose while creating the instance to connect to the admin account. From the command line on a Unix/Linux host, you would use a command similar to ssh -i my_key_file admin@public_IP, where the appropriate private key file and public IP or hostname are substituted. In the example below, the key file my_ec2_key is used to connect to the IP address 23.20.204.54. Note that the first time you log into your instance, the ssh key of the instance will not be cached on your computer and you will need to type yes when asked whether you want to continue connecting. This should not be necessary on subsequent sessions.

(Figure: SSH session)

A limited set of configurations is possible through the ssh interface. The preferred method for managing most of the configurations or viewing data on the status of the Netgate pfSense instance is through the https web GUI. To connect via https, you would enter an https:// URL containing the public IP address or hostname of your instance into a web browser. For example, https://23.20.204.54. It's very likely that you will receive a browser warning indicating that the security certificate of the site is not trusted. This is because the instance uses a self-signed certificate for https communication. You should click on the option to proceed to the site anyway. A login screen with the Netgate logo should appear.

(Figure: Login screen)

The username to log in with is admin. The password to use is either the value that you set in the User Data during the creation of the instance or a random password. If you did not set a specific password, you can find out the value that the random password was set to in one of two ways. The first is to log in over ssh with the key pair that you selected when the instance was created and examine the contents of the file located at /etc/motd. You would do this by selecting option 8 (Shell) from the console menu that is presented when you log in and executing cat /etc/motd from the shell. Alternatively, you can view the System Log for the instance in the EC2 Management Console. After the messages that show the status of the boot process, a message should appear that indicates what the administrative password was changed to.

The message you should look for using either of the methods mentioned above will look like this:

***
***
*** Admin password changed to: abcdefg
***
***

In this example, the password was changed to abcdefg.

Be aware that the System Log output in the EC2 Management Console is not updated in real time and may take a few minutes to show up. It is preferable to explicitly set a password by passing a value in with the User Data field so the password will be known in advance. If you want to allow a random password to be set, you should be able to connect via ssh and find out what the password was changed to after the instance is up without any delay.

Once you've determined your password and entered it into the login form, the pfSense Web GUI should be available to you.

Forwarding traffic from VPC subnets through the instance:

Some additional configuration is required within the Netgate appliance instance pfSense web GUI before you are able to manage traffic from the private subnet.

  1. Log into the Web GUI.
  2. Click on the Interfaces heading on the left and then click the Assign link.
  3. Click on the + icon to add a new Interface under the Interface assignments tab. A LAN interface should automatically be added with the next available network interface (xn1).
  4. Click on the Interfaces heading on the left again and then click on LAN. Click the checkbox to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address you assigned to the second interface during the provisioning phase. Click the Save button.

Now, you can create instances attached to your private subnet and protect them with the firewall on your Netgate pfSense Certified appliance instance. Here are some common ways that you might wish to manage these hosts:

  • If you wish for your private hosts to be able to connect to the Internet, you can allow any traffic from the LAN in your firewall rules. There should be a rule like this in place by default. You will need to set up NAT rules to cause addresses in the private subnet to be NATed to the IP address of the WAN interface. Under the Firewall heading on the left, click on the NAT link. On the Outbound tab click the radio button for Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and click on the Save button. There is an existing NAT rule configured by default that uses the alias Networks_to_NAT. Click on the Aliases link under the Firewall heading on the left. Add your private subnet to the Networks_to_NAT alias.
  • If your hosts should only contact each other and a private network segment elsewhere, you can configure an IPsec or OpenVPN tunnel from your remote networks to the Netgate appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to your private subnet through a VPN tunnel.
  • If you wish to enable direct inbound access from the internet to hosts on the private subnet, you can set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.