Set Up pfSense Plus Firewall on AWS
pfSense Plus is a cloud-based firewall solution that not only secures the VM network but also provides routing and VPN functionality. To set up pfSense Plus on AWS, here is the configuration summary:
- Set up a VPC for pfSense.
- Create the pfSense Plus VM instance.
- Lastly, apply basic firewall rules.
Set Up AWS VPC for pfSense
A VPC (Virtual Private Cloud) is an AWS virtual network; it provides us with a separate network space to launch our EC2 instances and other related AWS services. You may use your root user or an IAM user to set up the VPC for pfSense.
The following VPC components are to be configured before setting up pfSense Plus:
- Subnets
- Security Groups
- Routing Table
- Internet Gateway
Subnets
Each customer in AWS is assigned a default VPC in each region. If you go to the web console, type VPC in the search bar and select VPC, you will see the default VPC details, and under IPv4 CIDR (Classless Inter-Domain Routing) you will see the address range 172.31.0.0/16. It is very important to understand the significance of this address range before creating a subnet.
This address range belongs to RFC 1918, and AWS strongly recommends using it with your VPCs. The RFC 1918 private address ranges (non-globally routable IP addresses) are as follows:
- Class A CIDR Range: 10.0.0.0-10.255.255.255 (10.0.0.0/8)
- Class B CIDR Range: 172.16.0.0-172.31.255.255 (172.16.0.0/12)
- Class C CIDR Range: 192.168.0.0-192.168.255.255 (192.168.0.0/16)
Choosing the right CIDR range for our subnets is of extreme importance because it should not match or overlap with our on-premise/local network space; an overlap creates a conflict for services such as remote VPNs, RDP, etc., and one would not like to reconfigure the local network or the AWS VPC after having it all set up. So if you are using a Class C CIDR at the local office, don’t use the same for the AWS VPC.
Let us use the default address space (172.31.0.0/16) for our VPC and create two subnets, a private and a public subnet. The private subnet will allocate IP addresses to our critical VMs, as we don’t want them to be exposed to the Internet/public; the pfSense LAN interface will also have an IP address from the private subnet.
The public subnet will allocate an IP address to the pfSense WAN interface; the WAN interface then deals with the Internet inbound and outbound traffic.
To create subnets, go to the VPC page and select Subnets from the left menu. You will see 3 default subnets: 172.31.16.0/20, 172.31.32.0/20 and 172.31.0.0/20. Let us delete these subnets and create new ones as per our need, so select these subnets altogether and select Delete subnet.

Note: In order to create the custom subnets, you must delete the default subnets, as they overlap with the custom public and private subnets.
On the Subnets page, select the Create subnet button on the right. On the Create subnet page, under VPC ID, select the default VPC 172.31.0.0/16 from the list; this will open the Subnet settings section. Under Subnet name, type public; under Availability Zone, choose a zone out of the three, and remember to choose the same zone for both subnets; under IPv4 CIDR block, type 172.31.1.0/24. Then, in the same section, select Add new subnet. Under Subnet name, type private; under Availability Zone, choose the same zone; and under IPv4 CIDR block, type 172.31.2.0/24. Select the Create subnet button; this will create two subnets:
- public, with the subnet address 172.31.1.0/24
- private, with the subnet address 172.31.2.0/24
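The overlap rules described above can be checked before touching the console. This is an added example, not part of the original tutorial; the function name and the on-premise range are assumptions chosen for illustration, while the VPC and subnet CIDRs are the tutorial's own.

```python
import ipaddress

# RFC 1918 private ranges listed above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnet_plan(vpc_cidr, planned, existing=(), on_prem=()):
    """Return a list of problems with the planned subnets; empty means usable."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not any(vpc.subnet_of(r) for r in RFC1918):
        problems.append(f"VPC {vpc} is outside RFC 1918 space")
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in planned.items()}
    for name, net in nets.items():
        # A subnet must be carved out of the VPC's own CIDR block.
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
        for label, others in (("existing subnet", existing),
                              ("on-premise network", on_prem)):
            for cidr in others:
                if net.overlaps(ipaddress.ip_network(cidr)):
                    problems.append(f"{name} {net} overlaps {label} {cidr}")
    # The planned subnets must not overlap each other either.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


# Values from this tutorial; the on-premise range is a constructed sample.
VPC = "172.31.0.0/16"
PLANNED = {"public": "172.31.1.0/24", "private": "172.31.2.0/24"}
DEFAULT_SUBNETS = ["172.31.16.0/20", "172.31.32.0/20", "172.31.0.0/20"]
ON_PREM = ["192.168.1.0/24"]

if __name__ == "__main__":
    print("with default subnets present:")
    for p in check_subnet_plan(VPC, PLANNED, DEFAULT_SUBNETS, ON_PREM):
        print("  -", p)
    print("after deleting them:",
          check_subnet_plan(VPC, PLANNED, (), ON_PREM) or "no problems")
```

Of the three default subnets, only 172.31.0.0/20 actually collides with the two new /24 blocks.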

Security Groups
Security groups are the firewall rules for our VM instances and are applied to incoming and outgoing traffic. We need to create two security groups, one for the LAN side and one for the WAN side of pfSense. To do so, from the EC2 section –> under Network & Security –> Security Groups –> from the right side section select Create security group and add the details as follows:
LAN Side Security Group
- Security group name: Type, VMs.
- Description: Type, VMs.
- VPC: Select your VPC.
- Inbound rules: Select Add rule –> select All traffic from the menu –> then under Source, select Anywhere-IPv4, and then select 0.0.0.0/0 (this will allow all incoming traffic from the LAN side of pfSense to our VMs and also allow inter-VM traffic).
- Outbound rules: Leave at the default settings.
Next, select Create security group; this will create the LAN side security group.
WAN Side Security Group
From the EC2 section –> under Network & Security –> Security Groups –> from the right side section select Create security group and add the details as follows:
- Security group name: Type, WAN.
- Description: Type, WAN.
- VPC: Select your VPC.
- Inbound rules: We need to add 3 rules:
  - Select Add rule –> under Type, select HTTP from the menu –> under Source select Anywhere-IPv4, then select 0.0.0.0/0.
  - Select Add rule –> under Type, select HTTPS from the menu –> under Source select Anywhere-IPv4, then select 0.0.0.0/0.
  - Select Add rule –> under Type, select SSH from the menu –> under Source select Anywhere-IPv4, then select 0.0.0.0/0.
  These rules allow SSH, web and secure-web access to your pfSense Plus instance. 0.0.0.0/0 means from any subnet on the Internet; you can restrict access using an alias.
- Outbound rules: Leave at the default settings.
Next, select Create security group; this will create the WAN side security group.
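Both groups above accept traffic from 0.0.0.0/0, and on the WAN group that exposes the firewall's SSH and web management ports to the whole Internet. The following added example (not part of the original tutorial) audits security groups in the shape returned by `aws ec2 describe-security-groups` and shows the WAN rules narrowed to one administrative range; the sample groups are constructed, and `ADMIN_CIDR` and the function names are assumptions.

```python
import copy

WORLD = "0.0.0.0/0"


def world_open_rules(group):
    """List (rule, cidr) for every inbound rule open to any IPv4 source."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm["IpProtocol"] == "-1":          # console choice "All traffic"
            label = "all traffic"
        else:
            label = f'{perm["IpProtocol"]}/{perm["FromPort"]}-{perm["ToPort"]}'
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == WORLD:
                findings.append((label, rng["CidrIp"]))
    return findings


def restrict_ports(group, admin_cidr, ports):
    """Return a copy with world-open TCP rules on `ports` limited to admin_cidr."""
    tightened = copy.deepcopy(group)            # never mutate the audited input
    for perm in tightened["IpPermissions"]:
        single_port = perm.get("FromPort") == perm.get("ToPort")
        if (perm["IpProtocol"] == "tcp" and single_port
                and perm.get("FromPort") in ports):
            for rng in perm["IpRanges"]:
                if rng["CidrIp"] == WORLD:
                    rng["CidrIp"] = admin_cidr
    return tightened


def tcp(port, cidr=WORLD):
    """Build one single-port TCP inbound rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: the two groups as this tutorial creates them.
WAN = {"GroupName": "WAN", "IpPermissions": [tcp(80), tcp(443), tcp(22)]}
VMS = {"GroupName": "VMs",
       "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORLD}]}]}
ADMIN_CIDR = "203.0.113.0/24"   # assumption: your admin range (documentation block)

if __name__ == "__main__":
    for g in (WAN, VMS):
        print(g["GroupName"], world_open_rules(g))
    hardened = restrict_ports(WAN, ADMIN_CIDR, ports={22, 80, 443})
    print("WAN after restriction:", world_open_rules(hardened))
```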
The Routing Table
If you select Route Tables from the left pane, you will see the default routing table for the VPC.

On the routing tables page, you will see the default VPC ID and the default route table ID in the upper section, and the Routes and Subnet associations tabs in the lower section. By selecting the Routes tab you will see the default routing table, which has 2 routes.

The first route (Destination: 172.31.0.0/16) is for traffic within the VPC; the traffic can be between the VMs, or between the VMs and the firewall. The second route uses an internet gateway, which provides access to the Internet.
pfSense Plus will need two routing tables, a public and a private routing table. The public routing table will provide Internet access (public access) to pfSense, and the private routing table will be used to secure our internal network (private access).
For the public routing table, we will use the default routing table and rename it Public; for private access we will create a new routing table and name it Private.
Let us rename the default routing table to Public and associate it with the public subnet.

After renaming, scroll down and select the Subnet associations section, then select Edit subnet associations, select the public subnet and press the Save associations button.

After this, from the right pane select the Create route table button. This will open another window; type Private in the name field, select the default VPC from the drop-down list and then press the Create route table button.

After this, repeat the association procedure for the Private routing table: select Private from the routing table section, scroll down and select the Subnet associations section, select Edit subnet associations, then select the private subnet and press the Save associations button.
Internet Gateway
The internet gateway maps (1:1 NAT) a local AWS IP address (the pfSense WAN IP) to the public IP address assigned by AWS. By default, an internet gateway is already attached to our VPC. You can select Internet Gateways from the left pane in the VPC section.
Elastic IP Address
By default, when we create an AWS instance, a public IP address is associated with it; this IP address is used to access our VM instance for remote access and management. This public IP address is dynamic and changes on instance reboot. To fix this, we need to add an Elastic IP address, which remains fixed and does not change after reboot.
We need to create an Elastic IP and attach it to our instance. Select Elastic IPs from the left pane in the VPC section, from the right pane select Allocate Elastic IP address, then select Amazon’s pool of IPv4 addresses and select Allocate. This creates a static public IP address, which will appear in the right pane.
You can select this newly created IP address and rename it to something related, e.g. Pfsense_IP or FW_IP. Later, this IP address will be attached to our pfSense Plus VM instance. Also, don’t forget to note the Elastic IP address.
Creating Pfsense Plus Instance
You may choose any instance type from nano to a large instance type. If there are just a few instances to secure, I would suggest a nano or a micro instance, as it will suffice for a basic to medium level of pfSense security features and packages.
For this tutorial, I am going to choose the instance type nano; it’s the smallest instance available for pfSense. I am using it for OpenVPN remote access and as an S2S gateway, plus it will provide basic-level security to my work VMs.
In order to create a pfSense Plus instance, select Launch instance from the EC2 Dashboard, then follow these instructions:
- Name and tags: PFS01.
- Application and OS Images (Amazon Machine Image): Search for the keyword Pfsense, and you will be shown results for Marketplace AMIs and Community AMIs. You may choose Community AMIs (they sometimes need a little tweaking before usage); for this tutorial I will be using a Marketplace AMI. Select Marketplace AMI, then select Netgate pfSense Plus Firewall/VPN/Router, and then select Continue.
- Instance type: Select the instance type t2.nano.
- Key pair (login): Select Create new key pair, then for Key pair name: PFS01, Key pair type: RSA, Private key file format: pem or ppk. The key pair is used for remote SSH into your pfSense instance; it’s up to you which format you choose. For this tutorial I will choose pem (you can also convert pem to ppk later). Lastly, select Create new key pair; this will download the key pair to your system (keep the key pair secure, as without it you won’t be able to SSH into your VM).
- Network settings: Select Edit, under Subnet –> select the Public subnet, for Auto-assign public IP –> Disable, for Firewall (security groups) –> Select existing security group –> Common security groups –> choose WAN. After this, select Advanced network configuration –> Add network interface –> under Network interface 1 –> Subnet –> choose Private –> Security groups.
- Configure storage: Leave as default (you may choose as per need).
- Advanced details: Move to the User data text field and type password=1234 (or your desired one). This is going to be the default password for pfSense, and it can and should be changed later using the web console.
After this, from the Summary pane, select Launch instance. This will launch the pfSense instance; it will take a few minutes to change its state from Pending to Running.
Once the instance is running, it is time to create and associate the Elastic IP with our instance. From the EC2 section, under Network & Security select Elastic IPs, then from the right section select Allocate Elastic IP address, leave all the settings at default and select Allocate.
Once the Elastic IP address is allocated, select the Actions menu from the top right corner and then select Associate Elastic IP address. After this, select your instance PFS01 from the Instance field and select Associate.
Pfsense Plus Default Password
While creating our pfSense Plus instance, if we don’t add a password in the Advanced details section, the default password will be a random text containing alphanumeric and some special characters. In order to see this password you will need to view the system logs.
To check the system logs, select the EC2 section –> select your pfSense Plus instance –> select Actions –> select Monitor and troubleshoot –> Get system log. Once you find the default password, change it to a desired one.
Adding A LAN Interface
Once the pfSense Plus instance is created, we need to create a network interface, name it LAN and associate it with our already created private subnet. To do so, under the EC2 section –> under Network & Security select Network Interfaces –> from the right section select Create network interface, and then add the details as follows:
- Description – optional: Type, LAN.
- Subnet: Choose the Private subnet.
- Private IPv4 address: Choose, Custom.
- IPv4 address: Add, 172.31.2.5. AWS VPC reserves IP addresses from 172.31.2.1 to 172.31.2.4, so allocate beyond this range.
- Security groups: Select the group name, VMs.
After this, select Create network interface, which creates the LAN interface. Now select the interface and name it LAN by editing the Name field, and repeat this for the WAN interface accordingly.
Configuring LAN & WAN Interface
To finalize the Network Interfaces configuration, we need to do two more steps:
- Select the LAN interface, copy the Network interface ID and paste it into a text editor. Save the ID and move to the routing table section, where we add a new route to the Private routing table. Select Routes –> Edit routes –> Add route –> then for Destination, type 0.0.0.0/0, and for the Target, choose Network Interface, then match the network interface ID for the LAN interface from the text editor, select it and then select Save changes.
This will provide a default route to our internal network; thus internal VMs will use the pfSense LAN interface to reach the Internet and any other external destination.
- Select the LAN interface, from the Actions menu –> Change source/dest. check –> uncheck Enable –> select Save. After this, select the WAN interface, from the Actions menu –> Change source/dest. check –> uncheck Enable –> select Save. Disabling the source/dest. check allows NAT functionality at the interface.
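The two steps above can be verified from the output of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`. This is an added example, not part of the original tutorial: the interface and gateway IDs are constructed placeholders and the function name is an assumption.

```python
def check_private_path(route_table, interfaces, lan_eni_id):
    """Return problems that stop private-subnet traffic from flowing through pfSense."""
    problems = []
    defaults = [r for r in route_table.get("Routes", [])
                if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not defaults:
        problems.append("private route table has no 0.0.0.0/0 route")
    for route in defaults:
        if route.get("GatewayId", "").startswith("igw-"):
            # VMs would reach the Internet without passing the firewall.
            problems.append(f"default route goes straight to {route['GatewayId']}")
        elif route.get("NetworkInterfaceId") != lan_eni_id:
            problems.append("default route does not target the pfSense LAN interface")
        elif route.get("State") == "blackhole":
            problems.append("default route is a blackhole (interface detached or deleted)")
    for eni in interfaces:
        # A missing key is treated as enabled, which is the AWS default.
        if eni.get("SourceDestCheck", True):
            problems.append(f"{eni['NetworkInterfaceId']} still has source/dest. check enabled")
    return problems


# Constructed placeholders, not real resource IDs.
LAN_ENI = "eni-0aaaaaaaaaaaaaaaa"
WAN_ENI = "eni-0bbbbbbbbbbbbbbbb"
LOCAL = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}

PRIVATE_OK = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                 "NetworkInterfaceId": LAN_ENI, "State": "active"}]}
PRIVATE_VIA_IGW = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                      "GatewayId": "igw-0example", "State": "active"}]}
ENIS_OK = [{"NetworkInterfaceId": LAN_ENI, "SourceDestCheck": False},
           {"NetworkInterfaceId": WAN_ENI, "SourceDestCheck": False}]
ENIS_LAN_CHECKED = [{"NetworkInterfaceId": LAN_ENI, "SourceDestCheck": True},
                    {"NetworkInterfaceId": WAN_ENI, "SourceDestCheck": False}]

if __name__ == "__main__":
    print(check_private_path(PRIVATE_OK, ENIS_OK, LAN_ENI) or "private path OK")
    for problem in check_private_path(PRIVATE_VIA_IGW, ENIS_LAN_CHECKED, LAN_ENI):
        print("-", problem)
```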
Basic Configuration for Pfsense Plus Using Web Console
By now, if everything has gone right, you should be able to access the pfSense Plus web interface using the Elastic IP address. Just type your Elastic IP address into the browser window and hit Enter, bypass the SSL certificate warning and proceed to the pfSense Plus web interface, then type in the username admin and, for the password, use your previously configured password.
If you see the welcome screen, well done! You are almost done. If you want to change the previously configured password, follow the welcome screen instructions; or else, skip the welcome screen by selecting from the top menu System –> General Setup –> under System, for Hostname type PFS01 and for Domain type any domain name by following the instructions.
Scroll down to the Localization section, choose your related timezone, scroll down to the bottom and hit the Save button.
Now, from the top menu select Interfaces –> Assignments –> Available network ports –> under Network port select xn1 –> select the +Add button, which will add the LAN interface to the pfSense Plus web console.
Next, from the top menu, select Interfaces –> LAN –> check the Enable Interface option –> for IPv4 Configuration Type choose Static IPv4 –> scroll down to the Static IPv4 Configuration section –> for IPv4 Address type 172.31.2.5 and choose /24 for the subnet mask –> scroll down and hit the Save button.
Let’s add a basic firewall rule to our newly assigned LAN interface for its proper functionality. Select Firewall –> Rules –> select LAN –> select Add –> under Edit Firewall Rule scroll down to Protocol and choose any –> move to the Source section; for Source, choose LAN net from the list –> scroll down and hit the Save button –> then select Apply Changes.
Validate Pfsense Plus Configuration
Now, to validate our configuration, we need to check whether we can reach the Internet from our private subnet (AWS internal network / VM subnet). From the top menu select Diagnostics –> Ping –> for Hostname type 8.8.8.8 –> for Source address select LAN –> hit the Ping button. If we get a reply from 8.8.8.8, our configuration is a success.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.107/1.128/1.163/0.025 ms
Note: While launching any instance behind the pfSense Plus firewall, make sure the Private subnet is selected under Network settings and the security group is VMs.
When we create a VM in the private subnet, we do not allocate a public IP address to it, as this would defeat the whole purpose of firewall security. So how do we access our VMs otherwise? There are three common methods to access a VM behind the pfSense Plus firewall:
- OpenVPN Port Forwarding
- Remote Access OpenVPN Gateway
- SSH Tunneling (Basic Concept)