    Azure Firewall Setup

    14 Posts 3 Posters 2.2k Views
    • Derelict (LAYER 8 Netgate)

      I don't think you can do that.

      I would put one on the same subnet as the LAN interface and try changing the 0.0.0.0/0 route on that and see if you at least can get a normal, natted LAN connection going.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • twistedstorm

        So attempt LAN and WAN on the same subnet, add the 0.0.0.0/0 route and see if a NAT connection can be had. I'm no expert at networking; could it be possible that 1:1 NATting could be used to allow the use of the Azure front-facing public IPs? How do we have two port 80s on one IP? We have a few front-end applications we'd like to protect, but they share several of the same ports; currently we are doing this with NSGs.

        • Derelict (LAYER 8 Netgate)

          That can be done if:

          1. Azure will route public addresses to the public address of pfSense. In this case you might be able to just use the publics as they are.

          2. Azure will allow multiple public addresses on the WAN interface.

          https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-powershell

          You might be able to get away with one outside address for multiple inside servers by using something like HAproxy to steer the traffic to the correct server based on requested hostname or SNI.


          • twistedstorm

            Any idea why, when I route 0.0.0.0/0 to the appliance, I lose all communication to the VMs on the LAN subnet?

            • Derelict (LAYER 8 Netgate)

              Did you try it like I suggested with an interface on the LAN subnet + NAT instead of those publics?

              Azure has zero way of knowing it needs to route those inside publics to the pfSense WAN. If it is going to be possible, that needs to happen.


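The "route 0.0.0.0/0 to the appliance" step the thread keeps coming back to, written out with the Az PowerShell module as an added example (not code from any poster). It uses the addresses posted in the thread (pfSense LAN 10.0.2.4 on 10.0.2.0/24, WAN 10.0.3.5); resource group, region, VNet, NIC and subnet names are placeholders, and the IP-forwarding step is a general Azure requirement for any VM acting as a next hop, not something the thread itself states.

```powershell
# Added example (not from this thread): default route via pfSense, done with Az PowerShell.
# Addresses are the ones posted in the thread; resource names are placeholders.
$rg     = 'rg-pfsense'        # placeholder resource group
$loc    = 'eastus'            # placeholder region
$vnet   = 'vnet-lab'          # placeholder VNet holding 10.0.2.0/24 and 10.0.3.0/24
$lanNic = 'pfsense-lan-nic'   # placeholder: pfSense NIC carrying 10.0.2.4
$wanNic = 'pfsense-wan-nic'   # placeholder: pfSense NIC carrying 10.0.3.5
$vmNic  = 'app-vm-nic'        # placeholder: a protected VM's NIC on 10.0.2.0/24

# 1. Azure only delivers packets not addressed to a NIC's own IP when IP forwarding
#    is enabled on that NIC; otherwise the platform drops them before pfSense sees them.
foreach ($name in $lanNic, $wanNic) {
    $nic = Get-AzNetworkInterface -Name $name -ResourceGroupName $rg
    $nic.EnableIPForwarding = $true
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# 2. Route table whose default route points at the pfSense LAN address.
$rt = New-AzRouteTable -Name 'rt-via-pfsense' -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $rt -Name 'default-via-pfsense' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance `
    -NextHopIpAddress '10.0.2.4' | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null

# 3. Associate it with the LAN subnet only ('lan' is a placeholder subnet name).
#    Every off-subnet packet from that subnet now goes through pfSense, including
#    replies to sessions that reached a VM through its own public IP, so those
#    sessions break unless pfSense becomes the only ingress path as well.
$net = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $net -Name 'lan' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $net | Out-Null

# 4. Confirm what a VM NIC actually received (the portal's "Effective routes" view).
Get-AzEffectiveRouteTable -NetworkInterfaceName $vmNic -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

If step 4 shows the 0.0.0.0/0 entry with NextHopType VirtualAppliance and state Active, the Azure side is routing to pfSense and any remaining loss of connectivity is on the pfSense interface, NAT or rule side.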
              • twistedstorm

                I'm a little confused. Interface on the LAN subnet? What exactly would you like me to do with the interfaces and routes? Currently I have two interfaces in the system:
                WAN = 10.0.3.5 and LAN = 10.0.2.4

                In Azure I have two virtual subnets, 10.0.3.0/24 and 10.0.2.0/24.
                NAT set to manual.
                Allow all on the LAN and WAN for testing.

                Been going at this 10 hrs a day since Saturday; I'll try anything at this point to get it working. Never was this hard to install pfSense locally :)

                Help greatly appreciated.

                (Attachments: Effective Routes.png, nat.png, pfsenseinterfaces.png, subnets.png, routes.png)

                • Derelict (LAYER 8 Netgate)

                  > In Azure I have two virtual subnets 10.0.3.0/24 and 10.0.2.0/24

                  Looks like that LAN interface is 10.0.2.4/32 to me.


                  • twistedstorm

                    Updated the LAN interface to /24 and removed the old NAT entries. This is what I have now; not even seeing the attempts to connect in the firewall log.

                    (Attachments: laninterfaceupdated.png, natupdated.png)

                    • twistedstorm

                      Another interesting thing is that I can ping from the LAN IP, but I can never get connected to or ping the systems in the LAN subnet.

                      (Attachment: pingfromlan.png)

                      • ChrisT

                        Was this ever worked out? I am in a similar situation...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.