Azure-specific question: Will pfSense process firewall rules if it only has 1 NIC?



  • Background:

    In an Azure virtual network you can define multiple subnets within the address space you configure. The Azure fabric handles routing packets between subnets using what are called System Routes.

    You can bypass system routes using something called User-defined routes. This is useful for forcing traffic from various subnets to use an appliance (like a pfSense firewall) as the next hop. Note that the appliance must have IP Forwarding enabled so that it does not discard packets that were not addressed to it. (If interested, read more about this here: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/)

    This functionality within an Azure virtual network makes it possible to configure some firewall solutions with a single interface. Basically, the appliance simply receives the packets not addressed to it (due to IP forwarding), processes the traffic based on its firewall rules, and then, if permitted, sends the packets along using its default gateway (since it has no other interface).

    Sorry for the long-winded background, but now my question. Will pfSense process firewall rules on traffic it receives if it only has 1 interface, or will it discard the packets?

    Thanks in advance,
    Steve
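The Azure side of the setup described in the post (IP forwarding on the appliance NIC, a user-defined route whose next hop is the appliance, and the route table attached to the workload subnet), written out as an added Azure CLI example. This is not code from the thread or from the pfSense project; the resource group, VNet, subnet, NIC and IP values are assumptions, and the script defaults to a dry run that prints the `az` commands so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the forum thread): Azure CLI steps that send a
# subnet's traffic through a single-NIC pfSense VM, as in the background above.
# Resource names, address ranges and the appliance IP are assumptions.
# DRY_RUN=1 (the default) prints each az command instead of running it;
# set DRY_RUN=0 to apply the changes for real.

RG="${RG:-rg-pfsense-demo}"             # resource group (assumed)
LOCATION="${LOCATION:-eastus}"          # region (assumed)
VNET="${VNET:-vnet-demo}"               # VNet holding both subnets (assumed)
APP_SUBNET="${APP_SUBNET:-snet-app}"    # workload subnet whose traffic is redirected
FW_NIC="${FW_NIC:-nic-pfsense}"         # the firewall VM's single NIC (assumed)
FW_IP="${FW_IP:-10.0.1.4}"              # private IP of that NIC (assumed)
ROUTE_TABLE="${ROUTE_TABLE:-rt-via-pfsense}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute an az command depending on DRY_RUN.
az_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# 1. The appliance must accept packets not addressed to it, so enable
#    IP forwarding on its NIC; without this the fabric drops that traffic.
enable_ip_forwarding() {
    az_cmd network nic update \
        --resource-group "$RG" --name "$FW_NIC" --ip-forwarding true
}

# 2. Create a route table with a user-defined default route whose next hop
#    is the firewall's private IP (next-hop type VirtualAppliance).
create_route_table() {
    az_cmd network route-table create \
        --resource-group "$RG" --location "$LOCATION" --name "$ROUTE_TABLE"
    az_cmd network route-table route create \
        --resource-group "$RG" --route-table-name "$ROUTE_TABLE" \
        --name default-via-pfsense --address-prefix 0.0.0.0/0 \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_IP"
}

# 3. Attach the route table to the workload subnet only. Do not attach it to
#    the subnet the firewall itself sits in, or the firewall's own forwarded
#    traffic would be routed straight back to it.
associate_subnet() {
    az_cmd network vnet subnet update \
        --resource-group "$RG" --vnet-name "$VNET" --name "$APP_SUBNET" \
        --route-table "$ROUTE_TABLE"
}

configure_single_nic_firewall() {
    enable_ip_forwarding
    create_route_table
    associate_subnet
}

configure_single_nic_firewall
```

After applying, `az network nic show --resource-group "$RG" --name "$FW_NIC" --query enableIPForwarding` is the quick check that step 1 actually took effect; pfSense itself still needs IP forwarding enabled in its own OS, which the single-interface firewall rules then act on.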



  • Firewall rules are still processed with only a single interface, no differently than if you have multiple interfaces.



  • @cmb:

    Firewall rules are still processed with only a single interface, no differently than if you have multiple interfaces.

    Awesome, based on this, I should be able to set up a pfSense FW in Azure with a single interface and have it process the traffic I direct to it. Many thanks for the quick reply!

    Steve

