AWS Q: How do I get EC2 machines in private VPC to use pfSense as gateway?

  • Ok here's the setup:
    I have a pfsense EC2 instance running with two NICs, one on a public subnet, and one on a private subnet.
    public subnet: public IP private IP
    private subnet: private IP

    I can access pfsense at and can see I have a LAN configured for

    I also have a server on the private LAN with IP

    Question: How can I configure the VPC so the server (.10) can have a default route of

    Without understanding this, I can't tell how the server (.10) will be NAT'd behind pfsense (

    Note: I tried to add a default route of to the private subnet in AWS VPC equal to the network adapter of but it wouldn't allow.

    I figure there are users here that have an AWS pfSense instance running that have already solved this.

  • LAYER 8 Netgate

    What do you mean "wouldn't allow?" Please expand. I have done just that many times.

  • The method by which I was attempting to configure this was to edit the Routing Table for the private subnet and trying to essentially enter destination= and target= (but instead of entering this, I was presented with the instance ID for the pfsense firewall, which I chose).

    I was presented with the error "There are multiple interfaces attached to instance 'i-xxxxxx'. Please specify an interface ID for the operation instead. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidInstanceID; Request ID: xxxxxxx)"

    Any idea?

    Essentially I'm trying to learn how to setup an isolated private network behind a pfsense EC2 instance. In a traditional network, your servers would be configured with pfSense as the default route, however in AWS, I can't figure out that part yet.

  • LAYER 8 Netgate

    Use the ID of the inside pfSense interface.

  • @Derelict:

    Use the ID of the inside pfSense interface.

    BINGO! That was it. I had to manually copy the Network Interface ID for the LAN adapter on the pfsense instance and paste it into the target for my new default route for the private subnet (writing it out for others to easily follow what I needed to do to solve this).


Log in to reply