PfSense On Azure
-
Hello everyone,
First thing: I'm new to firewalls and NAT concepts in general :D
The ultimate goal is to set up a DMZ and/or do some port forwarding, etc. as a POC (surely not for any type of production).
I was able to configure a pfSense machine running on Azure with two NICs with the following configuration:
- I have a VNET with address range 172.16.0.0/12, with two subnets, 172.16.0.0/24 & 172.16.2.0/24
- The first NIC (LAN) is associated with the first subnet, with static IP 172.16.0.10 and with a public IP address provided by Azure.
- The second NIC (WAN) is associated with the second subnet, DHCP enabled; the dynamic IP address is 172.16.2.4.
My issue is, I'm not able to access the HTTPS administration site or SSH using the public IP address associated with the LAN NIC, but it works perfectly if I try accessing from another MS Windows VM inside the same LAN subnet (172.16.0.0/24).
I already added the public IP address 51.136.54.*** as a virtual IP (if this is necessary)
and created a LAN firewall rule to allow any kind of connection. Also, I can see the traffic coming from my home machine's public IP to the LAN IP in the system logs, but no response is coming back (as attached), even if I try to access from the local machine in the same subnet using the public IP.
Your help and instructions would be appreciated, and I'm ready to give any additional details, either about my issue or about how I did these things …
Thanks
-
Hey there
Normally you would assign your WAN interface to the NIC that's connected to your public IP address and your LAN interface to the private subnet. I would not recommend assigning your LAN interface to a private subnet and to your public IP address simultaneously, in any case whatsoever.
IMHO, the assignments should be like this:
WAN -> public IP address provided by Azure (only)
LAN -> private subnet (only)
I don't think it's necessary, or that it makes sense, to add a virtual IP in this case. I'm not familiar with Azure, but if you can add more virtual interfaces to your pfSense VM, go ahead and add one if you need another private subnet.
Now of course with this configuration you cannot access the web configurator from the Internet. But I wouldn't recommend making it available to the Internet anyway. So if you can keep your Windows VM that's in the same private subnet, access the web configurator from there.
Of course there are other options to achieve what you're trying to do, but I think just using another VM in the same private subnet is the easiest way.
Greetings, Philipp
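Editor's note: the layout Philipp describes (public IP on the WAN NIC only, LAN NIC private only, management reachable only from inside the LAN subnet) can be built on the Azure side with the Az PowerShell module. The script below is an added example, not code from the thread, from Netgate or from Microsoft. It reuses the address ranges from the original post (VNet 172.16.0.0/12, LAN 172.16.0.0/24 with pfSense at 172.16.0.10, WAN 172.16.2.0/24); the resource group, region and resource names are assumptions. The public IP is left for Azure to allocate, since the poster's address is redacted. Two details matter beyond the NIC assignment and are easy to miss: IP forwarding must be enabled on both NICs, otherwise Azure drops the packets pfSense forwards between the subnets, and the LAN subnet needs a route table sending 0.0.0.0/0 to pfSense, otherwise the Windows VM never sends its traffic through the firewall at all.

```powershell
# Added example (Az PowerShell), not from the original thread.
# Assumed names: resource group, region and all resource names below.
# Run after Connect-AzAccount. Requires the Az.Network / Az.Resources modules.
$rg  = 'pfsense-poc-rg'        # assumption
$loc = 'westeurope'            # assumption
$lanCidr   = '172.16.0.0/24'   # from the post: LAN subnet, the only management source
$wanCidr   = '172.16.2.0/24'   # from the post: WAN subnet
$pfLanIp   = '172.16.0.10'     # from the post: pfSense LAN address

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# VNet with the two subnets from the post.
$wanSubnet = New-AzVirtualNetworkSubnetConfig -Name 'wan' -AddressPrefix $wanCidr
$lanSubnet = New-AzVirtualNetworkSubnetConfig -Name 'lan' -AddressPrefix $lanCidr
$vnet = New-AzVirtualNetwork -Name 'pfsense-vnet' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '172.16.0.0/12' -Subnet $wanSubnet, $lanSubnet

# The only public IP, to be attached to the WAN NIC. A Standard-SKU public IP
# accepts no inbound traffic from the Internet until an NSG rule allows it.
$pip = New-AzPublicIpAddress -Name 'pfsense-wan-pip' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard

# WAN NSG with no custom rules: Azure's default rules deny inbound from the
# Internet, so 22/443 on pfSense stay closed on the WAN side. When a DMZ service
# is later published through pfSense NAT, add an Allow rule here for that port only.
$wanNsg = New-AzNetworkSecurityGroup -Name 'pfsense-wan-nsg' -ResourceGroupName $rg -Location $loc

# LAN NSG: WebGUI (443) and SSH (22) to pfSense only from inside the LAN subnet,
# i.e. from the Windows jump VM Philipp suggests.
$lanMgmtRule = New-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-from-lan' `
    -Description 'pfSense WebGUI/SSH reachable only from the LAN subnet' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $lanCidr -SourcePortRange * `
    -DestinationAddressPrefix $pfLanIp -DestinationPortRange 443, 22
$lanNsg = New-AzNetworkSecurityGroup -Name 'pfsense-lan-nsg' -ResourceGroupName $rg -Location $loc `
    -SecurityRules $lanMgmtRule

# NICs: public IP on the WAN NIC only; LAN NIC gets the static private address
# and nothing else. IP forwarding on both, or Azure drops forwarded packets.
$vnet   = Get-AzVirtualNetwork -Name 'pfsense-vnet' -ResourceGroupName $rg
$wanNic = New-AzNetworkInterface -Name 'pfsense-wan-nic' -ResourceGroupName $rg -Location $loc `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'wan').Id `
    -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $wanNsg.Id -EnableIPForwarding
$lanNic = New-AzNetworkInterface -Name 'pfsense-lan-nic' -ResourceGroupName $rg -Location $loc `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'lan').Id `
    -PrivateIpAddress $pfLanIp -NetworkSecurityGroupId $lanNsg.Id -EnableIPForwarding

# Route table on the LAN subnet: send everything from the LAN (the Windows VM,
# a future DMZ host) through pfSense instead of straight out via Azure's own NAT.
$defaultRoute = New-AzRouteConfig -Name 'default-via-pfsense' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $pfLanIp
$lanRt = New-AzRouteTable -Name 'lan-rt' -ResourceGroupName $rg -Location $loc -Route $defaultRoute
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'lan' -AddressPrefix $lanCidr `
    -RouteTable $lanRt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# The pfSense VM itself is created with $wanNic as the primary NIC and $lanNic second
# (Add-AzVMNetworkInterface -Id $wanNic.Id -Primary, then -Id $lanNic.Id); image and
# size depend on the marketplace offer in use and are left out here.
```

Two practical notes. First, the symptom in the original post (the request is logged on the LAN interface but no reply ever comes back) is what to expect when the public IP sits on a NIC that is not the one carrying pfSense's default gateway: Azure delivers the inbound packet to the LAN NIC's private address, but the reply to an Internet source follows the default route out of the WAN NIC, and Azure will not send it back through the public IP it did not arrive on. Moving the public IP to the WAN NIC, as above, removes that asymmetry. Second, once the LAN route table is in place, the jump VM's own Internet access also goes through pfSense, so an outbound NAT rule on WAN is needed before that VM can reach anything beyond the VNet.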