• I'm having a tough time getting a pfSense firewall configured correctly on AWS. I have a public subnet and a private subnet configured on AWS and have attached the interfaces (eth0 & eth1) as outlined in https://www.netgate.com/docs/aws-vpn-appliance/vpc-guide.html. I then threw up a generic Windows server (IP address on the private subnet running IIS so that I could test basic connectivity out (ping and RDP) and in (HTTP).

    I can't figure out how to host a webserver out to the Internet in this situation. Do I allocate a new elastic IP? What do I associate it with? I haven't been able to find anyone who has done this that has documented it anywhere on the Internet. I'm pretty sure this is possible but for the life of me I can't figure out how to configure it.

  • Well, I thought the answer would be to assign a secondary IP address ( to my eth0 interface in AWS and then associate an elastic IP to that secondary IP. I've created 1:1 NAT rules linking both the and my new elastic IP to the internal IP address of my host, 172.16.3.50. I've placed any/any/any rules on both WAN and LAN, and still I'm not able to ping either out from or into the host in question.
    Would love some assistance here. We are wanting to roll out these firewalls to our AWS public facing hosts but if I can't get this POC working I'm going to have to go back to square 1.

  • LAYER 8 Netgate

    Like I was saying before, the VPC does 1:1 NAT between the elastic address and the interface address. The instance never holds the elastic IP; the VPC IGW does.

    You would need to:

    1:1 NAT (or port forward 80/443) between the secondary address and the real address of the server.

    Make sure the inside subnet has a routing table matching traffic to any address and forwarding it to the inside pfSense interface.

    The source/dest check on the pfSense instance (and its interfaces) should be disabled.
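    The AWS-side wiring from the answer above, written out as AWS CLI calls. This is an added example, not code from the thread or from Netgate; every instance, ENI, subnet, route-table and allocation ID and the 10.0.1.50 secondary address are hypothetical placeholders (override them through the environment), and 172.16.3.50 is the server address from the thread. By default it is a dry run that prints the commands; DRY_RUN=0 executes them with real credentials. The pfSense-side 1:1 NAT itself is configured in pfSense (Firewall > NAT > 1:1), not through the AWS API, so the script only states what that rule must map.

```shell
#!/bin/sh
# Added example (not from the thread or Netgate): the AWS-side steps for
# publishing a host behind pfSense in a VPC. All IDs below are hypothetical
# placeholders. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
set -u

DRY_RUN="${DRY_RUN:-1}"

PF_INSTANCE="${PF_INSTANCE:-i-0123456789abcdef0}"        # pfSense instance (hypothetical)
PF_WAN_ENI="${PF_WAN_ENI:-eni-0aaaaaaaaaaaaaaaa}"        # eth0, public subnet (hypothetical)
PF_LAN_ENI="${PF_LAN_ENI:-eni-0bbbbbbbbbbbbbbbb}"        # eth1, private subnet (hypothetical)
PRIVATE_SUBNET="${PRIVATE_SUBNET:-subnet-0ccccccccccccccc}"
PRIVATE_RTB="${PRIVATE_RTB:-rtb-0ddddddddddddddd}"
WAN_SECONDARY_IP="${WAN_SECONDARY_IP:-10.0.1.50}"        # extra private IP on eth0 (assumed)
SERVER_IP="${SERVER_IP:-172.16.3.50}"                    # the IIS host from the thread

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: add a secondary private address to the pfSense WAN ENI. The Elastic IP
# maps to this address; the instance itself never holds the public address.
add_secondary_ip() {
  run aws ec2 assign-private-ip-addresses \
    --network-interface-id "$PF_WAN_ENI" \
    --private-ip-addresses "$WAN_SECONDARY_IP"
}

# Step 2: bind an already allocated EIP (aws ec2 allocate-address --domain vpc)
# to that specific private address. This is the VPC's own 1:1 NAT: the IGW
# translates EIP <-> WAN_SECONDARY_IP; nothing on pfSense is needed for it.
associate_eip() {
  alloc_id="$1"
  run aws ec2 associate-address \
    --allocation-id "$alloc_id" \
    --network-interface-id "$PF_WAN_ENI" \
    --private-ip-address "$WAN_SECONDARY_IP"
}

# Step 3: pfSense forwards packets whose addresses are not its own, so the
# source/destination check must be off on the instance and on both ENIs.
disable_src_dst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$PF_INSTANCE" --no-source-dest-check
  run aws ec2 modify-network-interface-attribute --network-interface-id "$PF_WAN_ENI" --no-source-dest-check
  run aws ec2 modify-network-interface-attribute --network-interface-id "$PF_LAN_ENI" --no-source-dest-check
}

# Step 4: the private subnet's route table must send everything to the pfSense
# LAN ENI, otherwise return traffic from the server never reaches the firewall.
route_private_subnet_via_pfsense() {
  run aws ec2 create-route --route-table-id "$PRIVATE_RTB" \
    --destination-cidr-block 0.0.0.0/0 --network-interface-id "$PF_LAN_ENI"
  run aws ec2 associate-route-table --route-table-id "$PRIVATE_RTB" --subnet-id "$PRIVATE_SUBNET"
}

# Step 5 is done in pfSense, not via the AWS API: a 1:1 NAT (or port forward
# for 80/443) on WAN from WAN_SECONDARY_IP to SERVER_IP, plus a WAN rule that
# allows the ports. This only states the mapping that rule must implement.
pfsense_nat_summary() {
  printf '1:1 NAT on WAN: external %s -> internal %s\n' "$WAN_SECONDARY_IP" "$SERVER_IP"
}

# Read back the settings that most often break this setup.
verify() {
  run aws ec2 describe-network-interfaces --network-interface-ids "$PF_WAN_ENI" "$PF_LAN_ENI" \
    --query 'NetworkInterfaces[].[NetworkInterfaceId,SourceDestCheck,PrivateIpAddresses[].PrivateIpAddress]'
  run aws ec2 describe-route-tables --route-table-ids "$PRIVATE_RTB" \
    --query 'RouteTables[].Routes[].[DestinationCidrBlock,NetworkInterfaceId]'
}

add_secondary_ip
associate_eip "${EIP_ALLOCATION_ID:-eipalloc-0eeeeeeeeeeeeeeee}"
disable_src_dst_check
route_private_subnet_via_pfsense
pfsense_nat_summary
verify
```

    Run it once as a dry run and read the printed commands before setting DRY_RUN=0. The two checks in verify() are the ones worth looking at when pings still fail: SourceDestCheck must be false on both ENIs, and the private route table must carry a 0.0.0.0/0 route pointing at the LAN ENI rather than at the IGW.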

  • @derelict, I appreciate the response. A second reading of your comment straightened me out. Your kind hand-holding has earned Netgate a customer!