PFSENSE as a router on AWS



  • Hi guys,
    I am trying to configure pfSense on AWS. My current setup is:
    1 VPC 192.168.0.0/16
    6 private subnets
    1 public subnet 192.168.39.0/24
    Internet Gateway

    OK, so the pfSense is up with 2 NICs, one attached to the public subnet and the other one to one of the private subnets (192.168.38.0/24).

    I have no problem accessing the pfSense from one of the private subnets on the NIC in the private subnet, but I can't access the NIC on the public subnet.

    My end goal here is that all the traffic from the private subnets will route through the pfSense like a normal router.
    What am I missing here?


  • Netgate Administrator

    Where are you testing from? Another instance in the public subnet? Externally using a public IP mapped to the pfSense IP in 39.0/24 in AWS?

    I have seen that sort of setup many times in AWS; it should be relatively easy to accomplish.

    You need to be aware that everything in AWS is DHCP assigned, so pfSense will think it's a 'LAN' and a WAN and NAT out of it, which you probably don't want, so you will need to disable that.

    You will need to disable the source/destination check on the pfSense instance and its internal interface at least, as it's routing traffic.

    Steve



  • @stephenw10 I've tried from several instances on different subnets. The WAN and LAN interfaces are set to DHCP, and I can see from the AWS console what IP has been assigned to each interface and made sure that the interface that has access to the internet gateway is set to be the WAN interface on the pfSense. I also disabled the source/dest checks for all instances including the pfSense, so basically it's as follows:

    LAN interface 192.168.38.236
    WAN interface 192.168.39.86 with Elastic IP attached to it
    The routing table for the private subnets is set as follows:
    192.168.0.0/16 > local
    0.0.0.0/0 > 192.168.38.236 interface (the PFSENSE LAN interface)

    and the routing table for the public subnet is:
    192.168.0.0/16 > local
    0.0.0.0/0 > Internet Gateway
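    A consistency check for the AWS side of the setup listed above (source/dest check off on the routing ENIs, private subnets defaulting to the pfSense LAN ENI, the public subnet defaulting to the IGW), added here as an example and not code from the thread or from Netgate. The data is constructed in the shape of boto3 describe_network_interfaces()/describe_route_tables() output; the ENI, subnet and IGW IDs and the public IP are placeholders.

```python
import copy
# Constructed sample shaped like boto3 describe_network_interfaces()/describe_route_tables()
# output; IDs and the public IP are placeholders, addresses mirror the thread.
ENIS = {
    "eni-LAN": {"SubnetId": "subnet-priv38", "PrivateIpAddress": "192.168.38.236", "SourceDestCheck": False},
    "eni-WAN": {"SubnetId": "subnet-pub39", "PrivateIpAddress": "192.168.39.86", "SourceDestCheck": False,
                "Association": {"PublicIp": "203.0.113.10"}},  # the attached Elastic IP (placeholder)
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv38"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},  # intra-VPC bypasses pfSense
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-LAN"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub39"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
]

def audit(enis, route_tables, lan_eni, wan_eni):
    """Return a list of findings; an empty list means the instance-as-router setup is consistent."""
    findings = []
    # 1. AWS drops packets an ENI forwards (neither src nor dst is its own IP) unless the
    #    source/destination check is off, so the routing instance's ENIs need it disabled.
    for eni_id in (lan_eni, wan_eni):
        if enis[eni_id]["SourceDestCheck"]:
            findings.append(f"{eni_id}: SourceDestCheck enabled; forwarded traffic will be dropped")
    # 2. An IGW route only works for an ENI that has a public/Elastic IP.
    if "Association" not in enis[wan_eni]:
        findings.append(f"{wan_eni}: no public/Elastic IP, cannot reach the internet via the IGW")
    wan_subnet = enis[wan_eni]["SubnetId"]
    for rtb in route_tables:
        rtb_id = rtb["RouteTableId"]
        subnets = [a["SubnetId"] for a in rtb["Associations"] if "SubnetId" in a]
        default = next((r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            findings.append(f"{rtb_id}: no 0.0.0.0/0 route")
        elif wan_subnet in subnets:
            # 3. The public (WAN) subnet must egress straight to an internet gateway.
            if not default.get("GatewayId", "").startswith("igw-"):
                findings.append(f"{rtb_id}: public subnet default route is not an internet gateway")
        elif default.get("NetworkInterfaceId") != lan_eni:
            # 4. Private subnets must hand their default route to the pfSense LAN ENI.
            findings.append(f"{rtb_id}: private subnet default route does not point at {lan_eni}")
    return findings

def broken_variant():
    """Re-enable the LAN check and point the private default route at the IGW to show findings."""
    enis, rtbs = copy.deepcopy(ENIS), copy.deepcopy(ROUTE_TABLES)
    enis["eni-LAN"]["SourceDestCheck"] = True
    rtbs[0]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}
    return audit(enis, rtbs, "eni-LAN", "eni-WAN")
```

    Running audit() on live data means feeding it the real describe_* responses; the check says nothing about pfSense's own gateway or NAT settings, which are inspected inside pfSense.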


  • Netgate Administrator

    Both those subnets are inside the /16, so I could imagine traffic from one to the other might not be routed through pfSense at all. But traffic to/from external sites should be.

    Can you connect to the pfSense gui on the Elastic IP? Assuming you have rules to allow that in AWS and pfSense.

    Can pfSense connect out? See available updates etc?

    Steve



  • Yeah, it looks like the pfSense itself doesn't have any access to the internet. I've tried to ping various IPs like 8.8.8.8 and domain names after I log in to the pfSense using SSH. I've also checked and tried some changes on the WAN interface but still couldn't make it work.
    How is the WAN interface supposed to be configured on AWS? Or is something else required?

    As I mentioned, the routing table associated with the 192.168.39.0/24 subnet (the WAN interface subnet) is set like this:
    192.168.0.0/16 > local
    0.0.0.0/0 > IGW

    So, if I'm not wrong, technically it's supposed to work?


  • Netgate Administrator

    Well it obviously won't work if pfSense can't get out itself.

    Is the WAN side gateway set as default in System > Routing?

    Steve



  • Yeah, it was, but I figured out what went wrong: I didn't have a NAT GW on AWS; I thought that the AWS internet gateway was sufficient.
    Anyway, thanks, couldn't have figured it out without your help :)

