pfSense in Azure



  • Wanted to show what a working setup looks like for the pfSense appliance in Azure. I just didn't find what I needed on here when my setup wasn't working; luckily, OrdinaryOrange over on ServerFault posted their config and it worked great for me. Here it is:

    Setup assumes that this is a brand new Resource Group with two subnets (pfsense & LAN) and that you've placed one or more VMs inside the LAN.

    • Spin up the pfSense appliance using the marketplace template and place it in the pfsense subnet
    • Edit the VM to add a second NIC and place it in your LAN subnet
    • Edit WAN NIC and ensure both public and private IPs are set to Static
    • Edit LAN NIC and ensure private IP is set to Static
    • Go into both fw's NICs and enable IP forwarding (important!)
    • Connect to the public IP and run through the webconfig to set up the appliance
    • Run through any hardening you'd normally do at this point (change management port, allow access only from trusted IPs, etc)
    • Remove the NSG that was assigned to your WAN NIC, it's not needed anymore
    • Set Outbound NAT to Manual, delete all auto-generated rules, and create the following three:
      ** Source: WAN net (ex: 10.0.1.0/24) ; NAT Address: WAN address ; leave the rest set to defaults
      ** Source: LAN net (ex: 10.0.2.0/24) ; NAT Address: WAN address ; leave the rest set to defaults
      ** Source: localhost (ex: 127.0.0.0/8) ; NAT Address: WAN address ; leave the rest set to defaults
    • Set up any port forwarding rules you need to allow access / traffic to your VM(s) in the LAN
    • Open Azure's Route Tables and create one for the LAN subnet - set it to 0.0.0.0/0 and point it to the fw's LAN NIC
    • Create any needed WAN or LAN firewall rules
    • Test
    • You should be all set

    This works with a single NIC on the fw too, just set your 0.0.0.0/0 route to point to the local WAN IP instead
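
Added example, not part of the original post: a small audit of the Azure-side settings the steps above depend on (IP forwarding on both firewall NICs, Static addresses, and a 0.0.0.0/0 route on the LAN route table pointing at the firewall's LAN IP). The sample dictionaries are constructed, with hypothetical names and addresses, and are shaped like the JSON from `az network nic show`, `az network public-ip show` and `az network route-table show`; the check assumes the route uses next hop type VirtualAppliance.

```python
# Constructed sample data (hypothetical names and addresses), shaped like az CLI JSON output.
WAN_NIC = {"name": "fw-wan", "enableIPForwarding": True,
           "ipConfigurations": [{"privateIPAddress": "10.0.1.4",
                                 "privateIPAllocationMethod": "Static"}]}
LAN_NIC = {"name": "fw-lan", "enableIPForwarding": False,   # forgotten on one NIC
           "ipConfigurations": [{"privateIPAddress": "10.0.2.4",
                                 "privateIPAllocationMethod": "Dynamic"}]}
PUBLIC_IP = {"name": "fw-pip", "publicIPAllocationMethod": "Static"}
LAN_ROUTES = {"name": "lan-rt", "subnets": [{"id": "<LAN subnet resource id>"}],
              "routes": [{"addressPrefix": "0.0.0.0/0",
                          "nextHopType": "VirtualAppliance",
                          "nextHopIpAddress": "10.0.1.4"}]}  # points at WAN IP, not LAN

def check_nic(nic):
    """Findings for one firewall NIC: IP forwarding enabled, private IP Static."""
    out = []
    if not nic.get("enableIPForwarding"):
        out.append(f"{nic['name']}: IP forwarding is disabled")
    for cfg in nic.get("ipConfigurations", []):
        if cfg.get("privateIPAllocationMethod") != "Static":
            out.append(f"{nic['name']}: private IP {cfg.get('privateIPAddress')} is not Static")
    return out

def check_default_route(table, fw_nic):
    """Findings for the LAN route table: 0.0.0.0/0 must hop to the firewall NIC's IP."""
    out = []
    if not table.get("subnets"):
        out.append(f"{table['name']}: not associated with any subnet")
    fw_ips = {c["privateIPAddress"] for c in fw_nic["ipConfigurations"]}
    routes = [r for r in table.get("routes", []) if r.get("addressPrefix") == "0.0.0.0/0"]
    if not routes:
        out.append(f"{table['name']}: no 0.0.0.0/0 route")
    for r in routes:
        if r.get("nextHopType") != "VirtualAppliance" or r.get("nextHopIpAddress") not in fw_ips:
            out.append(f"{table['name']}: default route next hop is "
                       f"{r.get('nextHopType')} {r.get('nextHopIpAddress')}, expected firewall IP")
    return out

def audit(wan_nic, lan_nic, public_ip, table):
    """Run every check; an empty list means the Azure side matches the steps."""
    out = check_nic(wan_nic) + check_nic(lan_nic)
    if public_ip.get("publicIPAllocationMethod") != "Static":
        out.append(f"{public_ip['name']}: public IP is not Static")
    return out + check_default_route(table, lan_nic)

if __name__ == "__main__":
    for finding in audit(WAN_NIC, LAN_NIC, PUBLIC_IP, LAN_ROUTES):
        print("FAIL", finding)
```

For the single-NIC variant, pass the WAN NIC as both NIC arguments so the default route is compared against the local WAN IP.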



  • How about multiple public IPs?

