Netgate Discussion Forum

pfSense on Azure controlling all traffic, problem with connection

General pfSense Questions
alejjime

      Hello pfSense fans and experts.

I have deployed a pfSense CE firewall on an Azure VM, with this topology:

      • One virtual network (vnet1), with three (3) subnets:
      • One subnet "wan", one subnet "lan" and a last subnet "apps".

The pfSense VM has two (2) NICs, one assigned to the vnet1/wan subnet and the other one assigned to the vnet1/lan subnet. The idea is that the wan subnet/NIC has the public IP and the lan subnet/NIC controls the traffic to the apps VM. The apps VM has a NIC assigned to the vnet1/apps.

To avoid Internet traffic to the vnet1/apps, I have configured an Azure "Route table" to route 0.0.0.0/0 to the vnet1/lan, and it is assigned to the vnet1/apps. That works fine.

The problem is when I try to connect to the web server in the apps-VM via http to the public IP: it doesn't work, pfSense receives the call but the apps-VM doesn't respond.

In pfSense there is a firewall rule in the rules/lan section permitting connections between the whole IP range of the vnet and its subnets.

All the NICs have Azure network security groups (NSG) assigned, opening all the ports on all the protocols, because the idea is that all the control happens in pfSense.

      But the traffic to the web-app in the apps-VM is not happening. What do you think is missing here?

stephenw10 (Netgate Administrator)

        You have 'IP forwarding' enabled for the pfSense VM and NICs?

        Steve

alejjime @stephenw10

@stephenw10 wow, that was precisely the missing setting; I had forgotten to check that parameter. Thanks for the help!

          thank you very much again.

stephenw10 (Netgate Administrator)

Ah, nice. Yeah, that's easy to overlook; a common misconfiguration.

            The same applies to the source/destination check in AWS.

            Steve

alejjime @stephenw10
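As an added example (not from the thread, and not Netgate's or Microsoft's code), the following script audits the two Azure settings this thread hinges on: IP forwarding on both pfSense NICs and a 0.0.0.0/0 route on the apps subnet whose next hop is the pfSense LAN NIC as a virtual appliance. It reads the JSON that `az network nic show` and `az network route-table show` print; the embedded samples and resource names (`pfsense-wan-nic`, `pfsense-lan-nic`, `apps-rt`, the 10.0.x.x addresses) are constructed for the example.

```python
"""Audit an Azure pfSense deployment for the settings discussed above:
IP forwarding on the firewall NICs, and the apps-subnet route table
sending 0.0.0.0/0 to the pfSense LAN NIC as a VirtualAppliance.
Input is the JSON printed by `az network nic show` /
`az network route-table show`; the samples below are constructed."""
import json

# Constructed sample: the WAN NIC has forwarding on, the LAN NIC does not.
PFSENSE_NICS_JSON = json.dumps([
    {"name": "pfsense-wan-nic", "enableIPForwarding": True,
     "ipConfigurations": [{"privateIPAddress": "10.0.1.4"}]},
    {"name": "pfsense-lan-nic", "enableIPForwarding": False,
     "ipConfigurations": [{"privateIPAddress": "10.0.2.4"}]},
])

# Constructed sample: the route table attached to the apps subnet.
APPS_ROUTE_TABLE_JSON = json.dumps({
    "name": "apps-rt",
    "routes": [{"name": "default-via-pfsense", "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "10.0.2.4"}],
})


def audit(nics_json, route_table_json, lan_nic_name):
    """Return a list of findings; an empty list means the topology is consistent."""
    nics = json.loads(nics_json)
    rt = json.loads(route_table_json)
    findings, lan_ip = [], None
    for nic in nics:
        # Without IP forwarding Azure drops packets not addressed to the NIC itself.
        if not nic.get("enableIPForwarding"):
            findings.append(f"{nic['name']}: IP forwarding disabled; fix with "
                            f"'az network nic update -n {nic['name']} -g <rg> --ip-forwarding true'")
        if nic["name"] == lan_nic_name:
            lan_ip = nic["ipConfigurations"][0]["privateIPAddress"]
    default = [r for r in rt["routes"] if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        findings.append(f"{rt['name']}: no 0.0.0.0/0 route, apps traffic bypasses pfSense")
    for r in default:
        # The default route must hand traffic to the pfSense LAN address.
        if r["nextHopType"] != "VirtualAppliance" or r.get("nextHopIpAddress") != lan_ip:
            findings.append(f"{rt['name']}/{r['name']}: default route does not point at "
                            f"the pfSense LAN NIC ({lan_ip})")
    return findings


if __name__ == "__main__":
    for finding in audit(PFSENSE_NICS_JSON, APPS_ROUTE_TABLE_JSON, "pfsense-lan-nic"):
        print("FINDING:", finding)
```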

@stephenw10 Now I have a problem creating an OpenVPN to allow connections to this network. I think the fact that the wan NIC has two (2) IP addresses, one public and one local, generates some kind of problem when the "Client export" options export the bundled configuration for the users.

              Do you know something about it? Maybe a new question topic here in the forum?

stephenw10 (Netgate Administrator)

The client export by default will use the WAN IP as the server IP in the conf file. But in Azure the WAN is a NAT'd private IP, so clients will fail to connect. You need to set the Host Name Resolution field to "other" and enter the public IP there. Or use an FQDN if you have a public host name for that.

                Steve
