Advanced Usage

Protecting a private network in VPC

An instance of the Netgate® pfSense® Plus appliance can be used as a firewall for a VPC subnet. This will generally require more manual configuration than using an instance to host a remote access VPN does. See the VPC User Guide for a more detailed explanation of how to configure your VPC and your Netgate pfSense® Plus appliance instance to support this.

Connecting a local Netgate device running pfSense Plus software

In addition to connecting remote devices as clients, a device running pfSense® Plus software as a firewall/router can be connected as a peer to a Netgate® appliance.

See also

Read Configuring a Site-to-Site Static Key OpenVPN Instance in the pfSense documentation to see the process of configuring this setup.

When implementing the configuration changes detailed in the document, you should use the Netgate appliance instance on AWS as the “server” end of the connection and your local Netgate device as the client “end”. You will also need to make sure that you are using a unique port. The default remote access OpenVPN server is configured to use UDP port 1194. It is suggested that if you are adding a site-to-site tunnel, you should use a port between 1195 and 2000. Whichever port you decide to use, you will need to make sure that the port is open both in the firewall rules on the Netgate appliance instance and in the Security Group in the EC2 Management Console.

If you wish to route all traffic from your home/office network through the OpenVPN tunnel to your Netgate appliance instance, you will need to add this statement to the advanced options for the OpenVPN Client on the home/office Netgate device:

redirect-gateway def1;

This will cause a default route to be set that sends all locally originated traffic on your home/office network over the OpenVPN tunnel when it is established. If you use this configuration to send all traffic from your local network through the OpenVPN tunnel, you will also need to establish a NAT on the Netgate appliance instance on AWS for traffic from the home/office network to the internet. This can be accomplished by adding the CIDR block for your home/office network to the preconfigured Alias called Networks_to_NAT. This is done by navigating to Aliases under the Firewall heading on the webGUI, then clicking on the edit icon to the right of Networks_to_NAT. Add the new network address and mask to the list of Networks and click the Save button. Then click the Apply Changes button. You will also need to add the network used for the tunnel endpoints (IPv4 Tunnel Network) to the Networks_to_NAT alias as well using the same procedure that was used to add the home/office network.

Connecting multiple pfSense Plus gateways to a Netgate appliance

Multiple home/office networks can be connected to a single Netgate appliance instance. This could be used to allow clients at different office locations to communicate without requiring tunnels between each individual location. It could also be used as a way to apply policies on traffic to/from the internet in one place and have them take effect across multiple locations.

Each site would need to have the instructions above for connecting an individual device repeated to add an OpenVPN server on the Netgate appliance instance and an OpenVPN client on the local Netgate device. Each OpenVPN Server that is configured must use a unique port and a unique network for IPv4 Tunnel Network. It is recommended to use a name that uniquely identifies each location connected in this manner in the Description field when adding an OpenVPN Server for a site in the Netgate appliance.

Detect and Recover EC2 Instance Failure

You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying issue.

For more information about instance recovery, see Recover Your Instance.