Advanced Usage

Protecting a private network in VPC

An instance of the Netgate® pfSense® Plus appliance can be used as a firewall for a VPC subnet. This will generally require more manual configuration than using an instance to host a remote access VPN does. See the VPC User Guide for a more detailed explanation of how to configure a VPC and a Netgate pfSense® Plus appliance instance to support this.

Connecting a local Netgate device running pfSense® Plus software

In addition to connecting remote devices as clients, a device running pfSense® Plus software as a firewall/router can be connected as a peer to a Netgate® appliance.

See also

Read Configuring a Site-to-Site Static Key OpenVPN Instance in the pfSense software documentation to see the process of configuring this setup.

When implementing the configuration changes detailed in the document, the best practice is to use the Netgate appliance instance on AWS as the “server” end of the connection and the local Netgate device as the “client” end. Additionally, make sure that the server is using a unique port. The default remote access OpenVPN server is configured to use UDP port 1194. When adding a site-to-site tunnel, the best practice is to use a port between 1195 and 2000. Whichever port the site-to-site tunnel uses will need to be opened both in the firewall rules on the Netgate appliance instance and in the Security Group in the EC2 Management Console.

To route all traffic from a home/office network through the OpenVPN tunnel to the Netgate appliance instance, add this statement to the advanced options for the OpenVPN Client on the home/office Netgate device:

redirect-gateway def1;

This will cause a default route to be set that sends all locally originated traffic from the home/office network over the OpenVPN tunnel when it is established. When using this configuration to send all traffic from a local network through the OpenVPN tunnel, the outgoing traffic also needs NAT applied on the Netgate appliance instance on AWS for traffic from the home/office network to the internet. This can be accomplished by adding the CIDR block for the home/office network to the preconfigured Alias called Networks_to_NAT. This is done by navigating to Firewall > Aliases in the GUI, then clicking on the edit icon to the right of Networks_to_NAT. Add the new network address and mask to the list of Networks and click the Save button. Then click the Apply Changes button. Add the network used for the tunnel endpoints (IPv4 Tunnel Network) to the Networks_to_NAT alias as well using the same procedure that was used to add the home/office network.

Connecting multiple pfSense Plus gateways to a Netgate appliance

Multiple home/office networks can be connected to a single Netgate appliance instance. This could be used to allow clients at different office locations to communicate without requiring tunnels between each individual location. It could also be used as a way to apply policies on traffic to/from the internet in one place and have them take effect across multiple locations.

For each site, repeat the instructions above for connecting an individual device: add an OpenVPN server on the Netgate appliance instance and an OpenVPN client on the local Netgate device. Each OpenVPN Server that is configured must use a unique port and a unique network for IPv4 Tunnel Network. It is recommended to use a name that uniquely identifies each location connected in this manner in the Description field when adding an OpenVPN Server for a site in the Netgate appliance.
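The per-site rules above (a unique port in the 1195-2000 range, a unique IPv4 Tunnel Network, a unique Description, the tunnel and home/office networks added to Networks_to_NAT, and the port opened in the Security Group) are easy to get wrong once several sites are involved. The following script is an added example, not Netgate code, that checks a planned set of sites against those rules before any GUI changes are made; it goes slightly beyond the text by also rejecting overlapping (not just identical) networks. The site names, ports and networks are constructed sample values.

```python
"""Consistency check for several site-to-site OpenVPN tunnels terminating on one
Netgate appliance instance in AWS. Added example; all site values are constructed."""
import ipaddress
from dataclasses import dataclass

REMOTE_ACCESS_PORT = 1194            # default remote access server, already in use
SITE_PORT_RANGE = range(1195, 2001)  # recommended range for site-to-site servers

@dataclass(frozen=True)
class Site:
    description: str     # unique name for the OpenVPN Server's Description field
    server_port: int     # UDP port the site-to-site server listens on
    tunnel_network: str  # IPv4 Tunnel Network of that server
    lan_network: str     # home/office network behind the client device

def check_sites(sites):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, ports, names, nets = [], set(), set(), []
    for s in sites:
        if s.server_port not in SITE_PORT_RANGE:  # also rejects the 1194 default
            problems.append(f"{s.description}: port {s.server_port} outside 1195-2000")
        if s.server_port in ports:
            problems.append(f"{s.description}: port {s.server_port} already in use")
        if s.description in names:
            problems.append(f"{s.description}: description not unique")
        ports.add(s.server_port); names.add(s.description)
        # Tunnel and LAN networks must not overlap any network of any site.
        for label, cidr in (("tunnel", s.tunnel_network), ("lan", s.lan_network)):
            net = ipaddress.ip_network(cidr, strict=True)
            for olabel, osite, onet in nets:
                if net.overlaps(onet):
                    problems.append(f"{s.description} {label} {cidr} overlaps {osite} {olabel} {onet}")
            nets.append((label, s.description, net))
    return problems

def networks_to_nat(sites):
    """Every LAN and tunnel network that must be added to the Networks_to_NAT alias."""
    return sorted({s.lan_network for s in sites} | {s.tunnel_network for s in sites})

def security_group_udp_ports(sites):
    """UDP ports to open in the Security Group and in the appliance firewall rules."""
    return sorted({REMOTE_ACCESS_PORT} | {s.server_port for s in sites})

SAMPLE_SITES = [  # constructed plan; office-c wrongly reuses a port, tunnel and LAN
    Site("office-a", 1195, "10.8.1.0/24", "192.168.10.0/24"),
    Site("office-b", 1196, "10.8.2.0/24", "192.168.20.0/24"),
    Site("office-c", 1196, "10.8.2.0/24", "192.168.10.0/24"),
]
```

Run `check_sites(SAMPLE_SITES)` to see the three conflicts for office-c; with only the first two sites it returns an empty list and `networks_to_nat` / `security_group_udp_ports` give the alias entries and ports to configure.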

Detect and Recover EC2 Instance Failure

It is also possible to create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying issue.

For more information about instance recovery, see Recover Your Instance.