Forwarding traffic from VPC subnets through the instance
Some additional configuration is required within the VPC instance pfSense® Plus GUI before the instance can manage traffic from the private subnet.
Log into the pfSense® Plus GUI for the instance.
Click on the Interfaces heading on the left and then click the Assign link.
Click on the + icon under the Interface assignments tab to add a new interface. A LAN interface should automatically be added with the next available network interface (xn1).
Click on the Interfaces heading on the left again and then click on LAN. Click the checkbox to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address assigned to the second interface during the provisioning phase. Click the Save button.
Now it is possible to create instances attached to the private subnet and protect them with the firewall on the pfSense® Plus instance.
Common ways to manage private hosts
Allowing private hosts to connect to the Internet
To allow private hosts to be able to connect to the Internet, one method is to allow any traffic from the LAN in the firewall rules. There should be a rule like this in place by default.
Next, set up NAT rules so the firewall will apply NAT to addresses in the private subnet using the IP address of the WAN interface:
Navigate to Firewall > NAT, Outbound tab
Select the radio button for Hybrid Outbound NAT
Click the Save button
Navigate to Firewall > Aliases
Add the private subnet to the Networks_to_NAT alias.
Note: There is an existing NAT rule configured by default that uses the alias Networks_to_NAT.
Allow private hosts to connect to each other
If hosts should only contact each other and a private network segment elsewhere, configure an IPsec or OpenVPN tunnel from the remote networks to the Netgate® pfSense® Plus appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to the private subnet through a VPN tunnel.
Allow direct inbound access from the internet to hosts
To enable direct inbound access from the internet to hosts on the private subnet, set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.
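The following pf ruleset is an added illustration, not output generated by pfSense® Plus or part of the original page: it shows what the GUI steps for outbound NAT (the Networks_to_NAT alias and the default outbound rule) and for a WAN port forward amount to at the packet-filter level. Interface names follow the page (xn0 as WAN, xn1 as the LAN assigned above); the private subnet 10.0.1.0/24, the forwarded host 10.0.1.10 and the choice of TCP port 443 are constructed placeholders.

```pf
# Added illustration of the GUI configuration as pf rules (FreeBSD pf syntax).
# Interface names are assumptions: xn0 = WAN, xn1 = LAN (the second interface).
wan = "xn0"
lan = "xn1"

# Equivalent of the Networks_to_NAT alias after adding the private subnet
# (10.0.1.0/24 is a constructed example value).
table <Networks_to_NAT> { 10.0.1.0/24 }

# Equivalent of the default outbound NAT rule: private-subnet sources leave
# with the WAN interface address. The parentheses make pf re-read the address
# if the interface's IP changes, so the rule survives a new WAN address.
nat on $wan inet from <Networks_to_NAT> to any -> ($wan)

# Equivalent of a WAN port forward to one private host. Keep the scope narrow:
# one protocol and one port per host rather than a blanket forward.
rdr on $wan inet proto tcp from any to ($wan) port 443 -> 10.0.1.10 port 443

# Equivalent of the default "allow any from LAN" rule.
pass in quick on $lan inet from 10.0.1.0/24 to any keep state

# rdr translates before filtering, so the pass rule for forwarded traffic
# must match the translated (private) destination, not the WAN address.
pass in quick on $wan inet proto tcp from any to 10.0.1.10 port 443 keep state
```

Reading the ruleset this way helps when reviewing what the GUI has actually deployed: a missing subnet in the Networks_to_NAT table explains private hosts that cannot reach the Internet, and a port forward whose matching pass rule uses the WAN address instead of the private host address explains forwards that appear configured but never pass traffic.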