Forwarding traffic from VPC subnets through the instance

Some additional configuration is required within the Netgate appliance instance pfSense® web GUI before you are able to manage traffic from the private subnet.

  1. Log into the Web GUI.

  2. Click on the Interfaces heading on the left and then click the Assign link.

  3. Under the Interface Assignments tab, click on the + icon to add a new interface. A LAN interface should be added automatically using the next available network interface (xn1).

  4. Click on the Interfaces heading on the left again and then click on LAN. Check the box to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address you assigned to the second interface during the provisioning phase. Click the Save button.

Now, you can create instances attached to your private subnet and protect them with the firewall on your pfSense Certified appliance instance. Here are some common ways that you might wish to manage these hosts:

  • If you wish for your private hosts to be able to connect to the Internet, you can allow any traffic from the LAN in your firewall rules; a rule like this should be in place by default. You will also need NAT rules so that addresses in the private subnet are translated to the IP address of the WAN interface. Under the Firewall heading on the left, click on the NAT link. On the Outbound tab, select the radio button for Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and click on the Save button. An outbound NAT rule that uses the alias Networks_to_NAT is configured by default. Click on the Aliases link under the Firewall heading on the left and add your private subnet to the Networks_to_NAT alias.

  • If your hosts should only contact each other and a private network segment elsewhere, you can configure an IPsec or OpenVPN tunnel from your remote networks to the Netgate appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to your private subnet through a VPN tunnel.

  • If you wish to enable direct inbound access from the internet to hosts on the private subnet, you can set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.
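As an added illustration (not part of the Netgate documentation), the pf rules below approximate what the outbound NAT and port-forward scenarios above produce once the GUI regenerates the ruleset; they are useful for checking the generated rules, not for editing by hand. Interface names xn0 (WAN) and xn1 (LAN), the 10.0.1.0/24 private subnet and the 10.0.1.10 host are assumed values.

```pf
# Illustrative pf rules (assumed names: xn0 = WAN, xn1 = LAN,
# 10.0.1.0/24 = private subnet, 10.0.1.10 = an internal web server).
# Compare against the ruleset pfSense actually builds, which can be read
# with `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules); the GUI
# regenerates that ruleset, so hand edits to it do not persist.

# Outbound scenario: manual outbound NAT, private subnet hidden behind WAN.
# In the GUI this is the default rule driven by the Networks_to_NAT alias,
# which becomes a pf table once the subnet is added to the alias.
table <Networks_to_NAT> { 10.0.1.0/24 }
nat on xn0 from <Networks_to_NAT> to any -> (xn0)

# Default LAN-to-any pass rule that lets private hosts reach the Internet.
pass in quick on xn1 inet from 10.0.1.0/24 to any keep state

# Inbound scenario: a port forward on WAN to one host plus its matching
# pass rule. Keep the pass rule as narrow as the service needs (one
# protocol, one port, one destination host) rather than allowing any.
rdr on xn0 inet proto tcp from any to (xn0) port 443 -> 10.0.1.10 port 443
pass in quick on xn0 inet proto tcp from any to 10.0.1.10 port 443 keep state

# Everything else arriving on WAN stays blocked by the default deny.
block in quick on xn0 all
```

The VPN scenario is omitted here because its rules depend on the tunnel type and remote networks you choose.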