Forwarding traffic from VPC subnets through the instance

Some additional configuration is required within the VPC instance’s pfSense® webGUI before you are able to manage traffic from the private subnet.

  1. Log into the pfSense WebGUI for the instance.

  2. Click on the Interfaces heading on the left and then click the Assign link

  3. Click on the + icon to add a new Interface under the Interface assignments tab. A LAN interface should automatically be added with the next available network interface (xn1)

  4. Click on the Interfaces heading on the left again and then click on LAN. Click the checkbox to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address you assigned to the 2nd interface during the provisioning phase. Click the Save button.

Now, you can create other instances attached to your private subnet and protect them with the firewall on the pfSense instance.

Common ways to manage private hosts

Allowing private hosts to connect to the Internet

To allow private hosts to be able to connect to the Internet, you can allow any traffic from the LAN in your firewall rules, there should be a rule like this in place by default.

Next, set up NAT rules to cause addresses in the private subnet to be NATed to the IP address of the WAN interface:

  1. Under the Firewall heading on the left, click on the NAT link.

  2. On the Outbound tab click the radio button for Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)

  3. Click the Save button.

  4. Click on the Aliases link under the Firewall heading on the left.

  5. Add your private subnet to the Networks_to_NAT alias.

    Note

    There is an existing NAT rule configured by default that uses the alias Networks_to_NAT.

Allow private hosts to connect to each other

If your hosts should only contact each other and a private network segment elsewhere, you can configure an IPsec or OpenVPN tunnel from your remote networks to the Netgate appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to your private subnet through a VPN tunnel.

Allow direct inbound access from the internet to hosts

If you wish to enable direct inbound access from the internet to hosts on the private subnet, you can set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.