Forwarding traffic from VPC subnets through the instance

Some additional configuration is required within the VPC instance pfSense® Plus GUI before the instance can manage traffic from the private subnet.

  1. Log into the pfSense® Plus GUI for the instance.

  2. Click on the Interfaces heading on the left and then click the Assign link

  3. Click on the + icon to add a new Interface under the Interface assignments tab. A LAN interface should automatically be added with the next available network interface (xn1)

  4. Click on the Interfaces heading on the left again and then click on LAN. Click the checkbox to enable the LAN interface. Set the IPv4 Configuration Type to Static IPv4 and enter the IP address assigned to the second interface during the provisioning phase. Click the Save button.

Now is it possible to create instances attached to the private subnet and protect them with the firewall on the pfSense® Plus instance.

Common ways to manage private hosts

Allowing private hosts to connect to the Internet

To allow private hosts to be able to connect to the Internet, one method is to allow any traffic from the LAN in the firewall rules. There should be a rule like this in place by default.

Next, set up NAT rules so the firewall will apply NAT to addresses in the private subnet using the IP address of the WAN interface:

  1. Navigate to Firewall > NAT, Outbound tab

  2. Select the radio button for Hybrid Outbound NAT

  3. Click the Save button

  4. Navigate to Firewall > Aliases

  5. Add the private subnet to the Networks_to_NAT alias.


    There is an existing NAT rule configured by default that uses the alias Networks_to_NAT.

Allow private hosts to connect to each other

If hosts should only contact each other and a private network segment elsewhere, configure an IPsec or OpenVPN tunnel from the remote networks to the Netgate® pfSense® Plus appliance instance and set up the appropriate firewall rules, routes, and security policies to allow access to the private subnet through a VPN tunnel.

Allow direct inbound access from the internet to hosts

To enable direct inbound access from the internet to hosts on the private subnet, set up port forwarding on the WAN interface to direct traffic to particular hosts in the private subnet.