Launching an Instance in a VPC
In the Amazon EC2 Management Console, launch a new instance of the pfSense®
certified firewall and VPN appliance from Netgate. This process is the same as the
one for launching an EC2 (non-VPC) instance until you reach step 11, which
details values that you can enter for the
Configure Instance Details screen
to specify the instance should be created in your VPC.
Select the region you wish your instance to run in using the tab at the upper right corner of the page.
Launch a new instance by clicking on the Launch Instance button under the Create Instances section of the EC2 dashboard.
Select AWS Marketplace on the Create a New Instance menu. Type Netgate pfSense certified in the search box and press enter (or click on the Search button next to the text box).
Click on the link for the Netgate pfSense certified firewall and VPN appliance in the search results.
Click on the Continue button on the info page for the pfSense certified firewall and VPN appliance from Netgate.
Click on the Launch with EC2 Console tab.
If you haven’t previously accepted the license terms, click on the
A message should be displayed indicating that your subscription is being processed.
Select the version of the image to run under the popup menu labeled Select a Version. Generally the most recently issued version should be selected. Identify which region you wish to launch the instances in and click on the Launch in EC2 Console button to the right of that region.
Choose the instance type you wish to run on. Click Next: Configure Instance Details.
On the Configure Instance Details page, under the Network field, select the VPC you created. For the Subnet field that appears right below the Network field, select the public subnet you created earlier. In our examples, this is 10.2.0.0/24.
Scroll down to the Network Interfaces heading. A single interface named eth0 should be displayed by default. Click on the Add Device button underneath eth0. Select the private subnet that was created (10.2.1.0/24 in our example). Pick an IP address within the range of the private subnet and enter it in the IP address field. Keep in mind that the first 3 or 4 IP addresses are reserved. For this example, we will use 10.2.1.5.
You can optionally expand the Advanced Details section and set parameters as text in the User Data field. The available options are:
password - setting a value via a directive like password=abcdefg will set the password for the administrative account to the value you specify (abcdefg in this example). If no value is set here, a random password will be assigned so that administrative access is not exposed to the internet with a default password.
mgmtnet - setting a value via a directive like mgmtnet=10.0.1.0/24 will restrict management access (http, https, ssh) to the network you specify (10.0.1.0/24 in this example). This causes the firewall rule on the instance (the Netgate appliance's own firewall, not Amazon's access lists) to restrict management traffic for the instance to the specified source network. The default behavior is to allow management from any host.
These directives can be set by placing them on a single line in the User Data field and separating them with colons. If you wanted to specify both parameters, you could do this by typing a statement similar to this one:
Click Next: Add Storage after optionally setting these parameters.
.. note:: If you set a password using the password parameter listed above, the password is retrieved by the instance via an unencrypted HTTP request when the system is configured the first time it boots. The request is made to an Amazon Web Services-operated server on the local LAN (the instance metadata service) that stores metadata about each running instance. The data for an instance is only made available to that instance, but it can be queried from the instance without providing any authentication credentials. It is advised that you change the admin password via the pfSense web GUI after the instance comes up if you judge this to be an unacceptable security risk. Alternatively, do not set the password at all and let a random password be assigned.
Click Next: Tag Instance to accept the Storage Device Configuration.
Optionally, a tag can be set on the instance to differentiate this instance from other VM’s you have started by entering a value for the
Click Next: Configure Security Group after setting any desired tags.
Select a security group to launch the instance with. The recommended settings for a security group should allow at least the following traffic:
TCP port 443 from 0.0.0.0/0 - HTTPS - This is the port that the management web GUI listens on.
TCP port 22 from 0.0.0.0/0 - SSH - This port can be used to connect to a command prompt with an ssh client.
UDP port 1194 from 0.0.0.0/0 - OpenVPN - The OpenVPN server that is configured by default is bound to this port.
UDP port 500 from 0.0.0.0/0 - IKE for IPsec VPN.
UDP port 4500 from 0.0.0.0/0 - IPsec/NAT-T for IPsec VPN.
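The User Data directives and the security group list above describe two layers that should agree: the appliance's own firewall (mgmtnet) and the EC2 security group. The following added example, which is not part of the Netgate page and assumes the colon-separated format exactly as described, builds and parses the User Data line and emits the recommended rules in the boto3 IpPermissions shape, narrowing the management ports to mgmtnet when one is given:

```python
import ipaddress

# Recommended ports taken from the list above (management vs. VPN services).
MGMT_PORTS = [("tcp", 443), ("tcp", 22)]                   # HTTPS GUI, SSH
VPN_PORTS = [("udp", 1194), ("udp", 500), ("udp", 4500)]   # OpenVPN, IKE, NAT-T


def build_user_data(password=None, mgmtnet=None):
    """Return the single-line, colon-separated User Data string.

    Both directives are optional: no password means the appliance assigns a
    random one; no mgmtnet means management is reachable from any host.
    """
    parts = []
    if password is not None:
        # A colon would be read as a directive separator, so reject it.
        if ":" in password:
            raise ValueError("password must not contain ':'")
        parts.append(f"password={password}")
    if mgmtnet is not None:
        # strict=True accepts a network address (10.0.1.0/24) but rejects a
        # host address such as 10.0.1.5/24 or a bad prefix length.
        parts.append(f"mgmtnet={ipaddress.ip_network(mgmtnet, strict=True)}")
    return ":".join(parts)


def parse_user_data(line):
    """Split a User Data line back into a dict (inverse of build_user_data)."""
    result = {}
    for item in filter(None, line.split(":")):
        key, sep, value = item.partition("=")
        if not sep or key not in ("password", "mgmtnet"):
            raise ValueError(f"unknown or malformed directive: {item!r}")
        result[key] = value
    return result


def security_group_rules(mgmtnet=None):
    """IpPermissions for the recommended security group.

    VPN ports stay open to 0.0.0.0/0; management ports are limited to mgmtnet
    when one is supplied so the group matches the on-instance firewall.
    """
    mgmt_cidr = str(ipaddress.ip_network(mgmtnet)) if mgmtnet else "0.0.0.0/0"
    rules = []
    for proto, port in MGMT_PORTS:
        rules.append({"IpProtocol": proto, "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": mgmt_cidr}]})
    for proto, port in VPN_PORTS:
        rules.append({"IpProtocol": proto, "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
    return rules
```

The rules list can be passed as IpPermissions to a security group authorization call; the CIDR narrowing is an added hardening step, not a requirement stated by the page.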
If you have an existing security group that includes this access, select Select an existing security group, then select the group(s) you want to use and click Continue. Otherwise, select Create a new security group, and add rules for this access by filling in the form for each rule and clicking the Add Rule button. When all of the rules have been added, click Review and Launch.
Verify the details for the instance and click
Select an existing key pair or create a new key pair to connect to the instance with. Do not select Proceed Without a Key Pair. Click the checkbox that indicates that you acknowledge that you have access to the selected private key file and then click
In order to reach your instance from the Internet, you will need to associate an Elastic IP with the WAN interface of the instance. In the VPC Management Console, go to the Elastic IPs view by clicking on Elastic IPs on the left side of the page. Click on the Allocate New Address button. Select that you want the EIP used in VPC and click on the Yes, Allocate button in the box that pops up. After the Elastic IP address is allocated, associate the address with the WAN interface of the Netgate appliance by clicking on the Associate Address button. A box will pop up that will let you specify either the instance and the private IP address of the interface, or the Network Interface and the private IP address of the interface. Use one of these methods to select the correct interface and click on the Yes, Associate button. You should now be able to reach the instance via ssh or https.
For traffic from the private subnet to be routed through the public interface of the instance, the Source/Dest Check on the private interface needs to be disabled. In the EC2 Management Console, go to the Network Interfaces view by clicking on Network Interfaces in the menu on the left-hand side of the page. Click the checkbox to the left of the private/LAN interface of the Netgate appliance instance. Click on the Actions button at the top of the page and select Change Source/Dest Check on the popup menu. Select the radio button labeled Disabled in the box that pops up and click on the Save button. Non-local traffic from the private subnet should now be sent through the private/LAN interface on the Netgate appliance instance.