Launching an Instance in a VPC

In the Amazon EC2 Management Console, launch a new instance of the Netgate® pfSense® Plus software firewall and VPN appliance. This process is the same as the one for launching an EC2 (non-VPC) instance, up until step 11, which details the values to enter for the Configure Instance Details screen in order to specify the instance should be created in the VPC.

  1. Select the region to run the instance in using the tab at the upper right corner of the page.

  2. Launch a new instance by clicking on the Launch Instance button under the Create Instance section of the EC2 dashboard.

  3. Select AWS Marketplace on the Create a New Instance menu. Type Netgate pfSense Plus Firewall/VPN/Router in the search box and press Enter (or click on the Search button next to the text box).

  4. Click on the link for the Netgate pfSense Plus Firewall/VPN/Router appliance in the search results.

  5. Click on the Continue button on the info page for the Netgate pfSense® Plus Firewall/VPN/Router.

  6. Click on the Launch with EC2 Console tab

  7. If the license terms haven’t been accepted, click on the Accept Terms button.

  8. A message should be displayed indicating that the subscription is being processed.

  9. Select the version of the image to run under the popup menu labeled Select a Version. Generally the most recently issued version should be selected. Identify which region to launch the instances in and click on the Launch in EC2 Console button to the right of that region.

  10. Choose the instance type to run on. Click Next: Configure Instance Details.

  11. On the Configure Instance Details page, under the Network field, select the VPC that was created. For the Subnet field that appears right below the Network field, select the public subnet that was created earlier. In this example, it is

  12. Scroll down to the Network Interfaces heading. A single interface named eth0 should be displayed by default. Click on the Add Device button underneath eth0. Select the private subnet that was created ( in this example). Pick an IP address within the range of the private subnet and enter it in the Private IP field. Keep in mind that the first 3 or 4 IP addresses are reserved. For this example, use


    Optionally, expand the Advanced Details section and set parameters as text in the User Data field. The available options are:


    Setting a value via a directive like password=abcdefg will set the password for the administrative account to the specified value – abcdefg in this example. If no value is set here, a random password will be assigned in order to keep administrative access from being exposed to the internet with a default password.


    Setting a value via a directive like mgmtnet= will restrict management access (http, https, ssh) to the specified network – in this example. This will cause the firewall rule on the instance (not on Amazons access lists, but on the Netgate appliance’s own firewall) to restrict management traffic for the instance to the specified source network. The default behavior is to allow management from any host.

    These directives can be set by placing them on a single line in the User Data field and separating them with colons. Specify both parameters, by typing a statement similar to:


    Click Next: Add Storage after optionally setting these parameters.


    If setting a password using the password parameter listed above, the password is retrieved by the instance via an unencrypted HTTP request when the system is configured the first time it boots. The request is made to an Amazon Web Services-operated server on the local LAN that stores metadata about each instance running. The data for an instance is only made available to that instance, but is available to be queried from the instance without providing any authentication credentials.

    It is advised to change the admin password via the pfSense® Plus GUI after the instance comes up, or choose not to set the password at all and let a random password be set.

  13. Click Next: Tag Instance to accept the Storage Device Configuration.

  14. Optionally, a tag can be set on the instance to differentiate this instance from other VMs that were started by entering a value for the Name tag. Click Next: Configure Security Group after setting any desired tags.

  15. Select a security group to launch the instance with. The recommended settings for a security group should allow at least the following traffic:

    • TCP port 443 from

      HTTPS - This is the port that the management GUI listens on.

    • TCP port 22 from

      SSH - This port can be used to connect to a command prompt with an ssh client.

    • UDP port 1194 from

      OpenVPN - The OpenVPN server that is configured by default is bound to this port.

    • UDP port 500 from

      IKE for IPsec VPN.

    • UDP port 4500 from

      IPsec/NAT-T for IPsec VPN.


    If there is an existing security group which includes this access, select Select an existing security group, then select the group(s) to use and click Continue. Otherwise, select Create a new security group, and add rules for this access by filling in the form for each rule and clicking the Add Rule button. When all of the rules have been added, click Review and Launch.

  16. Verify the details for the instance and click Launch.

  17. Select an existing key pair or create a new key pair to connect to the instance with. Do not select Proceed Without a Key Pair. Click the checkbox that indicates acknowledgement of having access to the selected private key file and then click Launch Instance.

  18. In order to reach the instance from the Internet, associate an Elastic IP with the WAN interface of the instance. In the VPC Management Console, go to the Elastic IPs view by clicking on Elastic IPs on the left side of the page. Click on the Allocate New Address button. Select the option to use the EIP in VPC and click on the Yes, Allocate button in the box that pops up. After the Elastic IP address is allocated, associate the address with the WAN interface of the Netgate appliance by clicking on the Associate Address button.

    A box will pop up that to either specify the instance and Private IP address of the interface or the Network Interface and the Private IP Address of the interface. Use one of these methods to select the correct interface and click on the Yes, Associate button. The instance should now be reachable via SSH or HTTPS.

  19. In order for traffic to be allowed to be routed from the private subnet through the public interface of the instance, the Source/Dest AddressCheck on the private interfaces needs to be disabled:

    • In the EC2 Management Console, go to the “Network Interfaces” view by clicking on Network Interfaces in the menu on the lefthand side of the page.

    • Click the checkbox to the left of the private/LAN interface on the Netgate appliance instance.

    • Click on the Actions button at the top of the page and select Change Source/Desk Check on the popup menu.

    • Select the radio button labeled Disabled on the box that pops up and click on the Save button.


    Non-local traffic from the private subnet should now be sent through the private/LAN interface on the Netgate appliance instance.