pfsense

Custom pfSense on Azure Rm | a complete guide

Custom pfSense on Azure Rm | a complete guide

A complete guide on how to create a pfSense VM on a local Hyper-V server, prepare it for Microsoft Azure, upload the disk to Azure and create a multi-NIC VM.

Download the latest image from https://www.pfsense.org/download/

pfsense

Open Hyper-V Manager create a Generation 1 VM. I added 4096 ram, 2 cores, use VHD, add an extra NIC (for second interface)  and select the downloaded ISO. (create a fixed VHD as Azure supports only fixed VHDs for custom VMs)

pfsense

Start the VM and at the first screen press enter.

pfsense

At all screens I accepted the default settings. Finally at the reboot prompt remove the installation ISO.

There is no need to setup VLANs, select the second interface for WAN and the first for LAN.

pfsense

pfsense

Once the pfSense is ready press 2 and change the LAN (hn0) interface IP to one at your network. Then select the option 14 to enable SSH.

pfsense

Now we can login with putty, with username admin password pfsense and press 8 for Shell access.

pfsense

The first thing is to update the packages running:

pkg upgrade

Python

Then install Python, as it is requirement for the Azure Linux Agent.

Search for Python packages running:

pkg search python

pfsense

Install the latest Python package, setup tools and bash:

pkg install -y python27-2.7.14
pkg search setuptools

pkg install py27-setuptools-36.2.2

ln -s /usr/local/bin/python /usr/local/bin/python2.7

pkg install -y bash

Azure Linux Agent

ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/classic/freebsd-create-upload-vhd

pkg install git

git clone https://github.com/Azure/WALinuxAgent.git

cd WALinuxAgent

git tag

git checkout WALinuxAgent-2.1.1

git checkout WALinuxAgent-2.0.16

python setup.py install

ln -sf /usr/local/sbin/waagent /usr/sbin/waagent

check the agent is running:

waagent -Version

pfsense

One final step before uploading the VHD to Azure is to set the LAN interface as dhcp.

This can be done by the web interface, go to https://lanaddress, login using admin / pfsense, and go to interfaces / LAN and select DHCPas ipv4 configuration.

pfsense

Now, shutdown the pfSense and upload it to Azure Storage.

I use the Storage Explorer, https://azure.microsoft.com/en-us/features/storage-explorer/ a free and powerful tool to manage Azure Storage. Login to your Azure Account and press Upload. Select as Blob type: “Page blob”

pfsense

After the upload is completed we can create a multiple NIC VM. This cannot be accomplished from GUI. We will create this using PowerShell.

$ResourceGroupName = "******"
$pfresourcegroup = "*******"
$StorageAccountName = "******"
$vnetname = "*****"
$location = "West Europe"
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$backendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet
$vmName="pfsense"
$vmSize="Standard_F1"
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Dynamic
$nic1 = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pubip.Id
$nic2 = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id
$VM = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$VM | Set-AzureRmVMOSDisk `
            -VhdUri https://********.blob.core.windows.net/vhds/pfsensefix.vhd `
            -Name pfsenseos -CreateOption attach -Linux -Caching ReadWrite
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
$vm.NetworkProfile.NetworkInterfaces.Item(0).Primary = $true
New-AzureRMVM -ResourceGroupName $pfresourcegroup -Location $locationName -VM $vm -Verbose

Once the VM is created, go to the VM’s blade and scroll down to “Boot diagnostics”. There you can see a screenshot of the VM’s monitor.

pfsense

Then go to the Networking section and SSH to the Public IP.

pfsense

and also we can login to the Web Interface of the pfSense

pfsense

pfsense

In my case I have added both NICs at the same Subnet, but at a production environment add the LAN interface to the backend subnet and the WAN interface to the DMZ (public) subnet.

Of course more NICs can be added to the VM, one for each Subnet at our environment.

Route external traffic through the pfSense

We cannot change the gateway at an Azure VM, but we can use routing tables to route the traffic through the pfSense.

From the Azure Portal, select New and search for Route table.

pfsense

We need to configure two things. One is to associate the Route table to a Subnet and the second is to create a Route.

pfsense

Open the “Route table” and click the “Routes”. Press “Add route” and in order to route all outbound traffic through the pfSense then add for Address prefix “0.0.0.0”, next hop type Virtual appliance” and Net hop address the ip address of the pfSense’s LAN interface IP.

pfsense

Then go to the “Subnets” and associate the required subnets.

pfsense

One final thing to do is to enable IP Forwarding at the LAN interface of the pfSense, in order to be able to receive and forward traffic not originated for it.

 

Share

9 comments

  1. Hey, Good tutorial. My image is uploading now and I hope to test later this evening.
    A few small things i noticed:

    in the Azure agent install you left off the last t (gi.. t) on this line:
    git clone https://github.com/Azure/WALinuxAgent.gi

    This line of the create VM script isn’t used anywhere either.
    $NSGname = “******”

    Otherwise great to get this all in one spot- thank you. I had to do quite a bit of searching last time I loaded an image to Azure and even now, Azure thinks the start up fails every time because the agent isn’t running correctly (it runs fine so I haven’t bothered to change it)

    1. This one is redundant too:
      $backendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet

  2. A thought on how to hide your VM behind the pfSense.

    The VM is at the subnet 10.1.2.0/24
    The pfSense LAN NIC at the subnet 10.1.0.0/24
    The pfSense WAN NIC at the subnet 10.1.3.0/24

    Configuration on pfSense:

    LAN interface
    static IP 10.1.0.5/24
    IPv4 Upstream gateway: None
    Azure NIC: Static IP 10.1.0.5 on subnet 10.1.0.0/24

    WAN interface
    static IP: 10.1.3.4/24
    IPv4 Upstream gateway: (new gateway with the first IP of the Azure subnet) 10.1.3.1
    Azure NIC: Static IP 10.1.3.4 on subnet 10.1.3.0/24

    Rules
    WAN: None
    Lan: Default

    System / Routing / Gateways
    new gateway: subnet LAN 10.1.0.1 10.1.0.1

    System / Routing / Static Routes
    new static route:
    10.1.2.0/24 subnet – 10.1.0.1 LAN

    VM on subnset 10.1.2.0/24
    At the pfSense I added a NAT rule port 38745 to 10.1.2.4 port 3389 for RDP to my VM

    At the Azure Portal, the custom Route 0.0.0.0/0 to 10.1.0.5, that is applied at the VM’s subnet 10.1.2.0/24, will forward all traffic of the VM to the pfSense

    So to access the VM i RDP to the public ip of pfSense @ port 38745

  3. Use Case of Production Scenario.
    Vnet – 10.20.0.0/16
    Wan – 10.20.131.0/24 —– Wan Interface – 10.20.131.4/32 Gtw —– 10.20.131.1
    Lan – 10.20.132.0/24 —– Lan Interface 10.20.132.4/32 Gtw —– 10.20.131.2
    VM’s in multiple subnets in vnet 10.20.0.0/16
    OpenVpn Setup for remote users to access VM’s of multiple subnet

    Please help on Lan to Wan routing on Pfsense and Azure portal both
    and Wan to Lan routing on Pfsense and azure portal both
    Is IP forwarding still required on Lan Ip configuration required to be done

    Your insights will be really helpful and i have a lab ready also if you want to work together on this scenario on Azure.
    Looking forward to hear from you.
    Regards,
    Jeegar

  4. How would it work in case of a IPsec tunnel..
    and vm is still in 10.1.2.0/24

    it would be kind of assymetric routing

  5. $VM | Set-AzureRmVMOSDisk `
    -VhdUri https://********.blob.core.windows.net/vhds/pfsensefix.vhd `
    -Name pfsenseos -CreateOption attach -Linux -Caching ReadWrite

    Is this script is correct. I am getting the below error

    Set-AzVMOSDisk: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided

    Can you help me out to fix this

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.