Flexible Engine

pfSense open source virtual firewall

appliance deployment guide

Objectives

The document has for purpose to

- describe how to deploy and configure pfSense appliance on Flexible Engine
- explain how to access the web interface from Internet
- propose example network designs to use pfSense to filter traffic between WAN, FE DMZ VPC, FE
Private VPC and Internet

Orange Business Services | pfSense on FE deployment guide 1

Content
Objectives................................................................................................................................................................ 1
1. Introduction.................................................................................................................................................... 3
2. pfSense image deployment on Flexible Engine .............................................................................................. 3
2.1. Prerequisites .......................................................................................................................................... 3
2.2. pfSense ECS creation ............................................................................................................................. 4
2.3. pfSense initial configuration .................................................................................................................. 5
3. pfSense configuration to access web interface from internet ....................................................................... 7
4. VPC route table configuration to allow protected ECS to use pfSense as an Internet NAT gateway .......... 10
5. pfSense network design on Flexible Engine examples ................................................................................. 12
5.1. Single VPC ............................................................................................................................................ 12
5.2. Multiple VPC ........................................................................................................................................ 13
6. FAQ ............................................................................................................................................................... 14
How to associate several public IP addresses to pfSense WAN interface? .................................................. 14
Is it possible to use pfSense to filter traffic between subnets in a VPC? ..................................................... 14
Is it possible to set a pfSense High Availability cluster in Flexible Engine? .................................................. 14

Orange Business Services | pfSense on FE deployment guide 2

1. Introduction
pfSense software is an open-source firewall with over 1 million active installations in enterprise-level
organizations, higher education institutions, and government agencies worldwide.

pfSense software delivers advanced firewall, VPN, and routing functionality in your cloud-based infrastructure
with features including intrusion detection and prevention, load balancing, traffic shaping, GeoIP blocking,
dual-stack IPv4 and IPv6 support, DHCP and DNS server, Domain Name blacklisting, multiple VPN tunnels using
IPsec and OpenVPN, web content filtering, and more.

Please refer to the pfSense website for more information

2. pfSense image deployment on Flexible Engine

2.1.Prerequisites
Before deploying a pfSense appliance on Flexible you must define a network design corresponding to your
needs.
Here is a simple and minimal network design example on which this deployment guide is based on:

In this example we need 1 VPC with CIDR 172.16.0.0/24 with 2 subnets. A subnet “out” with CIDR
172.16.0.0/27 on which pfSense WAN network interface will be attached and a subnet “in” with CIDR
172.16.128.0/27 on which pfSense LAN network interface will be attached. An EIP will be attached on the WAN
network interface to give pfSense internet connectivity.
The objective here is for pfSense to protect internet access of ECS attached to the subnet “in”.

In order to create the pfSense ECS instance, you will need a SSH Key-Pair. The SSH Key Pair will only be used for
ECS creation; it can’t be used to SSH login on pfSense instances without further configuration.
https://docs.prod-cloud-ocb.orange-business.com/en-us/usermanual/ecs/en-us_topic_0014250631.html

In order to allow network flows, you will need to associate a Security Group to each network interface of your
pfSense instance. Since pfSense is a firewall, you can use a non-filtering Security Group:
https://docs.prod-cloud-ocb.orange-business.com/en-us/usermanual/ecs/en-us_topic_0140323151.html

Orange Business Services | pfSense on FE deployment guide 3

 2.2.pfSense ECS creation
Using Flexible Engine Console create an ECS with the following parameters:

Once the ECS is created go the “NICs” tab of the ECS details page:

Orange Business Services | pfSense on FE deployment guide 4

And disable the “Source/Destination” parameter on each NIC as pfSense ECS will serve as NAT gateway for the
protected ECS:

On the “Security Groups” tab, associate a security group to the network interfaces:

2.3.pfSense initial configuration

You can start configuring pfSense using “Remote Login” from the Flexible Engine console:

We don’t need to set up VLANs since they are not applicable in Flexible Engine network, so you can answer ‘n’
here.
We now define which network interface will be the WAN interface, so you can answer ‘vtnet0’ here since this
network interface is attached to subnet “out” and has an EIP bound:

Orange Business Services | pfSense on FE deployment guide 5

We now define which network interface will be the LAN interface, so you can answer ‘vtnet1’ since this
network interface is attached to subnet “in”:

After confirmation we can see the WAN interface has been configured with DHCP and the LAN interface with a
default static configuration. So we need to configure the LAN interface with menu 2:

LAN interface must be configured manually using the IP address and mask which would have been received by
DHCP.
In single VPC network configuration, upstream gateway should not be configured and DHCP server should
never be activated on LAN interface:

Orange Business Services | pfSense on FE deployment guide 6

If you don’t revert to HTTP as the webconfigurator protocol, it will be accessible in HTTPS though the LAN
interface private IP:

3. pfSense configuration to access web interface from internet

By default webconfigurator is only accessible from LAN interface. It can be configured to be accessible also on
WAN interface but for initial configuration we need a way to access it from LAN interface.
There a few options:
 Deploy a ECS on the LAN subnet and from a remote login open the webconfigurator webpage with
LAN interface private IP address
 Set up an IPsec tunnel between VPC and remote site using Flexible Engine VPNaaS feature
(https://docs.prod-cloud-ocb.orange-business.com/en-us/vpn/index.html) to remotely access
webconfigurator webpage with LAN interface private IP address
 Bound an EIP to LAN network interface

This is the last option which is described in this guide:

First you need to configure pfSense in order to disable “HTTP Referrer Check” using remote login.
You can do that by editing the “config.xml” file using “viconfig” command from the shell.

From the “Remote login” Flexible Engine console open a shell and run the “viconfig” command:

Orange Business Services | pfSense on FE deployment guide 7

Scroll down to “<webgui>” section and add a line with “<nohttpreferercheck></nohttpreferercheck>”:

Now you create EIP and bound it to LAN interface of pfSense ECS:

Then you can open the webconfigurator page from the browser of your workstation:

Orange Business Services | pfSense on FE deployment guide 8

At initial configuration, the webconfigurator SSL certificate is a default self-signed certificate so you need to tell
your browser to accept this untrusted certificate to display login page and authenticate with default credentials
(username=admin and password=pfsense):

After first login it’s strongly recommended to customize the admin password before doing anything else
especially when your webconfigurator is accessible by anyone on the internet through EIP address.
You can do this by running the “Setup Wizard” which will also allow you to start configuring your pfSense
instance for you own purpose.

For further configuration information you can use pfSense online documentation:
https://docs.netgate.com/

Orange Business Services | pfSense on FE deployment guide 9

4. VPC route table configuration to allow protected ECS to use pfSense
as an Internet NAT gateway
In order to use pfSense as an Internet NAT gateway for protected ECS deployed on subnet “in” of the VPC you
need to add a custom route in the VPC route table to send the internet traffic from the protected ECS attached
to subnet “in” to the LAN network interface of your pfSense ECS:

In pfSense webconfigurator verify that automatic outbound NAT rule generation is selected and that a rule with
subnet “in” exists on WAN interface:

Orange Business Services | pfSense on FE deployment guide 10

In pfSense webconfigurator verify that a firewall rule exists on LAN interface to allow traffic on LAN net:

Now you can deploy protected ECS on subnet “in” which will use pfSense instance as an Internet NAT gateway
and define some fine-tuned firewall rules to filter egress and ingress internet traffic for them.

Orange Business Services | pfSense on FE deployment guide 11

5. pfSense network design on Flexible Engine examples

5.1.Single VPC

In this example pfSense instance is used for several purposes:

 It allows ingress and egress internet traffic for the protected ECS in the VPC
 It allows ingress and egress internet traffic for WAN MPLS resources
 It allows interconnect between a Remote site and protected ECS in the VPC and WAN MPLS resources
though an IPsec tunnel
 It allows access to the protected ECS in the VPC, Remote site and WAN MPLS resources to nomad
users through a SSL tunnel
Please note that, in this configuration, traffic between protected ECS in the VPC and MPLS WAN resources is
not filtered by the pfSense instance.

Orange Business Services | pfSense on FE deployment guide 12

 5.2.Multiple VPC

In this advanced example pfSense instance is used to filter all the traffic between the all the VPCs, the MPLS
WAN and Internet.
For this, we introduce the “Subnet Level Based Routing” concept by creating a custom route table attached to
subnet “in” of the transit-fw VPC.
In the default route table of the transit-fw VPC, there is only a default route to send all the traffic entering the
VPC to the LAN interface of pfSense instance.
All the routes toward the other VPCs are set in the custom route so that the traffic going out from the VPC can
be routed only after being filtered.

Orange Business Services | pfSense on FE deployment guide 13

6. FAQ
How to associate several public IP addresses to pfSense WAN interface?
You can add extra WAN network interfaces with EIP bound to your pfSense instance:
https://docs.prod-cloud-ocb.orange-business.com/en-us/usermanual/ecs/en-us_topic_0092497777.html
https://docs.netgate.com/pfsense/en/latest/routing/multi-wan.html

You can also use virtual IPs with EIPs bound associated with one WAN network interface:
https://docs.prod-cloud-ocb.orange-business.com/usermanual/vpc/en-us_topic_0097594610.html
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html

Is it possible to use pfSense to filter traffic between subnets in a VPC?

No, it’s not possible. Only FE Network ACL feature allows inter-subnet filtering.

Is it possible to set a pfSense High Availability cluster in Flexible Engine?

No, it’s not possible. Flexible Engine SDN doesn’t support CARP protocol.

Orange Business Services | pfSense on FE deployment guide 14