Running pfSense as an Azure IaaS Virtual Machine

A client of mine asked me whether it would be possible to run pfSense as a Microsoft Azure IaaS Virtual Machine. pfSense® software is a free, open source customized distribution of FreeBSD, specifically tailored for use as a firewall and router that is entirely managed via a web interface.

At that time I was aware that running FreeBSD 10 under Hyper-V and in Microsoft Azure is something that can be done, so I decided to build a deployment as a proof of concept and to write a blog post about it.

This post provides instructions and all the steps necessary to prepare, upload and run pfSense 2.2.3 in Microsoft Azure.

Please note that FreeBSD is not currently an endorsed distribution in Microsoft Azure and is therefore not supported.

Resources
Design

Let's put what we want to achieve into context. The deployment's design is as follows:

 pfSense01

Procedure

To prepare a pfSense image for Microsoft Azure, download the latest x64 image and install it locally as a Hyper-V Virtual Machine on a Windows Server 2012 R2 host:

  1. Download the latest x64 pfSense image from the Latest Stable Version of pfSense page (as of July 2015 the latest version is 2.2.3)
  2. Decompress the image file to extract the installation ISO pfSense-LiveCD-2.2.3-RELEASE-amd64-20150623-1637.iso
  3. Attach the ISO file as a DVD drive to the newly created Hyper-V Virtual Machine

pfSense02

  4. Start the installation of pfSense

pfSense03

  • After successful installation of pfSense, enable SSH

pfSense04

  • Install Python 2.7 and the required modules

You should symlink the new Python 2.7 binary so that it can be invoked simply as python.

  • Install sudo

Typically on Azure the root account is disabled and we log in with an unprivileged user. That unprivileged user must use sudo to run commands with elevated privileges.

  • Install the Azure Linux Agent

The latest version of the Azure Linux Agent can be found in its GitHub repository:

https://github.com/Azure/WALinuxAgent

Version 2.0.10 or later is required for FreeBSD. The 2.0 branch is typically very stable, and as of July 2015 the latest version is 2.0.14.

  • Set IP addresses

Configure the WAN (hn0) interface as a DHCP client.

Assign the static IP address 172.16.2.10 to the LAN (hn1) interface.

pfSense05

  • Shut down the pfSense Virtual Machine

The pfSense Virtual Machine is now ready to run in Microsoft Azure.

Upload the pfSense-2.2.3 VHD to Azure

Using the following PowerShell commands, we first upload the pfSense VHD to a Microsoft Azure Storage Account and then create a custom image from it:

Note that we register the image with OS type Linux instead of FreeBSD, as FreeBSD is not currently supported.

Create a Multi-NIC Virtual Machine

The custom image that we created previously can be used to create a pfSense Virtual Machine with two Virtual Network Interfaces (vNICs) in Microsoft Azure. More details about creating a Virtual Machine with multiple vNICs in Microsoft Azure can be found in a previous post:

Create a Virtual Machine with Multiple NICs in Azure IaaS

A pfSense Virtual Machine with two vNICs is created by running the following PowerShell commands:

Setup User Defined Routes

With user defined routes we have complete control over the traffic flow in our virtual network. By default a virtual network provides system routes for traffic between virtual machines. We can customize the routing by defining our own routes, which allows us to direct traffic through the pfSense Virtual Machine we have just created. Routes are defined inside a routing table that is applied to subnets, and every VM within a subnet automatically inherits the routes of that table.

The following PowerShell commands allow us to:

  • Create the routing tables
  • Create routes in the routing tables
  • Apply routing tables to subnets
  • Enable IP forwarding on pfSense's vNICs

The pfSense Virtual Machine must be able to receive incoming traffic that is not addressed to itself, which is why IP forwarding has to be enabled on its vNICs.
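The following is an added example, not the post's own command listing, showing one way to carry out the upload, multi-NIC VM and user defined route steps above with the classic (Service Management) Azure PowerShell cmdlets of that era. The storage account, cloud service, VNet and subnet names and the WAN and Servers address ranges are assumptions; only the pfSense LAN address 172.16.2.10 comes from the post.

```powershell
# Added example, not the post's own commands: classic (Service Management) Azure PowerShell.
# Assumed names: storage account "pfsensestore", cloud service "pfSenseSvc", VNet "pfSenseVNet"
# with subnets WAN (172.16.1.0/24), LAN (172.16.2.0/24) and Servers (172.16.3.0/24).
# Only the pfSense LAN address 172.16.2.10 comes from the post.

# 1. Upload the VHD and register it as a custom image. The OS type is Linux because
#    FreeBSD is not an endorsed OS and cannot be selected for the image.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "MySubscription" -Current
Set-AzureSubscription -SubscriptionName "MySubscription" -CurrentStorageAccountName "pfsensestore"
$vhdUri = "https://pfsensestore.blob.core.windows.net/vhds/pfSense-2.2.3.vhd"
Add-AzureVhd -Destination $vhdUri -LocalFilePath "C:\VMs\pfSense-2.2.3.vhd"
Add-AzureVMImage -ImageName "pfSense-2.2.3" -MediaLocation $vhdUri -OS Linux -Label "pfSense 2.2.3"

# 2. Two-NIC VM from the image (multiple NICs need a Large/A3 or bigger size).
#    hn0 (primary NIC) goes to the WAN subnet; hn1 gets the same static LAN address
#    that was configured inside pfSense, so the platform and the guest agree.
$vm = New-AzureVMConfig -Name "pfSense" -InstanceSize "Large" -ImageName "pfSense-2.2.3"
Add-AzureProvisioningConfig -VM $vm -Linux -LinuxUser "azureadmin" -Password (Read-Host "Admin password")
Set-AzureSubnet -SubnetNames "WAN" -VM $vm
Set-AzureStaticVNetIP -IPAddress "172.16.1.10" -VM $vm
Add-AzureNetworkInterfaceConfig -Name "LAN" -SubnetName "LAN" -StaticVNetIPAddress "172.16.2.10" -VM $vm
New-AzureVM -ServiceName "pfSenseSvc" -VNetName "pfSenseVNet" -Location "West Europe" -VMs $vm

# 3. User defined route: the Servers subnet sends everything to pfSense's LAN IP, so the
#    firewall rules apply to its outbound traffic. Do not attach this table to the LAN
#    subnet that holds pfSense itself, or its own traffic would loop back to it.
New-AzureRouteTable -Name "ServersRT" -Location "West Europe" -Label "Servers via pfSense"
Get-AzureRouteTable -Name "ServersRT" |
    Set-AzureRoute -RouteName "DefaultViaPfSense" -AddressPrefix "0.0.0.0/0" `
                   -NextHopType VirtualAppliance -NextHopIpAddress "172.16.2.10"
Set-AzureSubnetRouteTable -VirtualNetworkName "pfSenseVNet" -SubnetName "Servers" -RouteTableName "ServersRT"

# 4. IP forwarding on both vNICs: otherwise the platform drops packets whose destination
#    is not the NIC's own address and pfSense never sees the routed traffic.
$pf = Get-AzureVM -ServiceName "pfSenseSvc" -Name "pfSense"
$pf | Set-AzureIPForwarding -Enable
$pf | Set-AzureIPForwarding -NetworkInterfaceName "LAN" -Enable

# Check what was applied before pointing workloads at the firewall.
Get-AzureRouteTable -Name "ServersRT" -Detailed
$pf | Get-AzureIPForwarding
$pf | Get-AzureIPForwarding -NetworkInterfaceName "LAN"
```

The route table is deliberately applied only to the Servers subnet, since a default route pointing at the firewall from the firewall's own subnet would send its traffic back to itself.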

12 thoughts on “Running pfSense as an Azure IaaS Virtual Machine”

  1. Dan

    I noticed the Twitter post saying that pfSense says there are some serious shortcomings with this setup; do you know what these are, are they insurmountable, and should we wait for the official image?

  2. Vaggelis Kappas Post author

    I didn't notice any serious or insurmountable shortcomings. This procedure has led to a production environment that has been working perfectly until now. However, an official image that is engineered by the Microsoft and pfSense teams together is always better.

  3. Bob

    Do you have any information on setting up the load balancer to forward all traffic, instead of having to build a million NAT rules from the public IP > front-end IP of pfSense, followed by the same rules passing traffic to the server VNet?

    Hope that makes sense.

    1. Vaggelis Kappas Post author

      Azure Load Balancer will do port translation and load balance the network traffic by leveraging the public IP address of the cloud service.

      In the classic deployment model, port translation is done through endpoints that have a one-to-one relationship between the publicly assigned port of the public IP address and the local port assigned to send traffic to a specific virtual machine.

      Another way to access an Azure VM is the Instance Level Public IP (ILPIP), which is a public IP address that you can assign directly to your VM or role instance, rather than to the cloud service that your VM or role instance resides in. Please keep in mind that an ILPIP is an IP directly assigned to an Azure VM without any protection such as a firewall, DDoS protection etc.

  4. Ryan

    Thank you, Vaggelis, for this. What I mean is that I have to create a NAT rule for every port I want to be allowed to access pfSense, i.e. I can't say port range * to port range * goes to pfSense DMZ NIC1.

    It has to be one rule at a time, i.e.

    443 to DMZ NIC1
    51 to DMZ NIC1 and so on

    Also having problems uploading the VHD.

    Setting this up is proving a challenge between the load balancer and assigning NICs etc.

    1. Vaggelis Kappas Post author

      This is correct. You have to create an endpoint for each port you want to forward to pfSense and then create a pfSense rule to allow the traffic to this port. Using PowerShell for endpoint creation will simplify the process on the Azure side.

  5. Christian

    The official pfSense version does not deploy correctly, and with an A3 or D-series VM (to allow multiple NICs) the setup gets costly quickly.

    @Vaggelis, would you mind updating the guide for the new Azure Portal / Azure Resource Manager? I am trying to follow your guide, using input from here: https://github.com/Azure/azure-quickstart-templates/blob/master/201-specialized-vm-in-existing-vnet/azuredeploy.json, but the pfSense VM is not spinning up. The HDD remains a 0 byte disk and at the end the deployment times out.

    1. Vaggelis Kappas Post author

      Sure, actually it is in my plans first to update the guide so that it is valid for the Azure Resource Manager model, and then to write a new blog post about how you can use a single-NIC VM to protect your Azure Virtual Network.

  6. Rb

    Hi,
    This is an excellent article.
    Unfortunately I am having issues installing the Azure Linux Agent, as the wget or fetch commands are unrecognized by pfSense. I am running pfSense version 2.3.2 using Hyper-V on Windows Server 2012. I was able to install Python and sudo, but the Azure Linux Agent has proved to be tricky. Any suggestions?
