

Azure: Custom pfSense on Azure VM

Overview

A complete guide on how to

  • create a pfSense VM on a local Hyper-V server,
  • prepare it for Microsoft Azure,
  • upload the disk to Azure and
  • create a multi-NIC VM.

Download

Download the latest image from https://www.pfsense.org/download/

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a46417942ce4.png

Create VM

Open Hyper-V Manager and create a Generation 1 VM. We assigned 4096 MB of RAM and two cores, used a VHD disk, added an extra NIC (for the second interface) and selected the downloaded ISO.

Create a fixed-size VHD, as Azure supports only fixed VHDs for custom VMs.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a4612db0c33f.png

Boot from the ISO and install pfSense

Start the VM and at the first screen press Enter.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a4611c229af2.png

On all screens we accepted the default settings. Finally, at the reboot prompt, remove the installation ISO.

There is no need to set up VLANs. Select the second interface for WAN and the first for LAN.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a4614323b079.png

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a46147b409db.png

Once pfSense is ready, press 2 and set the LAN (hn0) interface IP to an address on your network. Select option 14 to enable SSH.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a464549bd64f.png

Now we can log in with PuTTY, using the username admin and the password pfsense, and press 8 for shell access.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a4619a436eb5.png

The first thing is to update the packages by running:

pkg upgrade

Python

Install Python, as it is a requirement for the Azure Linux Agent.

Search for Python packages by running:

pkg search python

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a46475c9ca1b.png

Install the latest Python package, setuptools, and Bash:

pkg install -y python27-2.7.14

pkg search setuptools
pkg install py27-setuptools-36.2.2
ln -s /usr/local/bin/python /usr/local/bin/python2.7
pkg install -y bash

Azure Linux Agent

ref: /en-us/azure/virtual-machines/linux/create-upload-generic

pkg install git
git clone https://github.com/Azure/WALinuxAgent.git
cd WALinuxAgent
git tag                                 # list the available release tags
git checkout WALinuxAgent-2.1.1
git checkout WALinuxAgent-2.0.16        # the release we ended up installing
python setup.py install
ln -sf /usr/local/sbin/waagent /usr/sbin/waagent

Check that the agent is installed:

waagent -version

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a46540428ee9.png

Set LAN interface

One final step before uploading the VHD to Azure is to set the LAN interface to DHCP. This can be done through the web interface.

Go to https://lanaddress, log in using admin / pfsense, go to Interfaces / LAN and select DHCP as the IPv4 Configuration Type.

https://www.e-apostolidis.gr/wp-content/uploads/2017/12/img_5a469d4f2dd21.png

Upload to Azure

Now shut down pfSense and upload the VHD to Azure Storage.

Use Storage Explorer (https://azure.microsoft.com/en-us/features/storage-explorer/), a free tool for managing Azure Storage. Log in to your Azure account and press Upload. Select “Page blob” as the Blob type.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4cc0ac27e62.png

Create multi-NIC VM

After the upload completes we can create a multi-NIC VM. This cannot be done from the portal GUI, so we will create it with PowerShell.

$ResourceGroupName  = "******"       # resource group that holds the virtual network
$pfresourcegroup    = "*******"      # resource group for the pfSense VM, its NICs and public IP
$StorageAccountName = "******"
$vnetname           = "*****"
$NSGname            = "******"
$location           = "West Europe"

$vnet          = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$backendSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet

$vmName = "pfsense"
$vmSize = "Standard_F1"

# Public IP and the two NICs (both on the first subnet of the VNet in this example)
$pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Dynamic
$nic1  = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pubip.Id
$nic2  = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id

# VM configuration: attach the uploaded VHD as the OS disk
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzureRmVMOSDisk -VM $vm `
            -VhdUri https://********.blob.core.windows.net/vhds/pfsensefix.vhd `
            -Name pfsenseos -CreateOption attach -Linux -Caching ReadWrite

# Attach both NICs and mark the first one as primary
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
$vm.NetworkProfile.NetworkInterfaces.Item(0).Primary = $true

New-AzureRmVM -ResourceGroupName $pfresourcegroup -Location $location -VM $vm -Verbose
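The script above puts both NICs on the same subnet, defines $NSGname but never attaches an NSG, and leaves IP forwarding off on the NICs, which Azure requires before it will deliver packets that a NIC forwards on behalf of other hosts. The following is an added example (not part of the original post) of the NIC section written the way a production deployment needs it: the WAN NIC on a DMZ subnet behind an NSG that only admits management traffic from an administrator prefix, the LAN NIC on the backend subnet with a static private IP (so the next hop used later in the route table never changes), and IP forwarding enabled on both. It reuses the variables of the script above; the subnet names "backend" and "dmz", the prefix in $adminSourcePrefix and the address in $pfLanIp are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes $pfresourcegroup, $ResourceGroupName,
# $vnetname, $NSGname and $location from the script above. The subnet names, the admin
# prefix and the static LAN IP below are placeholders.
$adminSourcePrefix = "203.0.113.0/24"   # placeholder: only this range may reach SSH/HTTPS on pfSense
$pfLanIp           = "10.0.1.4"          # placeholder: static LAN IP, later used as the route next hop

$vnet   = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$lanSub = Get-AzureRmVirtualNetworkSubnetConfig -Name "backend" -VirtualNetwork $vnet
$dmzSub = Get-AzureRmVirtualNetworkSubnetConfig -Name "dmz"     -VirtualNetwork $vnet

# NSG for the public-facing NIC: management ports only from the admin prefix, then deny the rest.
# pfSense boots with the default admin/pfsense credentials, so nothing else should be able to reach them.
$allowSsh = New-AzureRmNetworkSecurityRuleConfig -Name "allow-admin-ssh" -Direction Inbound -Priority 100 -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $adminSourcePrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 22
$allowWeb = New-AzureRmNetworkSecurityRuleConfig -Name "allow-admin-https" -Direction Inbound -Priority 110 -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $adminSourcePrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
$denyAll  = New-AzureRmNetworkSecurityRuleConfig -Name "deny-inbound" -Direction Inbound -Priority 4000 -Access Deny `
    -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
$nsg = New-AzureRmNetworkSecurityGroup -Name $NSGname -ResourceGroupName $pfresourcegroup -Location $location `
    -SecurityRules $allowSsh, $allowWeb, $denyAll

# Static public IP so the WAN address survives a deallocate/start cycle.
$pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Static

# WAN NIC: DMZ subnet, public IP, NSG. LAN NIC: backend subnet, fixed private IP.
# -EnableIPForwarding on both: without it Azure drops every packet whose destination is not the NIC's own IP,
# so the VM could never act as a router.
$nic1 = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location `
    -SubnetId $dmzSub.Id -PublicIpAddressId $pubip.Id -NetworkSecurityGroupId $nsg.Id -EnableIPForwarding
$nic2 = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location `
    -SubnetId $lanSub.Id -PrivateIpAddress $pfLanIp -EnableIPForwarding

# The rest of the VM creation is identical to the script above ($nic1 and $nic2 are attached to $vm).
```

After the VM boots, confirm which Azure NIC became hn0 and which hn1 inside pfSense before trusting the layout: compare the MacAddress property of each NIC object (Get-AzureRmNetworkInterface) with the MAC addresses shown under Interfaces / Assign in the pfSense web interface, and reassign if the WAN NIC ended up on the subnet you meant for LAN. The NSG is only an outer layer; pfSense's own WAN rules still decide whether management is reachable at all on that interface.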

Once the VM is created, go to the VM’s blade and scroll down to “Boot diagnostics”. There you can see a screenshot of the VM’s monitor.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4cddde2157b.png

Go to the Networking section and SSH to the Public IP.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ce2adeacc3.png

We can also log in to the pfSense web interface.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ce3fe0353a.png

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ce85fe97a1.png

In this case we added both NICs to the same subnet, but in a production environment add the LAN interface to the backend subnet and the WAN interface to the DMZ (public) subnet.

Of course, more NICs can be added to the VM, one for each subnet in the environment.

Route external traffic through the pfSense

We cannot change the default gateway of an Azure VM, but we can use route tables to send the traffic through pfSense.

From the Azure Portal, select New and search for “Route table”.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ce9f90f26b.png

We need to configure two things: associate the route table with a subnet, and create a route.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ceae539c0b.png

Open the “Route table” and click “Routes”. Press “Add route” and, to route all outbound traffic through pfSense, enter “0.0.0.0” as the Address prefix, “Virtual appliance” as the Next hop type and the IP address of pfSense's LAN interface as the Next hop address.

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4cec67cf571.png

Then go to “Subnets” and associate the required subnets.
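The same two steps (create the default route, associate the table with a subnet) done with the AzureRM cmdlets the post already uses, followed by the check that shows whether the route actually took effect. This is an added example, not part of the original post; it assumes $pfresourcegroup, $ResourceGroupName, $vnetname and $location from the VM script, and $pfLanNicName, the subnet name "backend" and the NIC name "backend-vm-nic" are placeholders. Azure stores the address prefix in CIDR form, so the "all traffic" prefix is written 0.0.0.0/0.

```powershell
# Added example (not from the original post). Assumes $pfresourcegroup, $ResourceGroupName,
# $vnetname and $location from the VM creation script. Placeholders: $pfLanNicName,
# $backendName and the NIC name used in the final check.
$pfLanNicName = "EXPFN1NIC2"   # placeholder: the NIC pfSense assigned as LAN (verify by MAC under Interfaces / Assign)
$backendName  = "backend"      # placeholder: subnet whose outbound traffic must go through pfSense

# Next hop = pfSense LAN private IP, read from the NIC object instead of being typed by hand.
$pfLanNic = Get-AzureRmNetworkInterface -Name $pfLanNicName -ResourceGroupName $pfresourcegroup
$pfLanIp  = $pfLanNic.IpConfigurations[0].PrivateIpAddress

# Azure only forwards on behalf of a NIC that has IP forwarding enabled; repair it if the NIC was created without.
if (-not $pfLanNic.EnableIPForwarding) {
    $pfLanNic.EnableIPForwarding = $true
    $pfLanNic = Set-AzureRmNetworkInterface -NetworkInterface $pfLanNic
}

# Route table with one default route: everything (0.0.0.0/0) -> virtual appliance at the pfSense LAN IP.
$rt = New-AzureRmRouteTable -Name "pfsense-default-route" -ResourceGroupName $pfresourcegroup -Location $location
$rt = Add-AzureRmRouteConfig -RouteTable $rt -Name "default-via-pfsense" -AddressPrefix "0.0.0.0/0" `
        -NextHopType VirtualAppliance -NextHopIpAddress $pfLanIp | Set-AzureRmRouteTable

# Associate the table with the backend subnet only. Never attach it to the subnet holding pfSense's
# WAN NIC: pfSense's own outbound traffic would then be handed straight back to pfSense.
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $backendName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $backendName `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# Check from any NIC in the backend subnet ("backend-vm-nic" is a placeholder): the effective routes
# must now list 0.0.0.0/0 with NextHopType VirtualAppliance and the pfSense LAN IP as next hop.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName "backend-vm-nic" -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

If the check still shows the system route (Source Default, NextHopType Internet) as the active 0.0.0.0/0 entry, the association did not apply to that subnet; if the VirtualAppliance route is present but hosts lose connectivity, the usual cause is IP forwarding being off on the pfSense NIC or pfSense's own outbound NAT rules not covering the backend subnet.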

https://www.e-apostolidis.gr/wp-content/uploads/2018/01/img_5a4ced5dacef4.png
