his image is unsupported. This means that we don't provide any guarantees or support on the software within the image.
pfsense Gateway VM 1
Create a new Openstack instance:
Choose a "Standard 3" Flavor and select the pfSense image:
pfsense does not support cloudinit, so click Next:
Choose "Attach directly to the Public Internet":
Choose "Allow all traffic":
Choose Finish. The server will now start building.
When it is finished building, open it and turn it off:
This is needed because we are now going to create the private network.
We need to attach a port to the VM and pfsense does might not see it
when it is hot plugged.
Choose the Networks menu option:
Choose New Network:
Create a new network with the following options:
- Name: Choose one
- IPv4 Addres Range: Choose one, for example 192.168.10.0/24
- Disable routing
- Uncheck "Automatically assign IP addresses with DHCP"
Choose "Create Network"
pfsense Gateway VM 2
Go back to the pfsense instance (Servers --> pfsense vm). Make sure it
is still off, the status should be "Shutt off":
Choose "+Attach Network":
Choose the network to add, the one we just created:
Make note of the IP addresses:
Now navigate back to the "Networks --> the network we created". Make
note of the MAC address which belongs to the Port for the IP address of
the pfsense VM:
We need this to check which interface in pfsense is the internal one
(LAN) and which is the external one (WAN).
Navigate back to the pfsense vm (Servers --> pfsense VM).
Choose Start up:
Open the Console:
Wait for the VM to boot up. When the menu appears it is fully booted up.
The vtnet0 WAN interface should have a public IP via DHCP:
Choose option 1, Assign Interfaces.
Check the MAC address of the vtnet0 and vtnet1 interfaces. The vtnet1
interface should have the MAC of the private network we noted earlier:
We do not want to set up VLAN's right now, so type N.
Enter `vtnet0` for the WAN interface.
Enter `vtnet1` for the LAN interface.
Enter Y, we want to proceed.
Now in the main menu, type 2 to assign interface IP addresses.
Start with 1, the WAN interface.
Type Y, we want DHCP for the WAN.
Type Y again, we also want DHCP for IPv6.
Type N, we don't want the webinterface on HTTP.
Type 2 again, we are now going to configure the LAN interface.
Enter 2 as the interface number, for the LAN interface.
Enter the IPv4 address we got from the network port earlier, in this
case for me it is `192.168.10.2`.
Enter 24 as the subnet count.
Enter nothing at the gateway, it is the LAN interface.
Enter nothing at the IPv6 address.
Enable the DHCP interface on LAN, type Y.
Give the start of the range, in this example we'll use `192.168.10.100`.
Type the end of the range, in this example we'll use `192.168.10.200`.
Enter N, we do not want to go back to HTTP as the configuration protocol.
You are now able to open the pfsense web interface on the IP address
shown at the vtnet0 interface:
Login with the default username and password, `admin` and `pfsense`.
Check the interfaces. Both should have a green arrow and an IP address.
If you have a red arrow, configure the interfaes again and make sure to
check the MAC addresses.
Navigate to "System --> Routing":
We need to set the correct gateway. This is not done by DHCP yet. In my
case, the external IP is `220.127.116.11`. However, the gateway is set
to `18.104.22.168`. This should be corrected. Click the little E at the
Set the gateway to the correct one for the IP address. In this case it
Click Apply Changes:
Now navigate to "Firewall --> NAT":
Open the "Outbound" tab.
Select "Automatic outbound NAT rule generation". Click Save.
Click Apply Changes.
We are now done with the pfsense setup. To test it, create a new VM, for
example, a Windows Server 2012 one.
Attach it to our new pfsense private network:
Make sure to select Allow All Traffic.
Once it is spawned, it should have an IP in our new private network:
Open up the console, and go through the setup.
Choose a country and language.
Accept the EULA (if you agree with it, of course).
Choose an administrator password.
Navigate to the Network Adapter settings. If you cannot find it, open up powershell and type `ncpa.cpl`. Edit the properties of the network adapter and set the IP address openstack gave you in the private range. In our case, `192.168.10.3`.
You can check in pfsense under "Diagnostics --> ARP Table" if the MAC and IP address of our new test VM appear, on the LAN interface:
Here is a screenshot from the Windows 2012 test machine showing it's IP configuration, plus a webpage and a ping:
Do note that that screenshot is of another test windows machine in the same network.
If you have any trouble, check the pfsense logging pages. Try to do a tcpdump to see where the packets come and go (`tcpdump -i vtnet0 'port 80'`). Check the pfsense state overview. You should see Established States. Make sure the VM's are all in the allow-all security groups.
Do note that you must disable hardware checksum offloading. If you leave this on, the appliance will be extremely slow.
- Navigate to System > Advanced on the Networking tab
- Check Disable hardware checksum offload under the Network Interfaces header.
- Click save