
Deploy an open source pfSense firewall

This guide will help you deploy your open source pfSense firewall in the Cloud of Trust in just a few minutes.

Prerequisites

The prerequisites for this guide are as follows:

  1. You have subscribed to the Cloud Temple offering: you have an organization, a tenant, and access credentials,
  2. You have permissions on the compute module.

This document describes the steps required to deploy a virtual pfSense firewall.

Deploy an open source pfSense firewall

pfSense is an open source project based on FreeBSD that enables the deployment of a virtual firewall.

A pfSense firewall is administered through its web interface, which is reachable on the LAN side by default (the WAN side blocks all inbound traffic out of the box). You therefore need a second machine, with a graphical desktop and a browser, that has an IP address on the same network as the firewall's LAN interface in order to configure it.

We will need a pair of virtual machines:

  • The first one will be the machine where we deploy the firewall.
  • The second one will be the machine from which we will administer the firewall.

Request an Internet Access Delivery

The first step is to retrieve the information from your Internet access delivery (referred to below as the CDS).
You must have the following information:

  • public prefix (the address space you are allowed to announce)
  • interconnection prefix
  • anycast gateway
  • IP range
  • local AS (your AS number)
  • Cloud Temple AS (the remote AS number of the route servers)
  • keepalive and hold-time timers
  • route server addresses (your BGP neighbors)

Network Interface Installation and Configuration

You can then deploy your pfSense VM:

  1. Install the firewall from the pfSense template in the Console.
  2. Configure the WAN and LAN interfaces of the firewall: the WAN interface must be in your Internet VLAN, with its IP address and default gateway taken from the IP range and gateway provided in the CDS; the LAN interface goes in a separate, private network.
  3. Deploy the second (management) machine.
  4. Configure the interface of the management VM: this machine must be on the same network as the firewall's LAN interface.

Accessing the Firewall

Once both VMs are properly installed, the next step is to access the firewall to begin its configuration.

  • From the management VM, open a browser and connect over HTTPS to the IP address of the firewall's LAN interface.
  • Default login credentials:
    • username: admin
    • password: pfsense (change the default password at the first login; the setup wizard prompts for it, and a firewall reachable with vendor defaults is a finding in any audit)

Firewall Configuration

This step involves configuring the BGP neighbors on the firewall.

  • First, allow BGP traffic (TCP port 179) in 'Firewall > Rules' on the WAN interface. Restrict the rule to the route server addresses from the CDS as source and the WAN address as destination rather than opening port 179 to any source: a BGP speaker exposed to the whole Internet is an unnecessary attack surface.
  • Go to 'Services > FRR BGP' to begin configuring your BGP session.
  • Check the first two boxes, then enter your local AS number and the keepalive and hold-time timers provided in the CDS.

BGP Neighbor Configuration

In the Neighbors section, click +Add to create one BGP neighbor per route server address listed in the CDS.

  • For each neighbor: enter its IP address in 'General Options > Name/address'.
  • In the Basic Options, enter the remote AS, which is the Cloud Temple AS number from the CDS.
  • In the Advanced Options, check the box that defines the neighbor type. In our case, it is a route server.
  • Lastly, don't forget to save your changes by clicking 'Save'.

Checking the BGP session status with neighbors

In Status, you can view the state of the BGP session you just configured.

Ensure that the BGP State shows Established for every route server. A session stuck in Active or Connect means the TCP connection is not coming up (check the WAN rule for port 179 and the neighbor address); a session that opens and immediately falls back to Idle is typically an AS number mismatch between what you entered and what the CDS states.
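The same check can be scripted against the CLI output instead of reading the Status page: the FRR `show ip bgp summary` table prints the number of received prefixes in the State/PfxRcd column when a session is Established and the FSM state name (Active, Idle, Connect, ...) otherwise, which is easy to misread by eye. The following is an added example, not code from the page or the pfSense project; the summary text, addresses and AS numbers are constructed documentation values (what you would capture with `vtysh -c "show ip bgp summary"` on the firewall), and the route server set and Cloud Temple AS are placeholders for the values in your CDS.

```python
"""Parse FRR `show ip bgp summary` output and verify every expected route
server session is Established with the expected remote AS (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `vtysh -c "show ip bgp summary"` output, in the layout
# FRR prints. 198.51.100.x / AS 64500 / AS 65001 are documentation values.
SAMPLE_SUMMARY = """\
IPv4 Unicast Summary (VRF default):
BGP router identifier 198.51.100.10, local AS number 65001 vrf-id 0
BGP table version 4
RIB entries 3, using 576 bytes of memory
Peers 2, using 1449 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
198.51.100.1    4      64500       142       140        4    0    0 01:12:33            1        2 N/A
198.51.100.2    4      64500         3         5        0    0    0    never       Active        0 N/A

Total number of neighbors 2
"""


@dataclass
class Peer:
    address: str
    remote_as: int
    state: str                      # "Established" or the FSM state FRR printed
    prefixes_received: int
    prefixes_sent: Optional[int]    # None on FRR versions without a PfxSnt column


# One table row: address, version, AS, five counters, Up/Down, State/PfxRcd, optional PfxSnt.
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+)\s+(?P<ver>\d)\s+(?P<as>\d+)"
    r"(?:\s+\d+){5}\s+"                                   # MsgRcvd MsgSent TblVer InQ OutQ
    r"(?P<updown>\S+)\s+"
    r"(?P<state>\d+|[A-Za-z]+(?: \([A-Za-z]+\))?)"        # "1" when Established, else e.g. "Idle (Admin)"
    r"(?:\s+(?P<sent>\d+))?"
)


def parse_bgp_summary(text: str) -> list:
    """Return one Peer per neighbor row of the summary table."""
    peers = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("Total"):
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        sent = m.group("sent")
        established = state.isdigit()
        peers.append(Peer(
            address=m.group("addr"),
            remote_as=int(m.group("as")),
            state="Established" if established else state,
            prefixes_received=int(state) if established else 0,
            prefixes_sent=int(sent) if sent is not None else None,
        ))
    return peers


def check_route_servers(text: str, expected_servers: set, expected_as: int) -> list:
    """Return a list of problems; an empty list means all route server sessions are healthy."""
    peers = {p.address: p for p in parse_bgp_summary(text)}
    problems = []
    for addr in sorted(expected_servers):
        p = peers.get(addr)
        if p is None:
            problems.append(f"{addr}: no BGP neighbor configured")
        elif p.remote_as != expected_as:
            problems.append(f"{addr}: remote AS {p.remote_as} != Cloud Temple AS {expected_as}")
        elif p.state != "Established":
            problems.append(f"{addr}: session {p.state}, not Established")
        elif p.prefixes_sent == 0:
            problems.append(f"{addr}: Established but announcing 0 prefixes")
    # A neighbor that is not in the CDS should not exist on an Internet-facing firewall.
    for addr in sorted(set(peers) - set(expected_servers)):
        problems.append(f"{addr}: unexpected neighbor (AS {peers[addr].remote_as})")
    return problems


if __name__ == "__main__":
    # Placeholders for the route server addresses and Cloud Temple AS from your CDS.
    for problem in check_route_servers(SAMPLE_SUMMARY, {"198.51.100.1", "198.51.100.2"}, 64500):
        print(problem)
```

On a real firewall, replace `SAMPLE_SUMMARY` with the captured output and the placeholder set with the route server addresses from your CDS; a non-empty result is the list of sessions to investigate before announcing anything.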

Announce your public prefix

To announce your public prefix, create /32 static routes pointing to the null gateway and redistribute static routes into BGP:

  • In System > Routing > Static Routes: create your static routes as /32, setting the Gateway to Null4-127.0.0.1 (the built-in IPv4 null gateway).
  • In Services > FRR package > BGP > Network Distribution: enable redistribution by selecting IPv4 in 'Redistribute FRR static routes'.

Only create routes for addresses inside the public prefix from the CDS: redistribution announces every static route FRR knows about, not just the ones you meant to originate, so keep the static route list limited to your own address space (or filter outbound with a prefix list) to avoid announcing space you do not hold.
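Before enabling redistribution, it is worth checking the list of static routes against the delivered public prefix, since a typo in a route becomes an announcement of someone else's address space the moment redistribution is switched on. The following is an added example, not part of the page or of pfSense; `PUBLIC_PREFIX` and `STATIC_ROUTES` are constructed documentation values standing in for the public prefix from your CDS and the routes you entered under System > Routing > Static Routes.

```python
"""Pre-flight check of static routes before they are redistributed into BGP:
every route must fall inside the delivered public prefix (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed values: 203.0.113.0/28 stands in for the public prefix in your CDS,
# and 198.51.100.0/24 for the interconnection range, which must never be announced.
PUBLIC_PREFIX = "203.0.113.0/28"
STATIC_ROUTES = [
    "203.0.113.1/32",
    "203.0.113.2/32",
    "203.0.113.2/32",   # duplicate entry, silently dropped
    "203.0.113.32/32",  # outside the delivered /28: rejected
    "198.51.100.5/32",  # interconnection address: rejected
    "203.0.113.0/28",   # exactly the delivered prefix: accepted
    "203.0.113.0/24",   # covers more than we hold: rejected
]


def plan_announcements(public_prefix: str, routes: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[Tuple[str, str]]]:
    """Split candidate routes into (accepted networks, [(route, reason) rejected])."""
    allowed = ipaddress.ip_network(public_prefix, strict=True)
    accepted, rejected, seen = [], [], set()
    for route in routes:
        try:
            net = ipaddress.ip_network(route, strict=True)   # strict: host bits must be zero
        except ValueError as exc:
            rejected.append((route, f"not a valid prefix: {exc}"))
            continue
        if net.version != allowed.version:
            rejected.append((route, "address family differs from the public prefix"))
            continue
        if net in seen:
            continue
        seen.add(net)
        if net.subnet_of(allowed):
            accepted.append(net)
        else:
            rejected.append((route, f"not inside {allowed}"))
    accepted.sort()
    return accepted, rejected


def minimal_set(accepted: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse accepted routes: more-specifics already covered by an accepted
    aggregate are redundant announcements."""
    return list(ipaddress.collapse_addresses(accepted))


if __name__ == "__main__":
    ok, bad = plan_announcements(PUBLIC_PREFIX, STATIC_ROUTES)
    for net in ok:
        print(f"announce  {net}")
    for route, reason in bad:
        print(f"REJECT    {route}: {reason}")
    print("minimal set:", ", ".join(str(n) for n in minimal_set(ok)))
```

Run it with the real prefix and route list from your firewall; anything under REJECT must be removed from System > Routing > Static Routes before redistribution is enabled, and the minimal set tells you which more-specific routes add nothing once an aggregate is announced.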