How to create a pfSense VM in Azure using a custom image created in Hyper-V.
pfSense is an excellent free firewall, and this guide takes you through putting the pfSense image onto an Azure VM and then setting it up as the firewall for an Azure virtual network.
Creating the .vhdx file in Hyper-V:
First, download the ISO file from https://www.pfsense.org/download/ and unzip it.
This guide uses Hyper-V to create a VHDX image of pfSense, but any virtualisation software should be fine as long as it can convert to VHDX.
Go to Hyper-V and create a new virtual machine using the following settings:
- Any suitable name
- Generation 1
- At least 1 GB of memory
- Connection can be left alone for now
- At least 8 GB of disk. We recommend 16 GB; however, the larger you make it, the longer it takes to upload and the greater the Azure storage cost.
- Install an operating system from a bootable CD/DVD-ROM, image file (.iso), and browse to the pfSense ISO file you downloaded earlier
Go into the properties of the newly created VM, select Add Hardware at the top and add network adapters until you have two. Make sure that one of the network adapters is connected to an internal virtual switch on which you also have a Windows VM that you can use to connect to the pfSense web interface. If you don’t have such a network already set up, go to Virtual Switch Manager in Hyper-V and create a switch with the Internal Network box checked.
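The same Hyper-V build, scripted. This is an added example rather than part of the original guide; the VM name, file paths, ISO filename and switch names are assumptions. It also lists the adapters' MAC addresses, which you will need when pfSense asks you to assign its interfaces after the first boot.

```powershell
# Added example: build the pfSense VM in Hyper-V with the settings listed above.
# VM name, paths, ISO filename and switch names below are assumptions.
$VmName     = 'pfsense-build'
$IsoPath    = 'C:\ISOs\pfSense-CE-amd64.iso'     # hypothetical path to the downloaded ISO
$VhdPath    = 'C:\VMs\pfsense\pfsense.vhdx'       # new dynamically expanding disk
$InternalSw = 'pfSense-Internal'                  # internal switch shared with the admin Windows VM
$ExternalSw = 'Default Switch'                    # gives the WAN side a way out

# Create the internal switch only if it is not already there
if (-not (Get-VMSwitch -Name $InternalSw -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $InternalSw -SwitchType Internal | Out-Null
}

# Generation 1, 1 GB of memory, 16 GB disk; the first adapter goes on the external switch (WAN)
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 1GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 16GB -SwitchName $ExternalSw | Out-Null

# Boot the installer from the ISO (a Generation 1 VM boots from CD before the IDE disk by default)
Add-VMDvdDrive -VMName $VmName -Path $IsoPath

# Second adapter on the internal switch; this one becomes the pfSense LAN interface
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName $InternalSw

# Hyper-V assigns dynamic MAC addresses at first start, so start the VM before reading them
Start-VM -Name $VmName
Get-VMNetworkAdapter -VMName $VmName |
    Select-Object Name, SwitchName, MacAddress |
    Format-Table -AutoSize
```

Note the adapter that shows the internal switch name: that MAC address is the one to give the LAN interface during the pfSense interface assignment step.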
Turn on the pfSense VM and connect to it. Start the install process and select your chosen language settings. Select the Auto (ZFS) partition setting and then Stripe on the next screen; however, any of the disk partitioning methods are fine.
Continue until it asks whether you would like to restart, and at this point eject the disk from the DVD drive. This stops it from going back through the installation process after the restart.
Once the VM starts back up, assign the two network interfaces to the LAN and WAN networks. You can see the MAC addresses of the network adapters in the VM settings in Hyper-V: select the network adapter and press the plus to expand its options, then open the advanced options tab. Make sure the adapter on the LAN network is the one connected to the internal virtual switch. It is easier to use DHCP for both interfaces.
Once this is complete you should reach a menu with options 1 to 16. You will probably want to select option 2 so you can set a new private IP for the LAN interface, enabling you to access it from the web console. After pressing 2, select the LAN interface, choose an IP you know is not in use in the local network's range, and set the bit count to the value of the network's subnet mask (e.g. 24 for a 192.168.1.xxx network). For the rest of the options, skip them (press Enter) or answer n, as none of them are needed.
Now connect to a VM on the same network as pfSense and open the web console by browsing to the IP you set for the LAN interface (e.g. https://192.168.1.1/). This should present a login screen; from here use the default credentials, Admin as the username and pfsense as the password. On all of the setup pages you can just press Next and leave the configuration at its defaults, apart from setting your own admin password when it asks for it. Once you are happy with the setup, shut down the VM and note where you stored the vhd file.
In Hyper-V select Action, Edit Disk and locate the .vhd file of the pfSense VM you just created. Select Convert and choose VHDX, Dynamically Expanding, and then a location to store the new file. You should then upload this file to Azure blob storage, making sure it is in the same region in which you want to create the pfSense VM.
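The conversion and upload as a script. This is an added example, not part of the original guide; the paths, resource group, storage account and container names are assumptions, and the storage account must already exist in the region where the pfSense VM will be created. One caveat a practitioner will hit: the managed-disk import used in the next section reads a fixed-size .vhd rather than a .vhdx, so the example converts to that format. Add-AzVhd transfers only the non-empty blocks, so a mostly unused 16 GB fixed disk is still a reasonable upload.

```powershell
# Added example: convert the Hyper-V disk and upload it to Azure blob storage.
# Paths and Azure resource names are assumptions; the storage account must already
# exist in the same region as the future pfSense VM.
$SourceDisk     = 'C:\VMs\pfsense\pfsense.vhdx'
$AzureDisk      = 'C:\VMs\pfsense\pfsense-azure.vhd'
$ResourceGroup  = 'rg-pfsense'
$StorageAccount = 'stpfsenseimages'
$Container      = 'vhds'

# Azure's managed-disk Import path reads a fixed-size .vhd, so convert to that format
Convert-VHD -Path $SourceDisk -DestinationPath $AzureDisk -VHDType Fixed

Connect-AzAccount | Out-Null

# Make sure the container exists and is private (no anonymous blob access to the image)
$Ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context
if (-not (Get-AzStorageContainer -Name $Container -Context $Ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Context $Ctx -Permission Off | Out-Null
}

# Upload; only non-empty blocks are transferred
$BlobUri = "https://$StorageAccount.blob.core.windows.net/$Container/pfsense-azure.vhd"
Add-AzVhd -ResourceGroupName $ResourceGroup -Destination $BlobUri `
          -LocalFilePath $AzureDisk -NumberOfUploaderThreads 8

# Keep this URI: the managed disk in the next section is created from it
Write-Output "Uploaded to $BlobUri"
```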
Creating the Azure VM
Create a virtual network with two subnets, one for the pfSense firewall and one for the LAN network that you will put all your other VMs in. We recommend making the address ranges match those of the network you built pfSense in, for simplicity.
In Azure, create a managed disk and set the source type to a storage blob. This lets you browse for your uploaded file and create a disk image from it. You can then go to your new disk's page and select Create VM to create a VM from it, or create a VM normally and select the disk as the source.
Create a new network interface card on the main subnet, making sure to enable IP forwarding under Settings, IP configurations in the Azure portal. Turn off the pfSense VM, attach the second network card to it, and then start it up again.
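The Azure side of these three steps, scripted with the Az PowerShell module. This is an added example and not part of the original guide; the resource names, region, address ranges and VM size are assumptions, and $BlobUri is the blob uploaded in the previous section. Unlike the portal steps, it attaches both NICs when the VM is created instead of stopping the VM to add the second one. The WAN NIC is given a Network Security Group that contains only Azure's default rules, so nothing from the internet reaches pfSense until you deliberately add an inbound rule for a port you publish.

```powershell
# Added example: virtual network, managed disk from the uploaded blob, two NICs and the VM.
# Resource names, region, address ranges and VM size are assumptions.
$Rg      = 'rg-pfsense'
$Loc     = 'uksouth'
$BlobUri = 'https://stpfsenseimages.blob.core.windows.net/vhds/pfsense-azure.vhd'

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $Rg -Location $Loc -Force | Out-Null

# Virtual network with two subnets: 'wan' for the firewall's outside NIC,
# 'lan' for pfSense's inside NIC and every VM it protects.
# Pick the LAN range to match the network the image was built in.
$WanSubnet = New-AzVirtualNetworkSubnetConfig -Name 'wan' -AddressPrefix '10.0.0.0/24'
$LanSubnet = New-AzVirtualNetworkSubnetConfig -Name 'lan' -AddressPrefix '10.0.1.0/24'
$Vnet = New-AzVirtualNetwork -Name 'vnet-pfsense' -ResourceGroupName $Rg -Location $Loc `
            -AddressPrefix '10.0.0.0/16' -Subnet $WanSubnet, $LanSubnet
$WanSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'wan' -VirtualNetwork $Vnet
$LanSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'lan' -VirtualNetwork $Vnet

# Managed OS disk imported from the blob (the storage account must be in $Loc)
$Sa = Get-AzStorageAccount -ResourceGroupName $Rg -Name 'stpfsenseimages'
$DiskCfg = New-AzDiskConfig -Location $Loc -CreateOption Import -SourceUri $BlobUri `
               -StorageAccountId $Sa.Id -OsType Linux -HyperVGeneration V1
$OsDisk = New-AzDisk -ResourceGroupName $Rg -DiskName 'disk-pfsense-os' -Disk $DiskCfg

# WAN NIC: public IP plus an NSG holding only the default rules, so inbound from the
# internet is denied until you add a rule for a port you actually publish
$Pip = New-AzPublicIpAddress -Name 'pip-pfsense-wan' -ResourceGroupName $Rg -Location $Loc `
           -AllocationMethod Static -Sku Standard
$Nsg = New-AzNetworkSecurityGroup -Name 'nsg-pfsense-wan' -ResourceGroupName $Rg -Location $Loc
$WanNic = New-AzNetworkInterface -Name 'nic-pfsense-wan' -ResourceGroupName $Rg -Location $Loc `
              -SubnetId $WanSubnet.Id -PublicIpAddressId $Pip.Id `
              -NetworkSecurityGroupId $Nsg.Id -EnableIPForwarding

# LAN NIC: fixed private IP (the next hop for the route table later) with IP forwarding on;
# without it Azure drops packets whose destination is not the NIC's own address
$LanNic = New-AzNetworkInterface -Name 'nic-pfsense-lan' -ResourceGroupName $Rg -Location $Loc `
              -SubnetId $LanSubnet.Id -PrivateIpAddress '10.0.1.4' -EnableIPForwarding

# VM built on the imported disk with both NICs; the WAN NIC is primary
$VmCfg = New-AzVMConfig -VMName 'vm-pfsense' -VMSize 'Standard_B2s'
$VmCfg = Set-AzVMOSDisk -VM $VmCfg -ManagedDiskId $OsDisk.Id -CreateOption Attach -Linux
$VmCfg = Add-AzVMNetworkInterface -VM $VmCfg -Id $WanNic.Id -Primary
$VmCfg = Add-AzVMNetworkInterface -VM $VmCfg -Id $LanNic.Id
$VmCfg = Set-AzVMBootDiagnostic -VM $VmCfg -Disable
New-AzVM -ResourceGroupName $Rg -Location $Loc -VM $VmCfg
```

The static LAN address (10.0.1.4 here) matters: it is the value the route table's next hop will point at, so a DHCP-style dynamic private IP on that NIC would leave the route pointing at nothing if it ever changed.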
RDP to a VM in Azure on the local subnet of pfSense and connect to the web interface at https://[LOCAL IP OF PFSENSE]/ with a web browser. Log in using the username Admin and the password you set. From here you can configure pfSense and add any rules you want. We recommend adding a NAT rule to allow RDP to one of the VMs on the virtual network, as once you apply the route table in the next step you will be unable to RDP to them directly. Remember that if you have a Network Security Group on the WAN NIC you will need to open any external ports you use.
To route traffic from the VMs through pfSense, you need to create a new route table in Azure. It should have a route that points all traffic (0.0.0.0/0) to the IP of the network interface card that is on the main subnet with the other VMs. This route table should then be applied to the main subnet. Once this is applied you should have a fully functioning pfSense firewall that you can configure to suit the requirements of your network.
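The route table, scripted, followed by the check that it actually took effect. This is an added example, not part of the original guide; the resource names are assumptions, 10.0.1.4 is the static private IP given to the pfSense LAN NIC in the earlier example, and nic-app01 stands for the NIC of any protected VM on the LAN subnet. The next hop type has to be VirtualAppliance, which is the type Azure uses for a user-defined route that hands traffic to a VM. Because the table is attached to the LAN subnet, it also applies to pfSense's own LAN NIC; that is harmless, since its replies to LAN hosts match the more specific VNet system route rather than 0.0.0.0/0, and its internet-bound traffic leaves by the WAN NIC in the other subnet.

```powershell
# Added example: send everything leaving the LAN subnet through pfSense and confirm it.
# Resource names and addresses are assumptions carried over from the earlier examples.
$Rg           = 'rg-pfsense'
$Loc          = 'uksouth'
$PfsenseLanIp = '10.0.1.4'    # static private IP of the pfSense NIC on the LAN subnet

Connect-AzAccount | Out-Null

# One user-defined route: the default route with pfSense as a virtual-appliance next hop
$Route = New-AzRouteConfig -Name 'default-via-pfsense' -AddressPrefix '0.0.0.0/0' `
             -NextHopType VirtualAppliance -NextHopIpAddress $PfsenseLanIp
$Rt = New-AzRouteTable -Name 'rt-lan-via-pfsense' -ResourceGroupName $Rg -Location $Loc -Route $Route

# Associate it with the LAN subnet (the subnet that holds the protected VMs)
$Vnet = Get-AzVirtualNetwork -Name 'vnet-pfsense' -ResourceGroupName $Rg
$Lan  = Get-AzVirtualNetworkSubnetConfig -Name 'lan' -VirtualNetwork $Vnet
Set-AzVirtualNetworkSubnetConfig -Name 'lan' -VirtualNetwork $Vnet `
    -AddressPrefix $Lan.AddressPrefix -RouteTable $Rt | Out-Null
$Vnet | Set-AzVirtualNetwork | Out-Null

# Verify on a running protected VM's NIC: the effective 0.0.0.0/0 route must now be
# VirtualAppliance -> $PfsenseLanIp, and Azure's own Internet route should show as Invalid
Get-AzEffectiveRouteTable -ResourceGroupName $Rg -NetworkInterfaceName 'nic-app01' |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Source, State, NextHopType, NextHopIpAddress |
    Format-Table -AutoSize
```

If the effective-route check still shows the Internet route as Active, the association did not apply or the VM is stopped (effective routes are only reported for running VMs); fix that before relying on pfSense to see the traffic.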