Author Topic: pfSense is now on Azure  (Read 8762 times)

Offline jwt

  • Administrator
  • Sr. Member

Offline mzac

  • Newbie
Re: pfSense is now on Azure
« Reply #1 on: May 19, 2016, 12:37:43 pm »
Awesome! I tried to deploy (with success) but can't get it to provision more than one NIC to the VM.  Any hints on what I should be doing?

I created a new virtual network (for LAN) and added another NIC to the resource group, however when I go to edit the VM I don't see that I can add a second NIC.

- Zac

Offline mgsmith

  • Newbie
Re: pfSense is now on Azure
« Reply #2 on: May 20, 2016, 08:08:25 am »
Azure won't allow you to deploy a VM with multiple NICs unless you use PowerShell to provision the VM and it is only supported on large instance sizes (A3 or larger). There are instructions on the PowerShell commands to deploy a multiple NIC VM here: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/.

Offline mgsmith

  • Newbie
Re: pfSense is now on Azure
« Reply #3 on: May 20, 2016, 10:46:47 am »

The image can only be deployed in "resource manager" mode in Azure. Some of the "classic deployment" PowerShell commands that show up in different tutorials on deploying multiple NIC instances in Azure won't work. You have to look for the links that mention deploying under ARM or Resource Manager.

This is probably a better overview than the one I posted before: https://azure.microsoft.com/en-us/documentation/articles/virtual-network-deploy-multinic-arm-ps/

The script linked to in that page is here: https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/IaaS-Story/11-MultiNIC/arm/virtual-network-deploy-multinic-arm-ps.ps1

If you are trying to use the script above as a model for launching an instance, you would use "Netgate" as the publisher, "netgate-pfsense-appliance" as the offer, "pfsense-router-fw-vpn-225" as the sku.


Offline desertrogue

  • Newbie
Re: pfSense is now on Azure
« Reply #4 on: May 22, 2016, 08:08:17 am »
This is great news!

Quick question: when I try to build the VM in Azure, I get the message "Not offered in the region of your subscription". This was a bit of an anticlimax as we had been waiting for this release.

Can anyone advise what regions this is available in? And when it is expected to be available in more regions?

Best Regards,


Offline covex

  • Full Member
Re: pfSense is now on Azure
« Reply #5 on: May 24, 2016, 06:37:50 pm »
> Azure won't allow you to deploy a VM with multiple NICs unless you use PowerShell to provision the VM and it is only supported on large instance sizes (A3 or larger). There are instructions on the PowerShell commands to deploy a multiple NIC VM here: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/.

So there is no way to use pfSense on anything smaller than A3? A0 and 1 allow only 1 NIC but they can't be on 2 different vnets

Offline covex

  • Full Member
Re: pfSense is now on Azure
« Reply #6 on: May 25, 2016, 06:49:01 pm »
anyone successfully deployed this?

Offline lemb

  • Newbie
Re: pfSense is now on Azure
« Reply #7 on: May 28, 2016, 04:42:56 pm »
Does anyone know when pfSense will be available for CSP subscriptions?

Offline jwt

  • Administrator
  • Sr. Member
Re: pfSense is now on Azure
« Reply #8 on: May 28, 2016, 05:25:24 pm »
> This is great news!
>
> Quick question: when I try to build the VM in Azure, I get the message "Not offered in the region of your subscription". This was a bit of an anticlimax as we had been waiting for this release.
>
> Can anyone advise what regions this is available in? And when it is expected to be available in more regions?
>
> Best Regards,

It's available in every region where Microsoft deals with the tax risk. It's not available where we would have to deal with it ourselves.

Offline Coldaddy

  • Jr. Member
Re: pfSense is now on Azure
« Reply #9 on: June 20, 2016, 02:43:33 pm »
> Does anyone know when pfSense will be available for CSP subscriptions?

Since the pfSense appliance is "commerce-enabled" (meaning it is enabled for per/hr fee paid to Microsoft and passed through to the vendor) it is not showing up yet for CSP subscriptions. Commerce-enabled images should be available sometime in the 2nd half of 2016. Note that BYOL images are available under CSP...maybe Netgate could provide this option in the marketplace??

Steve

Offline PanicAcid

  • Newbie
Re: pfSense is now on Azure
« Reply #10 on: August 22, 2016, 03:46:03 am »
Hey guys,

Glad to see this on the Azure marketplace, it will hopefully make my life a damn sight easier with regards to terminating multiple site VPNs onto Azure, currently our only option is to spend money on routers that support policy based routing or create an abundance of separate VPNs.

I'm trying to deploy the pfSense image however I'm having problems with the deployment failing through the new web portal. Does anybody have any instructions on what I need to do there? I've tried it on an A0 and A1 VM although reading through this somebody has speculated that it needs to be A3 or above? That's a rather costly monthly bill for a router if so?

Any guides or help on this one would be mucho appreciated. We have countless clients on Azure and I would love to get them all switched over to this if I can prove it does what we need.

Offline PanicAcid

  • Newbie
Re: pfSense is now on Azure
« Reply #11 on: September 09, 2016, 04:59:00 am »
OK so I've managed to get pfSense deployed, it was something to do with spending limits on my account stopping me from deploying from the marketplace.

However I've deployed it on an A0 VM with a single NIC, it's accessible on its Azure public IP and internally. As far as the pfSense VM is concerned its WAN IP is 10.0.0.254.

So I'm wanting to use this in 'appliance' mode just for being an endpoint for IPSec VPNs for Site to Site VPNs to Azure.

I've set up what I believe should work as a pfSense to pfSense VPN over IPSec but it's not dialing... Could this be because my on premise pfSense router is dialing to the public IP but the Azure pfSense doesn't see that as being its public IP?

Any input on this one would be appreciated as we have a lot of clients on Azure that we can roll this out to as it will save them a fortune in buying approved model SonicWALLs specifically for route based VPNs to Azure.

Thanks again

Panic

Offline chedxb

  • Newbie
Re: pfSense is now on Azure
« Reply #12 on: October 03, 2016, 05:49:28 am »
I am getting "Unable to display pricing" for all VM sizes message when I try to deploy pfSense on Azure.

Any idea why I can't see price info?

Offline janaka

  • Newbie
Re: pfSense is now on Azure
« Reply #13 on: October 08, 2016, 09:00:19 pm »
Hi,

I had the same issue and I had a frank discussion with the Microsoft Azure team. They told me the same thing jwt said earlier in this thread. They also told me to provide valuable feedback in their feedback forum.

I believe that if you vote and submit your comments there, they will consider providing this facility in all regions.

https://feedback.azure.com/forums/34192--general-feedback/suggestions/16558378-pfsense-for-azure-allow-this-facility-in-all-reg

Thanks and Best Regards
Janaka
« Last Edit: October 08, 2016, 09:05:51 pm by janaka »

Offline MoTec

  • Newbie
Re: pfSense is now on Azure
« Reply #14 on: March 20, 2017, 11:46:31 am »
> Does anyone know when pfSense will be available for CSP subscriptions?

Still not available. Such a disappointment to find this out as I was going to deploy one in production. Got it working great in my test subscription (MSDN) but am unable to deploy the appliance in the production subscription because it was purchased via CSP.

10 times the cost to deploy another solution just to be able to connect multiple sites with policy based (static) VPNs.

/sigh

Offline Nic Swart

  • Newbie
Re: pfSense is now on Azure
« Reply #15 on: December 02, 2017, 03:29:23 pm »
OK, here are the full instructions: set up a Hyper-V Generation 1 instance with a VHD ... NOT VHDX drive and two NICs, then run this script in the VM:

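Code:
#! /bin/sh

# After installation, log in and choose:
#  14) to enable sshd
#  8) to login shell

# Bring installed packages up to date, then install what the Azure agent needs
pkg upgrade

pkg install -y python27 py27-setuptools bash git sudo
ln -s /usr/local/bin/python2.7 /usr/bin/python

# DHCP on hn0 (the Hyper-V synthetic NIC) and console output on serial and video
echo 'ifconfig_hn0="SYNCDHCP"' >> /etc/rc.conf
echo 'console="comconsole vidconsole"' >> /boot/loader.conf
#echo 'comconsole_speed="115200"' >> /boot/loader.conf
# Load the UDF module at boot; loader.conf takes <module>_load="YES", not a kldload command
echo 'udf_load="YES"'  >> /boot/loader.conf
echo 'vfs.mountroot.timeout=300'  >> /boot/loader.conf
# Placeholder URL: udf.ko has to be extracted from the BSD 11.1 image and hosted somewhere reachable
curl -O https://<extract this file from the BSD 11.1 image>/udf.ko
mv udf.ko /boot/kernel/

# Install the Azure agent from source at a pinned tag
git clone https://github.com/Azure/WALinuxAgent.git
cd WALinuxAgent
git checkout v2.2.14
python setup.py install
ln -sf /usr/local/sbin/waagent /usr/sbin/waagent
ln -sf /usr/local/sbin/waagent2.0 /usr/sbin/waagent2.0
# Create the rc.d start script ('>' on the first line so a re-run does not append a second copy)
echo '#! /bin/sh' > /usr/local/etc/rc.d/waagent.sh
echo '/usr/local/sbin/waagent --daemon' >> /usr/local/etc/rc.d/waagent.sh
chmod +x /usr/local/etc/rc.d/waagent.sh
# Generalize the image: removes the provisioned user and host-specific state
echo "y" |  /usr/local/sbin/waagent -deprovision+user
echo  'waagent_enable="YES"' >> /etc/rc.conf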

Then provision the VM like so:

Code:

$rgName = "RESOURCEGROUP"
$localFile = "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\pfSense.vhd"
$urlOfUploadedImageVhd = "https://RESOURCEGROUP.blob.core.windows.net/vhds/pfSense-2.4.2.vhd"
$location = "Central US"

# Create the Source Image
Add-AzureRmVhd -Destination $urlOfUploadedImageVhd -LocalFilePath $localFile -ResourceGroupName $rgName
$imageConfig = New-AzureRmImageConfig -Location $location
# Azure only distinguishes Windows and Linux images, so the FreeBSD-based image is registered as 'Linux'
$imageConfig = Set-AzureRmImageOsDisk -Image $imageConfig -OsType 'Linux' -OsState 'Generalized' -BlobUri $urlOfUploadedImageVhd
$imageName = "pfSense-2.4.2"
$sourceimage = New-AzureRmImage -ImageName $imageName -ResourceGroupName $rgName -Image $imageConfig

# Create the VM
$rgName = "RESOURCEGROUP"
$location = "Central US"
$imageName = "pfSense-2.4.2"
$VMName = "pfSense"
$ComputerName = "pfSense"
$OSDiskName = "pfSense-OSDisk"
$VMSize = "Standard_D2S_V3"
$userName = "pfsense"
$publicIPName = "pfSense-PublicIP"
$publicNICName = "pfSense-PublicNIC"
$privateNICName = "pfSense-PrivateNIC"
$vnetName = "privateVnet"
$sshPublicKey = "PUBLIC_KEY"

$sourceimage = Get-AzureRmImage -ResourceGroupName $rgName -ImageName $imageName

# Define user name and blank password
# (PSCredential needs a non-empty string; it is unused because password authentication is disabled below)
$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($userName, $securePassword)

# Create a static public IP address
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $rgName -Location $location -Name $publicIPName -AllocationMethod Static -IdleTimeoutInMinutes 4

$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName

# Create the public network interface and associate it with the public IP address
$subnet_dmz = "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Network/virtualNetworks/privateVnet/subnets/dmzSubnet"
$IPconfig1 = New-AzureRmNetworkInterfaceIpConfig -Name "IPConfig1" -PrivateIpAddressVersion IPv4 -PrivateIpAddress "10.1.1.50" -Primary -SubnetId $subnet_dmz -PublicIpAddressId $pip.Id
$nic1 = New-AzureRmNetworkInterface -Name $publicNICName -ResourceGroupName $rgName -Location $location -IpConfiguration $IPconfig1 -EnableIPForwarding

# Create the private network interface (no public IP)
$subnet_priv = "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Network/virtualNetworks/privateVnet/subnets/privateSubnet"
$IPconfig2 = New-AzureRmNetworkInterfaceIpConfig -Name "IPConfig2" -PrivateIpAddressVersion IPv4 -PrivateIpAddress "10.1.0.50" -SubnetId $subnet_priv
$nic2 = New-AzureRmNetworkInterface -Name $privateNICName -ResourceGroupName $rgName -Location $location -IpConfiguration $IPconfig2 -EnableIPForwarding

# Create the virtual machine configuration
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $VMSize |
            Set-AzureRmVMOperatingSystem -Linux -ComputerName $ComputerName -Credential $cred -DisablePasswordAuthentication |
            Set-AzureRmVMSourceImage -Id $sourceimage.Id |
            Set-AzureRmVMOSDisk -Name $OSDiskName -StorageAccountType StandardLRS -DiskSizeInGB 256 -CreateOption FromImage -Caching ReadWrite |
            Add-AzureRmVMSshPublicKey -KeyData $sshPublicKey -Path "/home/$($userName)/.ssh/authorized_keys" |
            Add-AzureRmVMNetworkInterface -Id $nic1.Id -Primary |
            Add-AzureRmVMNetworkInterface -Id $nic2.Id

# Create the virtual machine
New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

Change the IP addresses to match what you specified when you initially created the VM and the (pre-created) vNet/Subnets.... not for the script kiddies, but if you go through these scripts and fill in the missing info you will get a functional instance on Azure ... ;-)
« Last Edit: December 02, 2017, 03:55:48 pm by Nic Swart »
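
The provisioning script in the post above gives the WAN NIC ("pfSense-PublicNIC", 10.1.1.50) a static public IP and attaches no network security group to it. The following is an added example, not part of Nic Swart's post: it limits inbound traffic on that NIC to management and IPsec. The NSG name, the source ranges (documentation addresses), and the use of the default webGUI and SSH ports are assumptions to replace with your own values.

```powershell
# Added example: NSG for the pfSense WAN NIC. Names and address ranges are placeholders.
$rgName      = "RESOURCEGROUP"
$location    = "Central US"
$nicName     = "pfSense-PublicNIC"   # public NIC name from the post's script
$wanAddress  = "10.1.1.50"           # private IP of that NIC in the post's script
$nsgName     = "pfSense-PublicNSG"   # hypothetical name
$adminSource = "203.0.113.0/24"      # constructed: range you administer pfSense from
$vpnPeer     = "198.51.100.10/32"    # constructed: on-premises IPsec peer

# Build one inbound allow rule scoped to the WAN address.
function New-WanAllowRule {
    param([string]$Name, [int]$Priority, [string]$Protocol, [string]$Source, [string]$Port)
    New-AzureRmNetworkSecurityRuleConfig -Name $Name -Direction Inbound -Access Allow `
        -Priority $Priority -Protocol $Protocol `
        -SourceAddressPrefix $Source -SourcePortRange '*' `
        -DestinationAddressPrefix $wanAddress -DestinationPortRange $Port
}

# Management only from the admin range (assumes webGUI on 443 and sshd on 22);
# IKE and NAT-T only from the known VPN peer.
$rules = @(
    (New-WanAllowRule -Name "Admin-HTTPS" -Priority 100 -Protocol "Tcp" -Source $adminSource -Port "443"),
    (New-WanAllowRule -Name "Admin-SSH"   -Priority 110 -Protocol "Tcp" -Source $adminSource -Port "22"),
    (New-WanAllowRule -Name "IPsec-IKE"   -Priority 200 -Protocol "Udp" -Source $vpnPeer     -Port "500"),
    (New-WanAllowRule -Name "IPsec-NAT-T" -Priority 210 -Protocol "Udp" -Source $vpnPeer     -Port "4500")
)

# Anything not matched above falls through to the NSG default rules
# (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound).
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name $nsgName -SecurityRules $rules

# Attach the NSG to the existing WAN NIC.
$nic = Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null

# Check: the NIC should now reference the NSG, and the four rules should be listed.
(Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName).NetworkSecurityGroup.Id
Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName |
    Get-AzureRmNetworkSecurityRuleConfig |
    Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange
```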

Offline AlBrough

  • Newbie
Re: pfSense is now on Azure
« Reply #16 on: December 06, 2017, 08:26:56 pm »

Code:
curl -O https://<extract this file from the BSD 11.1 image>/udf.ko

Worked this one out. Went to the BSD site, downloaded the boot-only ISO, found the udf.ko file, added it to my local web server and was able to curl it down... make sure it is lowercase; the file name was all upper and had us troubleshooting
« Last Edit: December 07, 2017, 10:09:15 pm by AlBrough »