
Topic: My Adventures of a Working(ish) Azure HA pfSense Deployment


io
My Adventures of a Working(ish) Azure HA pfSense Deployment
« on: December 27, 2017, 10:39:14 am »
Hi, just wanting to share my experiences/setup in case it helps someone down the road.  I'll format better if there is any actual interest in this/discussion.  Would be great if anyone has additional insight on why my additional UDR step works and if anyone had success with utilizing HA Ports Load Balancing on Azure.

Some disclaimers:
1) I am self-taught, so some of this may not be (most likely) valid/correct (please feel free to pitch in on suggestions/comments/etc.)
2) Working(ish) = active/active with replication between the two pfSense instances working (looks like state synchronization works too... which is surprising to me).  However, I was not able to get the Azure internal load balancer (preview - HA Ports) to work to get a true active/active setup :( ... meaning all traffic hits one pfSense box only currently =P... but at least my other one is synced lol)
3) Overall setup is 2 pfSense servers (2.4.1) with a 4-NIC deployment. Both servers are running OpenVPN.


The Beginning
I started with this project prior to the official Azure deployment availability on the marketplace. I downloaded the pfSense ISO, booted it up and installed utilizing Hyper-V.  VirtualBox would not work for me, as NICs need to be named hn0 for Azure to behave properly. I configured only a WAN adapter.  After basic configuration, I uploaded the VHD to Azure and created a VM from this image (adding four NICs via PowerShell).  As a note, these are deployed to an availability set.

As time went by, newer versions of pfSense came out, and I updated via the GUI.

Moving from a single NIC to four NICs via the UI
The pfSense GUI detected all the NICs I created without a hitch.  They are set to the unassigned state initially.  One important lesson I learned is that after assigning my NICs, I would end up getting locked out of the web GUI.  In the early stages, simply set a pass-all TCP rule on all interfaces (tweak later).

NICs are set to DHCP to pull the Azure IP.  Remember to set all NICs to static.

My four NICs are:
  • (ngfwwan) | box 2 is 2.11
  • (ngfwdmz) ***not utilizing currently | box 2 is 3.11
  • (ngfwsync) | box 2 is 4.11
  • (ngfwlan) | box 2 is 5.11

I set OpenVPN to run on LAN. Port forward 1194 on WAN to localhost.  Azure NSG needs to allow 1194 UDP to the WAN adapter private ip. Client pool is

I created an internet alias -- I imported the IP range for the internet from Azure's listing.

Outbound NAT (both pfSense)
I set to manual outbound NAT. , *,* to WAN, *, * to WAN, INTERNET to WAN INTERNET to WAN

Static Routes (both pfSense)
Create a new gateway called lan_gw.

Set the IP to , and turn off monitoring.

For your static routes, utilize LAN gw & utilize LAN gw.



DMZ_UDR (apply to DMZ subnet): next hop virtual appliance next hop virtual appliance

WEB_UDR (apply to WEBsubnet): next hop virtual appliance next hop virtual appliance

LAN_UDR (apply to ngfw-lan subnet): next hop virtual appliance
****Note: none of the tutorials or posts I found did this with UDR... I'm not sure why this worked for me, but this is the only way I can get the VMs behind pfSense to actually be able to get out to do apt-get updates etc.

Setup HA
Both firewalls
Sync adapter firewall rules (both firewalls): TCP, source Sync net, * * * *

Box 1, System HA

Check mark sync status, select sync interface
Peer IP =

Sync config to IP ( ), admin, password of the pfSense2 box
Check mark what makes sense (I did the first 6 + OpenVPN)

Box 2, System HA
Check mark sync status, select sync interface
Peer IP =

Do not fill out anything else

What would be ideal is to have an HA Ports load balancer balancing both LAN NICs ( & 5.11).  The DMZ UDR would instead hop to the load balancer IP.

I need to figure out why the hop to my wan adapter is the only way I can get this thing to work.
« Last Edit: December 27, 2017, 10:45:19 am by io »
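The Azure side of the steps above (route tables whose routes use a virtual-appliance next hop, the NSG rule for OpenVPN, and IP forwarding on the pfSense NICs), as an added Az PowerShell example that is not the poster's script. The resource group, VNet, subnet, NIC and NSG names, the address prefixes and the next-hop IP are placeholders, since the post's own addresses did not survive; the IP forwarding step is not in the post, but Azure requires it before a VM will forward traffic it did not originate.

```powershell
# Added example (Az PowerShell module). All names and addresses below are
# placeholders; replace them with the values of your own deployment.
$rg           = 'rg-ngfw'          # resource group (placeholder)
$location     = 'eastus'           # region (placeholder)
$vnetName     = 'vnet-ngfw'        # VNet that holds the routed subnets (placeholder)
$nvaHop       = '10.0.2.10'        # pfSense WAN private IP used as next hop (placeholder)
$destPrefixes = @('0.0.0.0/0')     # destinations to steer through pfSense (placeholder)

# 1) Azure drops packets a VM did not originate unless IP forwarding is
#    enabled on the NIC; enable it on every pfSense NIC that forwards traffic.
foreach ($nicName in @('ngfwwan-nic1', 'ngfwlan-nic1')) {   # placeholder NIC names
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
    $nic.EnableIPForwarding = $true
    $nic | Set-AzNetworkInterface | Out-Null
}

# 2) One route table per subnet (DMZ_UDR, WEB_UDR, LAN_UDR as in the post), each
#    route of type VirtualAppliance so the subnet's traffic is handed to pfSense
#    instead of Azure's default system routes.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$udrs = @{ 'DMZ_UDR' = 'dmz'; 'WEB_UDR' = 'web'; 'LAN_UDR' = 'ngfw-lan' }  # table -> subnet (placeholder subnet names)
foreach ($tableName in $udrs.Keys) {
    $routes = foreach ($prefix in $destPrefixes) {
        New-AzRouteConfig -Name ('to-pfsense-' + ($prefix -replace '[./]', '-')) `
            -AddressPrefix $prefix -NextHopType VirtualAppliance -NextHopIpAddress $nvaHop
    }
    $rt = New-AzRouteTable -Name $tableName -ResourceGroupName $rg -Location $location -Route $routes -Force
    # Set-AzVirtualNetworkSubnetConfig requires the prefix, so reuse the subnet's existing one.
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $udrs[$tableName]
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 3) NSG on the WAN NIC: allow OpenVPN (UDP 1194) only to the WAN adapter's
#    private IP, as the post describes; nothing else is opened here.
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-ngfw-wan' -ResourceGroupName $rg   # placeholder NSG name
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'allow-openvpn-udp-1194' `
    -Access Allow -Protocol Udp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $nvaHop -DestinationPortRange 1194 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Because every route points at a single next-hop IP, this reproduces the post's situation where all traffic lands on one pfSense box; the HA Ports load balancer the poster wanted would replace $nvaHop with the load balancer's frontend IP.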

bwlinux
Re: My Adventures of a Working(ish) Azure HA pfSense Deployment
« Reply #1 on: January 03, 2018, 10:58:11 am »
Thanks for the post.   I have to implement something like this as well.... I haven't even created my first 2-NIC pfSense instance from the az CLI yet.

Just glad to know what I want to do is reasonably possible.