Author Topic: Azure Firewall Setup  (Read 165 times)

Offline twistedstorm

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Azure Firewall Setup
« on: February 12, 2018, 08:28:34 pm »
Trying to configure a basic firewall in Azure to pass traffic through before it hits the VMs; two interfaces, simple setup. What are the steps required to make this work? I have the Netgate image installed on Azure currently. I want the IPs of the VMs to be what is seen, not one IP that gets NATed. Any help is greatly appreciated.

Offline twistedstorm

Azure setup
« Reply #1 on: February 13, 2018, 12:20:25 pm »
Does anyone have instructions for a simple WAN/LAN firewall deployment in Azure? I believe my issue is with the user-defined routes and NATing. Whenever I add the 0.0.0.0/0 route that points to the appliance, I lose all connections to the virtual network machines on the subnet. I want the public IPs to be what is sent out. What am I missing?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9819
  • Karma: +1107/-311
    • View Profile
Re: Azure setup
« Reply #2 on: February 13, 2018, 12:52:04 pm »
You want LAN public IPs to be routed from the outside to the inside VMs on the pfSense inside interface?

Does Azure even support routing like that? Without NAT, they would have to know to route the traffic to those addresses to the pfSense WAN address.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #3 on: February 13, 2018, 03:40:08 pm »
We have several public IPs that Azure has assigned to our different network interfaces. I'd love to be able to continue to use them instead of putting it all through one firewall IP. Is that possible? It seems my error is somewhere in the routes: as soon as I add 0.0.0.0/0 to the LAN route table, I lose all the VMs. Over 3 days and can't get it talking correctly. Not sure what I'm missing here.

Offline Derelict

Re: Azure Firewall Setup
« Reply #4 on: February 13, 2018, 03:44:17 pm »
I don't think you can do that.

I would put one on the same subnet as the LAN interface and try changing the 0.0.0.0/0 route on that and see if you at least can get a normal, natted LAN connection going.

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #5 on: February 13, 2018, 03:49:12 pm »
So attempt LAN and WAN on the same subnet, add the 0.0.0.0/0, and see if a NAT connection can be had. I'm no expert at networking. Could it be possible that 1:1 NATing could be used to allow the use of the Azure front-facing public IPs? How do we have two port 80s on one IP? We have a few front-end applications we'd like to protect, but they share several of the same ports. Currently we are doing this with NSGs.

Offline Derelict

Re: Azure Firewall Setup
« Reply #6 on: February 13, 2018, 04:22:25 pm »
That can be done if:

1. Azure will route public addresses to the public address of pfSense. In this case you might be able to just use the publics as they are.

2. Azure will allow multiple public addresses on the WAN interface.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-powershell

You might be able to get away with one outside address for multiple inside servers by using something like HAProxy to steer the traffic to the correct server based on requested hostname or SNI.
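
Added example (not part of the original thread, and not Netgate's or any poster's configuration): a minimal HAProxy configuration for the hostname/SNI steering suggested in Reply #6, letting two inside servers share ports 80 and 443 on one outside address. The hostnames app1.example.com and app2.example.com and the backend addresses in 10.0.2.0/24 are assumptions for illustration.

```haproxy
# Added example: hostnames and backend addresses are hypothetical.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP on port 80: pick the inside server from the Host header.
frontend fe_http
    bind :80
    mode http
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    use_backend be_app1_http if host_app1
    use_backend be_app2_http if host_app2
    default_backend be_reject_http      # unknown hostnames are refused

# TLS on port 443, passed through without termination:
# pick the inside server from the SNI field of the ClientHello.
frontend fe_tls
    bind :443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend be_app1_tls if { req_ssl_sni -i app1.example.com }
    use_backend be_app2_tls if { req_ssl_sni -i app2.example.com }
    default_backend be_reject_tls       # no or unknown SNI is dropped

backend be_app1_http
    mode http
    server app1 10.0.2.10:80 check
backend be_app2_http
    mode http
    server app2 10.0.2.11:80 check
backend be_app1_tls
    mode tcp
    server app1 10.0.2.10:443 check
backend be_app2_tls
    mode tcp
    server app2 10.0.2.11:443 check

backend be_reject_http
    mode http
    http-request deny deny_status 403
backend be_reject_tls
    mode tcp
    tcp-request content reject
```

In TCP mode the firewall never sees the decrypted traffic; terminating TLS on HAProxy instead would allow HTTP-level inspection at the cost of holding the certificates on the firewall.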

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #7 on: February 13, 2018, 08:52:22 pm »
Any idea why, when I route 0.0.0.0/0 to the appliance, I lose all communication to the VMs on the LAN subnet?

Offline Derelict

Re: Azure Firewall Setup
« Reply #8 on: February 13, 2018, 09:08:26 pm »
Did you try it like I suggested with an interface on the LAN subnet + NAT instead of those publics?

Azure has zero way of knowing it needs to route those inside publics to the pfSense WAN. If it is going to be possible, that needs to happen.

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #9 on: February 13, 2018, 10:08:52 pm »
I'm a little confused. Interface on the LAN subnet? What exactly would you like me to do with the interfaces and routes? Currently I have two interfaces in the system.
WAN = 10.0.3.5 and LAN = 10.0.2.4

In Azure I have two virtual subnets, 10.0.3.0/24 and 10.0.2.0/24
NAT set to manual
Allow all on the LAN and WAN for testing

Been going at this 10 hrs a day since Saturday. I'll try anything at this point to get it working. Never was this hard to install pfSense locally :)

Help greatly appreciated


Offline Derelict

Re: Azure Firewall Setup
« Reply #10 on: February 13, 2018, 10:21:29 pm »
Quote
In Azure I have two virtual subnets, 10.0.3.0/24 and 10.0.2.0/24
Looks like that LAN interface is 10.0.2.4/32 to me.

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #11 on: February 13, 2018, 10:33:55 pm »
Updated the LAN interface to /24 and removed the old NAT entries. This is what I have now; not even seeing the attempts to connect on the firewall log.

Offline twistedstorm

Re: Azure Firewall Setup
« Reply #12 on: February 13, 2018, 10:58:08 pm »
Another interesting thing is I can ping from the LAN IP but never can I get connected to or ping the systems in the LAN subnet.