One important aspect of cloud deployments that often get overlooked, especially at start ups is the aspect of security. So I thought I would take some time to go through the process of setting up a NAT instance on AWS with full firewall capabilities. There are instructions and documentation for this process which are very good but aren’t completely clear so I will attempt to fill in some of the gaps I ran in to when attempting to set this up myself.
There is one thing to take note of if you have used pfSense before. This firewall isn’t free. There is a slight hourly charge for this that ends up coming out to about $500/yr (which comes out to about $42/month). If you look at other commercial solutions with similar functionality you are looking at thousands of dollars per month in costs. Long story short, the cloud images of pfSense has a tiny tiny cost associated with it but is very much worth it.
Just for reference I put together a few comparison prices.
- Barracuda web app firewall – ($1.04-1.76/hr) (up to ~$1300/month)
- Vyatta ($0.30-1.50/hr) (up to ~$1100/month)
- Sophos UTM ($0.35-$2.80/hr) (up to ~$2000/month)
- pfSense ($0.07/hr) ($42/month)
As you can see, pfSense is very reasonable compared to some of the other bigger players. You can build an r3.8xlarge instance and the software price won’t change which doesn’t seem to be the case with others. One bonus to choosing pfSense is that you automatically qualify for support by agreeing to the ToS when getting the pfSense AMI set up.
Finally, pfSense is rock solid being built on top BSD and is thoroughly tested. I have been running pfSense on other projects outside of AWS for 5+ years and have never had an issue with it outside of a dead hard drive one time. Other added benefits of choosing pfSense are that updates are frequent and thoroughly tested, tons of add-ons including IPS’s and VPN’s so additional functionality can be built on top and great community support as well.
Getting started
There are a few good resources that I found to be useful when working through this problem, which got me most of the way to a working setup. They are listed below.
And here is the link to my question about how to do this on serverfault, there is some good detail in the post over there.
Setting up the NAT in pfSense
The first issue that was confusing was the issue of getting the network interfaces set up and configured. For this setup you will need two interfaces, preferably with static IP addresses. You will also need to make sure that you disable source/destination checks for the interface that will be acting as the LAN interface that the nat goes through. Disabling source and destination checks is pretty straightforward and is detailed in pretty much all of the guides.
You should note that there will be tabs for firewalling for LAN as well as WAN, if you can keep these two straight it should be much easier to troubleshoot and configure your pfSense machine. Out of the box, the firewall on pfSense will not be configured to allow your LAN interface to do any sort of NATing, you will need to manually create rules to get started. If you check the WAN firewall tab you should notice some access rules but the LAN tab should be empty. Most of the work we will be doing will be on the LAN firewall.
The first rule to set up to make things easier to troubleshoot is a ping rule. There is a WAN rule for ping but not for LAN. You can essentially copy the WAN rule into a new one and modify it to look similar to the following.
This rule will work for the template for the other rules that need to be put in to place. The other rules will be for outbound web access. Just copy this rule in to a new rule and change the protcol to TCP and make one rule that allows port 80 and another that allows 443. The resulting should look similar to what I have listed below.
Just a quick note. If at any point you are having trouble seeing traffic or are getting stuck in your troubleshooting, an excellent way to figure out what is going on is the logging that is provided by pfSense. You can access all of the various logs to see what is happening by selecting Status -> System Logs and the highlighting the firewall tab.
Modifying your outbound nat
Here is what your outbound NAT rule should look like.
Notice the “Networks_to_NAT” value in the source section. This is a pfSense alias that can be used as a sort of variable to help ease management. You can either use this alias or specify the local subnet you want to use here. To check the values in your alias you can go to Firewall -> Aliases.
Conclusion
This setup will provide you with a nice easy way to manage your network in AWS. The guides for setting up a NAT are nice and are a good first step but with a Firewall in place you can do so many other things, especially auditing that just aren’t available or viable with a straight AWS nat instance or that are way out of your price range with some of the other commercial solutions available.
pfSense also provides the capability to add more advanced tools like IDS/IPS, VPN and high availability if you choose so there is nice room for expansion. Even if you don’t take advantage of all of the additional components of pfSense you will still have a rock solid firewall and nat instance that is suitable for production workloads at a fraction of the cost of other commercial solutions.