pfSense

pfSense firewall is a multifunctional software router-firewall based on the FreeBSD OS.

Key features: routing, including dynamic one, firewall protection, NAT, DHCP server, load balancing, VPN (including OpenVPN and L2TP), dDNS, PPPoE, IDS, and proxying.

Benefits

• Modular architecture.
• Own package manager.
• Built-in monitoring, logging, and reporting.
• A firewall, intrusion detection and prevention systems (IDS/IPS), antivirus.
• Integration with Security Onion, Wazuh etc.

1. Get an SSH key pair to connect to a virtual machine (VM).

2. Create a VM from a public image. Under Image/boot disk selection, go to the Cloud Marketplace tab and select pfSense firewall. Under Access:

   • Enter freebsd in the Username field.

     Warning

     You cannot use the admin username and usernames other than freebsd.

   • Paste the contents of the public SSH key file in the SSH key field.

   Save the VM public IP address.

3. Connect to the VM over SSH. To do this, use the freebsd username and the private SSH key you created earlier.

4. Upgrade privileges to root:

   sudo bash
   

5. Open the root_password file:

   ee /conf/root_password
   

6. Copy the password. You will need it to access the web interface.

7. In the browser, go to https://<VM_public_IP_address>/.

8. To connect to the service, use the following parameters:

   • Username: Admin.
   • Password: <Password_from_root_password_file>.

   Change the password if needed.

Instead of the standard freebsd username, you can specify a custom one when creating a VM:

1. Create a configuration file for the cloud-init utility, such as config.yaml.

2. Copy and add the following metadata to the file:

   #cloud-config
   datasource:
     Ec2:
       strict_id: false
   system_info:
     distro: freebsd
     default_user:
       name: <username>
       ssh_authorized_keys:
         - <public_part_of_SSH_key>
       groups: [wheel]
       sudo: ["ALL=(ALL) NOPASSWD:ALL"]
       shell: /usr/local/bin/bash
     network:
         renderers: ['freebsd']
   bootcmd:
     - rmuser -y freebsd
   

   Where:

   • name: Username.
   • ssh_authorized_keys: Contents of the public SSH key file.

   In FreeBSD, bash is stored in /usr/local/bin/.

3. Create a VM using the CLI and provide the user metada:

   yc compute instance create \
     --name <VM_name> \
     --zone <availability_zone> \
     --network-interface subnet-name=<subnet_name>,nat-ip-version=ipv4 \
     --create-boot-disk name=disk1,size=20,image-id=fd8t7dhq1pt5gidofilh \
     --metadata-from-file <config.yaml_file_path>
   

   Where:

   • name: VM name.
   • zone: Availability zone.
   • subnet-name: Subnet name.
   • image-id: FreeBSD image ID.
   • metadata-from-file: Path to the metadata file with user settings.

You can also use cloud-init to manage user SSH keys, create multiple users, and install software packages.

Sample cloud-init configuration file for managing user SSH keys:

#cloud-config
datasource:
  Ec2:
    strict_id: false
users:
  - gecos: freebsd
    name: freebsd
    ssh_authorized_keys:
      - <public_part_of_SSH_key>
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: [wheel, sudo]

Where ssh_authorized_keys stands for the contents of the public SSH key file.

Sample cloud-init configuration file for creating multiple users and installing software packages:

#cloud-config
datasource:
  Ec2:
    strict_id: false
users:
  - gecos: <user_details>
    name: <username>
    ssh_authorized_keys:
      - <public_part_of_SSH_key>
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: [wheel, sudo]
  - gecos: <user_details>
    name: <username>
    ssh_authorized_keys:
      - <public_part_of_SSH_key>
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: [wheel, sudo]
packages:
  - curl
  - py39-pip
package_update: true
package_upgrade: false

Where:

• gecos: Information about the user.
• name: Username.
• ssh_authorized_keys: Contents of the public SSH key file for each user.
• packages: List of software packages to be installed.

• Creating VPN connections between physical and cloud resources.
• Protecting sites and applications.
• Translating addresses.
• Filtering traffic.
• Routing on the internet.
• Intrusion detection (IDS/IPS).
• Traffic monitoring.
• Dynamic routing.

OpenNix
OpenNix provides technical support to pfSense firewall users in Yandex Cloud. You can contact their technical support by email at support@opennix.ru. Support engineers are available on business days from 9 am to 6 pm GMT+3.

Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the respective developer’s information resources.