pfSense firewall is a multifunctional software router-firewall based on the FreeBSD OS.
Key features: routing, including dynamic one, firewall protection, NAT, DHCP server, load balancing, VPN (including OpenVPN and L2TP), dDNS, PPPoE, IDS, and proxying.
Benefits
- Modular architecture.
- Own package manager.
- Built-in monitoring, logging, and reporting.
-
Get an SSH key pair to connect to a virtual machine (VM).
-
Create a VM from a public image. Under Image/boot disk selection, go to the Cloud Marketplace tab and select pfSense firewall. Under Access:
-
Enter
freebsdin the Username field.Warning
You cannot use the
adminusername and usernames other thanfreebsd. -
Paste the contents of the public SSH key file in the SSH key field.
Save the VM public IP address.
-
-
Connect to the VM over SSH. To do this, use the
freebsdusername and the private SSH key you created earlier. -
Upgrade privileges to
root:sudo bash -
Open the
root_passwordfile:ee /conf/root_password -
Copy the password. You will need it to access the web interface.
-
In the browser, go to
https://<VM_public_IP_address>/. -
To connect to the service, use the following parameters:
- Username:
Admin. - Password:
<Password_from_root_password_file>.
Change the password if needed.
- Username:
Instead of the standard freebsd username, you can specify a custom one when creating a VM:
-
Create a configuration file for the
cloud-initutility, such asconfig.yaml. -
Copy and add the following metadata to the file:
#cloud-config datasource: Ec2: strict_id: false system_info: distro: freebsd default_user: name: <username> ssh_authorized_keys: - <public_part_of_SSH_key> groups: [wheel] sudo: ["ALL=(ALL) NOPASSWD:ALL"] shell: /usr/local/bin/bash network: renderers: ['freebsd'] bootcmd: - rmuser -y freebsdWhere:
name: Username.ssh_authorized_keys: Contents of the public SSH key file.
In FreeBSD,
bashis stored in/usr/local/bin/. -
Create a VM using the CLI and provide the user metada:
yc compute instance create \ --name <VM_name> \ --zone <availability_zone> \ --network-interface subnet-name=<subnet_name>,nat-ip-version=ipv4 \ --create-boot-disk name=disk1,size=20,image-id=fd8t7dhq1pt5gidofilh \ --metadata-from-file <config.yaml_file_path>Where:
name: VM name.zone: Availability zone.subnet-name: Subnet name.image-id: FreeBSD image ID.metadata-from-file: Path to the metadata file with user settings.
You can also use cloud-init to manage user SSH keys, create multiple users, and install software packages.
Sample cloud-init configuration file for managing user SSH keys:
#cloud-config
datasource:
Ec2:
strict_id: false
users:
- gecos: freebsd
name: freebsd
ssh_authorized_keys:
- <public_part_of_SSH_key>
sudo: ALL=(ALL) NOPASSWD:ALL
groups: [wheel, sudo]
Where ssh_authorized_keys stands for the contents of the public SSH key file.
Sample cloud-init configuration file for creating multiple users and installing software packages:
#cloud-config
datasource:
Ec2:
strict_id: false
users:
- gecos: <user_details>
name: <username>
ssh_authorized_keys:
- <public_part_of_SSH_key>
sudo: ALL=(ALL) NOPASSWD:ALL
groups: [wheel, sudo]
- gecos: <user_details>
name: <username>
ssh_authorized_keys:
- <public_part_of_SSH_key>
sudo: ALL=(ALL) NOPASSWD:ALL
groups: [wheel, sudo]
packages:
- curl
- py39-pip
package_update: true
package_upgrade: false
Where:
gecos: Information about the user.name: Username.ssh_authorized_keys: Contents of the public SSH key file for each user.packages: List of software packages to be installed.
- Creating VPN connections between physical and cloud resources.
- Protecting sites and applications.
- Translating addresses.
- Filtering traffic.
- Routing on the internet.
OpenNix
OpenNix provides technical support to pfSense firewall users in Yandex Cloud. You can contact their technical support by email at support@opennix.ru. Support engineers are available on business days from 9 am to 6 pm GMT+3.
Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the respective developer’s information resources.