Pfsense as a NAT Gateway

Use the instructions below to work with Private Node groups through Pfsense.

Prerequisites

To use Pfsense as a NAT Gateway for a Cluster on the VKS system, you need:

  • A Pfsense server (VM) initialized on the vMarketPlace system according to the instructions below, with the following configuration:

| Item | Configuration |
| --- | --- |
| Flavor | 2x4 |
| Volume | 80 GB |
| VPC | 10.3.0.0/16 |
| Network Interface 1 | 10.3.0.3 |


Initialize Pfsense

Step 1: Visit https://marketplace.console.vngcloud.vn/

Step 2: At the main screen, search for Pfsense. At the Pfsense service, select Launch.

Step 3: Now, you need to configure Pfsense. Specifically, you can select the desired Volume, IOPS, Network, and Security Group. You need to choose the same VPC and Subnet as the VPC and Subnet you use for your Cluster. In addition, you also need to select an existing Server Group or select the Dedicated SOFT ANTI AFFINITY group so that a new server group is created automatically.

Step 4: Proceed to pay like normal resources on VNG Cloud.


Configure parameters for Pfsense

Step 1: After initializing Pfsense from vMarketPlace according to the instructions above, you can access the vServer interface here to check whether the server running Pfsense has been initialized. Next, open the Any rule on the Security Group for the Pfsense server you just created. Opening the Any rule on the Security Group will allow all traffic to the Pfsense server.

Step 2: After the server running Pfsense is successfully initialized, access the Pfsense GUI using the IP address of the External Interface and log in with the default username and password admin/pfsense.

  • To get this IP information, go to the Network Interface section of Pfsense to view the information

Step 3: Open the rule on the firewall

  • Proceed to Add rule

  • You can open the rule as below to access the GUI using the External Interface.

Attention:

  • You should restrict the IP range allowed to connect to the Pfsense GUI, so that only the intended users can access it.

  • Select Save

  • Then select Apply changes

Step 4: Proceed with General Setup as below

  • Configure WAN Interface

  • Change password in GUI

  • Proceed to reload

  • General Setup completed

Step 5: Configure LAN Interface

  • Go to Interfaces -> Assignments to add a LAN Interface

  • Click Add

  • Then click Save

  • Go to Interfaces -> Assignments to enable LAN Interface

  • Configure the interface as below

  • Configure IP for LAN

  • Then proceed to Add a new gateway: enter Gateway for LAN Interface

  • To get this IP information, go to the Network Interface section of the Pfsense server to view the information:

  • Proceed to Save again

Step 6: Review configuration information

Step 7: Open the Internet outbound rule for the LAN interface

  • At source, select the IP range that is allowed to go out to the Internet

Step 8: Configure NAT so that vServers can go out to the Internet

  • Go to Firewall -> NAT

  • Select NAT mode then proceed to configure NAT

  • Click Add to add the rule

  • Select source, destination NAT


Initialize Route Table

After Pfsense is successfully initialized and configured, you need to create a Route table to connect to different networks. Specifically, follow these steps to create a Route table:

Step 1: Visit https://hcm-3.console.vngcloud.vn/vserver/network/route-table

Step 2: In the navigation menu bar, select Network Tab/ Route table.

Step 3: Select Create Route table.

Step 4: Enter a descriptive name for the Route table. Route table names can include the characters a-z, A-Z, 0-9, '_' and '-'. The name length must be between 5 and 50, and the name must not include leading or trailing spaces.

Step 5: Select the VPC for your Route table. If you do not have a VPC, you need to create a new VPC according to the instructions on the VPC Page. The VPC used to set up the Route table must be the VPC selected for your Pfsense and Cluster.

Step 6: Select Create to create a new Route table.

Step 8: In the add new Route section, enter the following information:

  • For Destination, enter Destination CIDR as 0.0.0.0/0

  • For Target, enter Target CIDR as the Pfsense Network Interface 2 IP address.

For example:
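A pre-flight check of the values used in this guide, written as an added example (not part of the original page or of VNG Cloud tooling). The dictionary keys, the Network Interface 2 address 10.3.0.4 and the GUI source range are constructed assumptions; the VPC CIDR, the naming rule and the 0.0.0.0/0 destination come from the steps above.

```python
import ipaddress
import re

# Naming rule from Step 4: a-z, A-Z, 0-9, '_' and '-', length 5 to 50
# (unit assumed to be characters). Spaces are not in the set, so leading
# or trailing spaces are rejected as well.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{5,50}")

def check_plan(plan):
    """Return a list of problems in a planned NAT setup (empty list = OK)."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])

    if not NAME_RE.fullmatch(plan["route_table_name"]):
        problems.append("route table name breaks the naming rule")

    # The route must cover every destination so that it acts as the default.
    if ipaddress.ip_network(plan["route_destination"]) != ipaddress.ip_network("0.0.0.0/0"):
        problems.append("route destination is not 0.0.0.0/0")

    # The target must be the Pfsense interface, which sits inside the shared VPC.
    target = ipaddress.ip_address(plan["route_target"])
    if target not in vpc:
        problems.append("route target is outside the VPC")
    if target != ipaddress.ip_address(plan["pfsense_if2_ip"]):
        problems.append("route target is not the Pfsense interface IP")

    # The Attention note asks for a limited source range on the GUI rule.
    if ipaddress.ip_network(plan["gui_allowed_source"]).prefixlen == 0:
        problems.append("GUI rule allows any source address")

    # The outbound LAN rule should only name sources that live in the VPC.
    if not ipaddress.ip_network(plan["lan_outbound_source"]).subnet_of(vpc):
        problems.append("LAN outbound source is not inside the VPC")
    return problems

# Constructed sample plan; only vpc_cidr and route_destination are from the page.
GOOD_PLAN = {
    "vpc_cidr": "10.3.0.0/16",
    "route_table_name": "pfsense-nat-rt",
    "route_destination": "0.0.0.0/0",
    "route_target": "10.3.0.4",
    "pfsense_if2_ip": "10.3.0.4",
    "gui_allowed_source": "203.0.113.0/24",
    "lan_outbound_source": "10.3.0.0/16",
}

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN) or "plan looks consistent")
```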


Checking connection

Ping google.com or 8.8.8.8 to check the connection.

  • Before NAT is enabled, the server cannot access the Internet

  • After configuring NAT, ping 8.8.8.8 to check
