Last updated on 20. December 2024
I recently gained access to an MPN Azure subscription for my dev tenant. The MPN subscription grants me about €145 ($150) in Azure credits per month, but Azure standalone without any access to my on-premises resources would be kind of boring, right?
So what were my options? A VPN Gateway? A Marketplace NVA? Well, these are pricey and would eat up my precious Azure credits very quickly on their own. pfSense and VyOS themselves are also available through the Azure Marketplace, but only the subscription model versions. What can somebody do with limited Azure credits?
pfSense Community Edition and Hyper-V to the Rescue!
Well, my low-cost option, at least for now, is the pfSense Community Edition on the lowest-priced Azure Virtual Machine possible, a Standard_B2ats_v2. So the NVA would roughly cost me ~€11 of my credits per month.
But how do I get the VM up there? Well, the first step was obviously to download the latest AMD64 pfSense Community Edition. Then I activated the Hyper-V role on my Windows device and installed pfSense on a local VM with a fixed vhd as disk.
The disk type is important, because dynamic vhdx isn’t yet supported by Azure.
I quickly configured my Azure VNET IPs as static inside the VM and also enabled the Serial Terminal option.
After the initial configuration was done, I uploaded the vhd via the Azure Storage Explorer to my subscription and created a VM out of the resulting Storage Disk.
In the resulting Network Interfaces, I enabled the IP forwarding option, so these interfaces can route traffic that is intended for other destinations.
For the WAN interface, I assigned a Public IP and created an NSG that would allow my Public IP to access the web interface port of the pfSense.
It was not working.
Well, I guess I borked something up in the IP configuration, but since I was wise enough to enable the Serial Console, I was able to change the configuration through the Azure Portal.
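The disk-type requirement mentioned above can be checked locally before the upload. The following is an added example, not part of the original post: it reads the 512-byte VHD footer and reports anything that would stop the file from being usable as an Azure disk (VHDX container, non-fixed disk type, virtual size not aligned to 1 MiB, damaged footer). The names `check_vhd` and `make_footer` are hypothetical, and `make_footer` only builds constructed sample footers.

```python
import struct
import sys

FOOTER_SIZE = 512
MIB = 1024 * 1024
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def check_vhd(path):
    """Return a list of problems that would block using the file as an Azure disk."""
    with open(path, "rb") as f:
        head = f.read(8)
        f.seek(0, 2)
        file_size = f.tell()
        if head == b"vhdxfile":          # VHDX signature at offset 0
            return ["file is VHDX, not VHD"]
        if file_size < FOOTER_SIZE:
            return ["file too small to contain a VHD footer"]
        f.seek(-FOOTER_SIZE, 2)          # the footer is the last 512 bytes
        footer = f.read(FOOTER_SIZE)
    if footer[:8] != b"conectix":
        return ["no VHD footer cookie ('conectix') in the last 512 bytes"]
    problems = []
    (current_size,) = struct.unpack(">Q", footer[48:56])
    disk_type, stored_sum = struct.unpack(">II", footer[60:68])
    # Checksum = one's complement of the byte sum with the checksum field excluded.
    if ~sum(footer[:64] + footer[68:]) & 0xFFFFFFFF != stored_sum:
        problems.append("footer checksum mismatch")
    if disk_type != 2:
        problems.append(f"disk type is {DISK_TYPES.get(disk_type, disk_type)}, not fixed")
    if current_size % MIB:
        problems.append("virtual size is not a multiple of 1 MiB")
    if disk_type == 2 and file_size != current_size + FOOTER_SIZE:
        problems.append("file length does not equal virtual size + 512-byte footer")
    return problems

def make_footer(virtual_size, disk_type):
    """Build a constructed (sample) VHD footer; only the fields checked above are set."""
    f = bytearray(FOOTER_SIZE)
    f[0:8] = b"conectix"
    struct.pack_into(">QQ", f, 40, virtual_size, virtual_size)  # original/current size
    struct.pack_into(">I", f, 60, disk_type)
    struct.pack_into(">I", f, 64, ~sum(f) & 0xFFFFFFFF)
    return bytes(f)

if __name__ == "__main__" and len(sys.argv) == 2:
    issues = check_vhd(sys.argv[1])
    print("\n".join(issues) if issues else "OK: fixed VHD, 1 MiB aligned")
```

Run it as `python check_vhd.py pfsense.vhd` (file name is a placeholder) against the disk exported from Hyper-V before starting the upload.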
The Azure VM Agent
Installing the Azure VM Agent with my up-and-running Serial Console was quite trivial. I found a post at the Netgate Forum, which basically boils down to cloning the git repo and installing the latest version from there.
On my VM I was missing not only git but also some libraries for Python, even though the standard Python installation was present. Nothing the FreeBSD package manager couldn't fix.
I’m not going into the details of setting up a Site-to-Site IPSec Tunnel between my FortiGate and the pfSense VM here, just let me say, everything is working as expected, even with VTI and BGP configured.
But is it fast?
I really can't complain. I chose the closest Azure region, and via iperf3 tests the Site 2 Site Tunnel maxes out my current connection (250Mbit/50Mbit). For approx. €11 a month I couldn't be happier, especially since I now also have the option to configure OpenVPN in the pfSense box for a direct tunnel to my Azure lab environment.