Tuesday, January 26, 2016

How to get pfSense, Cisco ASA, Juniper, SonicWall, or any virtual firewall working on AWS (Amazon Web Services)

This will be a quick and to-the-point blog.  I recommend clearing out all existing VPCs, especially the default one.  However, this exercise should be done at your own risk.  Neither I nor my company assumes any responsibility should you do harm to your systems.

Please read the black text as the steps.
Please read the blue text as the definitions.

Please read the red text as the Ansible playbook code (all the way at the bottom); it will point you in the right direction.  If you need help, the Ansible website documentation is awesome.



Step 1.)  Create an Elastic IP:
An Elastic IP is a public IP address that lets you map all traffic to a permanent instance, network card (interface), or service.

Go to the VPC dashboard and look on the left.  You will see Elastic IPs.  Click it and allocate a new address.


Step 2.) Create a VPC using VPC wizard:

Select ----> VPC  ----->  click the Start VPC Wizard ------>  on the left select VPC with Public and Private Subnets...

Now put your entries in like this (keep in mind that you need to know CIDR rules if you want to change the IP scheme):

Please note that, due to security concerns, I have purposely not filled out the EIP information.  However, if you did the steps above and fill in the right information here, your EIP will show up and you can allocate it there.


CIDR is the shorthand used when dealing with subnets.  Nobody likes writing 255.255.255.0 when they can simply type /24.  I encourage you to look it up if you need further assistance.  However, knowing this is not a long-term necessity for creating a working pfSense VM/EC2 instance.

Once you have filled out the information above, click Create VPC.

Step 3.)  This is the fun part: you only need to go to the EC2 dashboard and add a pfSense AMI from the correct region.  I like Oregon a lot, so I used ami-fd6a58cd.  I chose the free tier as I like to keep my budgets low.  If I need more power I can simply create a snapshot and later launch it with more powerful specs.  However, I will be choosing the free tier.







Step 4.)  You need to attach both a WAN and a LAN interface; that "physical connection" is what keeps unsolicited traffic out.

For the top subnet be sure to select the pfSenseWAN and for the bottom subnet be sure to select the pfSenseLAN.




I apologize, but sensitive information is to the left and I don't have any tools to grey it out.

Step 5.) Make sure you add an extra Network Interface.




Step 6.)  Now add a few ports for your security group, or if you want, you can even set it to all traffic, since we are operating as a passive firewall.

That means either I don't want to add rules in two places because I am lazy, or I put on my security hat and decide that I need two levels of security.  I will be adding the following ports:
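As an added example (not a playbook from the original post), here is the Step 6 security group written as an Ansible task that takes the "two levels of security" route: it only opens the ports the later steps actually use (443 for the web GUI in Step 11, 22 for the SSH session in Step 12), and only from an administrative network. The `vpc.vpc_id` lookup assumes the VPC playbook at the bottom of the post was run first and registered `vpc`; `admin_cidr` is a placeholder you replace with your own address block.

```yaml
---
# Added example: least-privilege security group for the pfSense WAN side.
# Assumes the "vpc" variable registered by the VPC playbook; admin_cidr is a
# placeholder from the RFC 5737 documentation range.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    admin_cidr: 203.0.113.0/24
  tasks:
    - name: security group for the pfSense WAN interface
      ec2_group:
        name: pfSenseWAN-sg
        description: pfSense WAN - admin access only from the trusted network
        vpc_id: "{{ vpc.vpc_id }}"
        region: us-west-2
        rules:
          # HTTPS to the pfSense web GUI (Step 11), admin network only
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: "{{ admin_cidr }}"
          # SSH for the initial password change (Step 12), same restriction
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ admin_cidr }}"
        # The "all traffic" option from the post would instead be a single
        # ingress rule, which leaves pfSense as the only filter:
        #   - proto: all
        #     cidr_ip: 0.0.0.0/0
        rules_egress:
          - proto: all
            cidr_ip: 0.0.0.0/0
      register: wan_sg
```

The ingress list is the first of the two security levels; pfSense's own rule set is the second. Traffic that later has to pass through the firewall (for example to the LAN subnet) is added here as it is needed rather than opened up front.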






Now click Launch and you will be directed to the EC2 dashboard.

Step 7.)  Select the pfSense EC2 instance and browse for eth0...

Make a note of the ENI (Elastic Network Interface); try to remember the last 4 characters.
eni-********

Step 8.)  Go to NAT Gateways while you're still in the VPC dashboard and delete the NAT gateway the wizard created there.
Please remember to wait 6 minutes while everything propagates.

Step 9.)  Now visit the VPC dashboard.

Look on the left, select Elastic IPs, and associate/attach the address to the ENI you wrote down earlier.

Step 10.) Take a break and wait for 10 minutes.

Step 11.)  Go back to the Amazon EC2 dashboard, note your Elastic IP, go to a web browser (I love Google Chrome and Firefox, but Safari is my preference) and type this:

https://your_elastic_ip_goes_here

Step 12.)  Set the username and password by going in over SSH and changing them there...

Type into the terminal like this:

ssh -i pfSenseFirewall.pem root@###.###.###.####   <--- your elastic IP goes here

Now change the password: select option 3.


Step 13.)  Log in with these credentials:
Username: admin
Password:  password

Change your password and...

Step 14.) Enjoy!!!

Step 15.)  I recommend creating an image of the EC2 instance before you start work and again after you finish the final product.







The Ansible playbook for creating a VPC with both a private and a public subnet is here:

Just save the file as vpc_private_and_public.yml


---
# vpc_private_and_public.yml
# ec2_vpc is the original all-in-one VPC module; later Ansible releases
# replace it with ec2_vpc_net, ec2_vpc_subnet, ec2_vpc_igw and
# ec2_vpc_route_table.
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: create the pfSense VPC with a WAN (public) and a LAN subnet
      ec2_vpc:
        state: present
        cidr_block: 172.17.0.0/16
        resource_tags: { "Environment": "pfSenseBlock" }
        subnets:
          - cidr: 172.17.250.0/24
            az: us-west-2c
            resource_tags: { "Name": "pfSenseWAN", "Purpose": "Firewall" }
          - cidr: 172.17.255.0/24
            az: us-west-2b
            resource_tags: { "Name": "pfSenseLAN", "Purpose": "LAN" }
        internet_gateway: True
        # Only the two subnets above exist in this VPC, so one route table
        # covering both is all that is needed.
        route_tables:
          - subnets:
              - 172.17.250.0/24
              - 172.17.255.0/24
            routes:
              - dest: 0.0.0.0/0
                gw: igw
        region: us-west-2
      register: vpc



Now you want to spawn an instance for pfSense and place it into the correct VPC with the correct ENI.


The Ansible playbook should be named properly; also keep in mind that this works well with HVM EC2 instances other than pfSense.  This will spawn an instance in Oregon.

Spawn_pfSense.yml

Now we need to spawn the instance with 2 adapters.



---
# Spawn_pfSense.yml
# Halfway through I want to get information about the instance, however there
# is a wait time, so I need to put in two things: a timed pause and a prompt.
# I noticed that my last EC2 instance took 15 minutes from start to finish,
# so I wait 15 minutes before starting the next play.
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - pause: minutes=15
    - pause: prompt="15 minutes have passed, now loading the next steps"

# ec2_facts reads the instance metadata service, so it has to run on the EC2
# instance itself rather than on the control machine.  "pfsense" is an
# inventory group assumed to contain the new instance.
- hosts: pfsense
  tasks:
    - name: get that information about the ec2 instance
      ec2_facts:

    - debug: var=ansible_ec2_instance_id

    # you will get your instance id here and can then attach the ENI to it
    - pause: prompt="please note the instance id"

# Create an ENI in the WAN subnet, then read back the ENI details.
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: create an ENI in the pfSenseWAN subnet
      ec2_eni:
        private_ip_address: 172.17.250.154
        subnet_id: subnet-xxxxxxxx
        region: us-west-2
        state: present

    - name: get the information about the ENI after creation
      ec2_eni_facts:
        region: us-west-2
 



Hook_pfSense_to_elastic_ip.yml


The sample below lets you see the Elastic IP, since that may be unknown at some point, and attaches it to an Elastic Network Interface (ENI).

---
# Hook_pfSense_to_elastic_ip.yml
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: associate an elastic IP with a device
      ec2_eip: device_id=eni-c8ad70f3 ip=93.184.216.119 region=us-west-2
      register: eip

    - name: output the IP
      debug: msg="Allocated IP is {{ eip.public_ip }}"
 

I recently made a better discovery: it would be smarter to create the Elastic Network Interface(s) first...

Then attach them to your instance ID:

So try this:

# attach an existing ENI to an instance
- ec2_eni:
    eni_id: eni-xxxxxxx
    instance_id: i-xxxxxxx
    security_groups: sg-xxxxxx
    state: present
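Putting the "ENI first" idea together, here is an added example playbook (my own, not the post's code) that covers Steps 3 to 9 in one run: it creates the WAN and LAN interfaces, launches the pfSense instance with both attached (so eth0 is the WAN interface), and binds the Elastic IP to the WAN ENI. It goes a little beyond the post by attaching the interfaces at launch rather than afterwards, and by disabling EC2's source/destination check on the LAN side, which a firewall needs in order to forward packets that are not addressed to itself. The AMI and region are the post's; the subnet IDs, security group ID, key pair name and Elastic IP are placeholders.

```yaml
---
# Added example: ENIs first, then launch pfSense with both attached.
# Placeholders: subnet ids, security group id, key name, elastic_ip.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    region: us-west-2
    wan_subnet_id: subnet-xxxxxxxx   # pfSenseWAN subnet (172.17.250.0/24)
    lan_subnet_id: subnet-yyyyyyyy   # pfSenseLAN subnet (172.17.255.0/24)
    wan_sg_id: sg-xxxxxxxx           # security group from Step 6
    key_name: pfSenseFirewall        # matches pfSenseFirewall.pem in Step 12
    elastic_ip: 198.51.100.10        # placeholder, RFC 5737 documentation range
  tasks:
    - name: WAN interface in the public subnet
      ec2_eni:
        region: "{{ region }}"
        subnet_id: "{{ wan_subnet_id }}"
        security_groups: ["{{ wan_sg_id }}"]
        description: pfSense WAN
        state: present
      register: wan_eni

    # A firewall forwards packets that are neither from nor to its own
    # address; EC2 drops those unless the source/destination check is off.
    - name: LAN interface in the private subnet, forwarding allowed
      ec2_eni:
        region: "{{ region }}"
        subnet_id: "{{ lan_subnet_id }}"
        description: pfSense LAN
        source_dest_check: no
        state: present
      register: lan_eni

    # The first entry in network_interfaces becomes device index 0 (eth0),
    # which is why the WAN ENI is listed first.
    - name: launch pfSense with both interfaces attached
      ec2:
        region: "{{ region }}"
        image: ami-fd6a58cd
        instance_type: t2.micro
        key_name: "{{ key_name }}"
        network_interfaces:
          - "{{ wan_eni.interface.id }}"
          - "{{ lan_eni.interface.id }}"
        source_dest_check: no
        instance_tags: { "Name": "pfSense" }
        wait: yes
      register: pfsense

    - name: bind the Elastic IP to the WAN interface (Step 9)
      ec2_eip:
        region: "{{ region }}"
        device_id: "{{ wan_eni.interface.id }}"
        ip: "{{ elastic_ip }}"
        in_vpc: yes

    - name: where to reach the firewall
      debug:
        msg: "pfSense {{ pfsense.instances[0].id }} is reachable at https://{{ elastic_ip }}"
```

Because the Elastic IP is bound to the WAN ENI rather than to the instance, it survives a stop/start or a rebuild from the snapshot recommended in Step 15: attach the same ENI to the new instance and the public address follows it.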