Setup/Configure OPNsense router in AWS VPC

For the longest time I was under the assumption that a router in an AWS VPC could only have one NIC. Writing iptables/firewall rules for a single interface can be tedious! However, I have discovered how to set up OPNsense in an AWS VPC with multiple NICs. That is right: you will have a WAN NIC (public subnet) and a NIC for each private subnet.

Create AWS VPC

  1. Login into AWS console
  2. Select “VPC” from the list of AWS services
  3. Select “Elastic IPs” on the left
  4. Select “Allocate new address” and select “Allocate”
  5. Select “VPC Dashboard” in top left
  6. Select “Start VPC wizard”
  7. Select “VPC with Public and Private subnets” for VPC configuration
  8. VPC with public and private subnets
    1. Enter “172.21.0.0/16” for IPv4 CIDR block
    2. Select “No IPv6 CIDR block” for IPv6 CIDR block
    3. Enter a name for VPC name
    4. Enter “172.21.100.0/24” for public subnet IPv4 CIDR
    5. Select an AWS availability zone
    6. Enter “<VPC name from above>_public_subnet” for the public subnet name
    7. Enter “172.21.101.0/24” for private subnet IPv4 CIDR
    8. Select the same availability zone as above
    9. Enter “<VPC name from above>_private_subnet” for the private subnet name
    10. Select elastic IP from above
  9. Select “Create VPC”
    1. This will take about 5-10 minutes, so be patient

Create AWS OPNsense instance

Create instance

  1. Select “EC2” from AWS services
  2. Select “Launch instance”
  3. Select “Community AMIs” on the left
  4. Enter “opnsense” into search
  5. Select “OPNsense-20150708.beta3”
  6. Select “t2.small” for instance type
  7. Configure instance details
    1. Select “test” VPC for network
    2. Select “test_public_subnet” for subnet
    3. Network interface
      1. Enter “172.21.100.254” for primary IP address under “Network interfaces”
    4. Select “Add device” under network interface
      1. Select “test_private_subnet” for subnet
      2. Enter “172.21.101.254” for IP address
  8. Add storage
    1. Set the HDD size to 40 GB
  9. Add tags
    1. Select “Add tag”
    2. Enter “Name” for key
    3. Enter “opnsense” for value
  10. Security group
    1. Enter “test_router_sg”
    2. Allow ALL traffic (ONLY DEVELOPMENT)
      1. I am keeping this simple so I can get this post out.
      2. For a more secure setup, allow only ports 80, 443 and 22
  11. Select “Launch”

Setup Elastic IP for instance and networking

  1. Select “Network interfaces” on the left
    1. Search for “172.21.100.254”
    2. Copy the Network interface ID
    3. Search for “172.21.101.254”
      1. Select network interface
      2. Select “Action” then “Change source/dest. check”
      3. Select “Disable”
      4. Select “save”
  2. Select “Elastic IPs” on the left
  3. Select “Allocate new address” and select “Allocate”
  4. Select new Elastic IP, select “Action” then “Associate address”
    1. Select “Network interface” for resource type
    2. Paste Network interface ID from above
    3. Select “172.21.100.254” from Private IP
    4. Select “Associate”

Setup/Configure VPC routing tables

  1. Select “EC2” from AWS services
  2. Select “network interfaces”
  3. Search for “172.21.101.254”
  4. Copy network interface ID
  5. Select “VPC” from AWS services
  6. Select “Your VPCs” on the left and select “test” VPC
  7. Select “rtb-xxxxxx” for routing table
  8. Select routing table and select “routes” tab
  9. Select “edit”
    1. Enter “<network interface ID above>” in the target box for “0.0.0.0/0” (this replaces the wizard's NAT gateway route, so all private subnet traffic leaves through OPNsense)
    2. Select “Save”
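The AWS side of the steps above (two NICs, source/dest check disabled on the private NIC, private subnet default route pointing at that NIC) expressed as Terraform, as an added example that is not part of the original post. The VPC, subnet, security group and AMI IDs are placeholders to fill in from the console, and the security group is assumed to permit only 22/80/443 inbound rather than all traffic.

```hcl
# IDs of what the VPC wizard and console steps already created (placeholders).
locals {
  vpc_id            = "vpc-PLACEHOLDER"
  public_subnet_id  = "subnet-PLACEHOLDER-public"  # 172.21.100.0/24
  private_subnet_id = "subnet-PLACEHOLDER-private" # 172.21.101.0/24
  router_sg_id      = "sg-PLACEHOLDER"             # allow only 22/80/443 inbound, not ALL
  opnsense_ami      = "ami-PLACEHOLDER"            # the OPNsense community AMI
}

# WAN NIC (device 0) in the public subnet; associate the Elastic IP with this one.
resource "aws_network_interface" "wan" {
  subnet_id       = local.public_subnet_id
  private_ips     = ["172.21.100.254"]
  security_groups = [local.router_sg_id]
}

# LAN NIC (device 1). Source/dest check must be off or AWS drops packets OPNsense forwards for other hosts.
resource "aws_network_interface" "lan" {
  subnet_id         = local.private_subnet_id
  private_ips       = ["172.21.101.254"]
  security_groups   = [local.router_sg_id]
  source_dest_check = false
}

resource "aws_instance" "opnsense" {
  ami           = local.opnsense_ami
  instance_type = "t2.small"
  network_interface {
    network_interface_id = aws_network_interface.wan.id
    device_index         = 0
  }
  network_interface {
    network_interface_id = aws_network_interface.lan.id
    device_index         = 1
  }
}

# Private subnet default route targets the LAN NIC, so all egress transits OPNsense.
resource "aws_route_table" "private" {
  vpc_id = local.vpc_id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.lan.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = local.private_subnet_id
  route_table_id = aws_route_table.private.id
}
```

Leave source/dest check enabled on the WAN NIC: after NAT, packets leaving it carry its own address, so only the LAN NIC needs the check disabled.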


Setup AWS OPNsense instance

  1. Browse to “https://<Elastic IP of OPNsense>” and log in
    1. Enter “root” for username
    2. Enter “opnsense” for password

Change root password

  1. Select “User” on the left then “Change password”
  2. Enter new password and select “Save”

Setup LAN interface

  1. Select “Interfaces” on the left then select “Assign”
  2. Select “+” to add the LAN interface. It should look like the photo below.
  3. Select “LAN”
    1. Select “Enable interface”
    2. Select “Static IPv4” for IPv4 configuration type
    3. Enter “172.21.101.254” for IPv4 Address and set subnet to “/24”
    4. Select “Save” and “Apply changes”

Change some OPNsense settings

  1. Select “System” on the left and select “Settings”
  2. Enter “<hostname>” for hostname
  3. Enter “<domain>” for domain
  4. Enter DNS server IP addresses under DNS servers
  5. Select “<time zone>” for time zone
  6. Select “Save”

Create instance in VPC

  1. Select “EC2” from AWS services
  2. Select “Launch instance”
  3. Select “Ubuntu Server 16.04 LTS”
    1. You can select whatever you want, but I will use Ubuntu 🙂
  4. Instance type
    1. Select “t2.micro”
  5. Configure instance details
    1. Select “test” VPC for network
    2. Select “test_private_subnet” for subnet
  6. Storage
    1. Accept default
  7. Add tags
    1. Select “Add tag”
    2. Enter “Name” for Key
    3. Enter “test box” for value
  8. Configure security group
    1. Allow all traffic (ONLY DEVELOPMENT)
    2. Please set up more restrictive ports for production
  9. Select Launch

Setup/Configure OPNsense port forward to instance

  1. Go to EC2 instances and select newly created “test box”
    1. Get the private IP for the instance
  2. Log in to the OPNsense web GUI
  3. Select “Firewall” then “NAT”
  4. Select “Port forward” tab at the top
  5. Select “Add +” in the top right
    1. Select “WAN” for interface
    2. Select “TCP” for protocol
    3. Select “WAN address” for destination
    4. Enter “5000” for destination port range from and to
    5. Enter “<test box IP address from above>” for redirect target IP
    6. Enter “22” for redirect target port
    7. Enter “SSH port forward to test box” for description
    8. Select “Save” and “Apply changes”
  6. ssh -i <private ssh key file> -p 5000 ubuntu@<Elastic IP of OPNsense> (the port must match the destination port of the forward rule above)

One thought on “Setup/Configure OPNsense router in AWS VPC”

  1. Idris says:

    Are you able to update opnsense? I seem to get an error when I try to update through the management UI.
