pfSense 2.1 on AWS EC2

We now have pfSense 2.1 available on Amazon’s Elastic Compute Cloud (EC2).

Finally.

All instances are currently 64-bit, and thus require HVM. As such, the EC2 types which are supported are somewhat limited.

Currently there are two versions. There is a pfSense Certified release available in the AWS Marketplace. You can find it here: Netgate pfSense Certified Router/Firewall/VPN

Its AMI ID is ami-6821b858

In keeping with the community spirit, we’re also offering a free “public” AMI. For marketplace AMIs, AWS does all the copying for you. For AMIs that you share with the community, you have to do it yourself. To make the public images available, we had to create an instance in each region, copy the image over to the instance, write the image onto a disk, then detach the root disk, attach the image disk, and build an AMI from it.

US East (N. Virginia) – ami-11a58278
US West (Oregon) – ami-3430ab04
US West (N. California) – ami-0c417049
EU (Ireland) – ami-b69874c1
Asia Pacific (Singapore) – ami-9c1541ce
Asia Pacific (Tokyo) – ami-1f0e681e
Asia Pacific (Sydney) – ami-6fdf4055
South America (Brasil) – ami-cb13b5d6

To use these:

  1. Look in the list above and find the correct AMI number for the EC2 region you want to launch the EC2 instance into.
  2. Launch the EC2 instance.

Check the FAQ and User Guide for additional details.

Enjoy!

 


37 Responses to “pfSense 2.1 on AWS EC2”

  1. Bernis Says:

    Thank you for this, I was planning to get some kind of a load balancer or proxy thingy on EC2 and this made it much easier.

  2. Nimamhd Says:

    Congratulations, really well done team.

  3. Jeff L. Says:

    I want to thank the development team for creating the AMI. pfSense will drastically simplify the connections of AWS VPCs to data centers. I expect that this AMI will be very popular.

  4. Simon Vass Says:

    Not seeing those free “public” AMI’s listed above? Any issues?

  5. Bridging the Gap | BSD Now 13 | Jupiter Broadcasting Says:

    […] pfSense 2.1 on AWS EC2 […]

  6. Mike W Says:

    Also unable to find the free AMI’s.

  7. Jared Dillard Says:

    You will need to launch an EC2 instance from the dashboard and then search the Community AMIs for pfSense in order to see them.

  8. Mike P Says:

    Any reason why the instance types are so huge? Would you consider putting up i386 version so we could run it on smaller instances?

  9. Jim Thompson Says:

    They’re what Amazon will let us run.

    We made 32-bit (i386) PVM AMIs, and they suffered the same restriction.

  10. Heitor Says:

    I’ve managed to make it work even with m1.small, but it requires some static changes on the image itself.

    I will contact NetGate to see if I can make them available to everyone, so you don’t need to stick with a huge instance type just to get pfSense to work, and then I will post the image IDs here as soon as I can store them somewhere.

  11. Douglas Green Says:

    Have the public AMIs been updated or removed? I cannot locate them in the marketplace no matter which way I search for them.

  12. Chris Says:

    SOOOO psyched when I saw this but I cannot for the life of me get it working. I have been using pfSense for probably 6 years and set up a dozen or so, but in AWS it is causing me much pain. I have tried single interface but VLANs don’t work, so I set it up with 2 NICs and have checked my security a billion times. I can hit the LAN NIC from the private network, but nothing is getting out to the other side. I have my outbound LAN rule set up, NAT looks good. Making me crazy. This is EXACTLY what we need right now and I’ve been screwing with it for days. Anything dumb I’m missing?? Using DHCP on both interfaces and they’re showing as good and show proper .1 gateways, security I even set as wide open on both interfaces just to see and no dice. I can SSH to the device and ping Google, but when I ping Google from private network it just dies. I have my VPC routes set up correctly on my private network to point at the private NIC on the pfSense. Aaahhhh!!!! Any help appreciated. Lol. Thanks.

  13. Jared Dillard Says:

    Chris: Your best bet for help is to post to https://forum.pfsense.org/

  14. Matt Smith Says:

    Chris:

    You need to disable the source/destination check on the LAN interface on the pfSense instance. Under the EC2 management console, go to the Instances view, select your pfSense instance and look under the Description tab at the Network Interfaces heading. Click on the name of the LAN interface (probably eth1) and see what it says for the “Interface ID” field in the box that pops up. Should be something like “eni-some_hex_digits”. Go to the Network Interfaces view (still under EC2 management console) and find the interface with that ID. Check the box next to it and click on Actions. Select the action Change Source/Dest Check. Change the radio button from Enabled to Disabled. You should start seeing traffic come in to the LAN interface.
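
The check Matt Smith describes above can also be audited from the API side. The following is an added example, not part of the original comment or of pfSense/Netgate code: it reads a response shaped like `aws ec2 describe-network-interfaces` output (the sample data, IDs and function names are constructed for illustration) and lists only the firewall instance's interfaces that still have the source/destination check enabled, together with the AWS CLI command that disables it.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# All IDs and addresses are made up for illustration.
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa1111", "SourceDestCheck": true,
   "PrivateIpAddress": "10.0.0.10",
   "Attachment": {"InstanceId": "i-0pfsense01", "DeviceIndex": 0}},
  {"NetworkInterfaceId": "eni-0bbb2222", "SourceDestCheck": true,
   "PrivateIpAddress": "10.0.1.10",
   "Attachment": {"InstanceId": "i-0pfsense01", "DeviceIndex": 1}},
  {"NetworkInterfaceId": "eni-0ccc3333", "SourceDestCheck": true,
   "PrivateIpAddress": "10.0.1.20",
   "Attachment": {"InstanceId": "i-0webserver1", "DeviceIndex": 0}},
  {"NetworkInterfaceId": "eni-0ddd4444", "SourceDestCheck": true,
   "PrivateIpAddress": "10.0.1.30"}
]}
""")


def enis_blocking_forwarding(response, instance_id, device_indexes=None):
    """Return ENI IDs on instance_id that still have the source/dest check on.

    device_indexes limits the result to given attachment slots (e.g. {1} for
    the LAN NIC); None means every interface attached to the instance.
    Interfaces of other instances are never returned, so the check stays
    enabled everywhere except on the forwarding firewall.
    """
    hits = []
    for eni in response.get("NetworkInterfaces", []):
        att = eni.get("Attachment") or {}   # detached ENIs have no Attachment
        if att.get("InstanceId") != instance_id:
            continue
        index = att.get("DeviceIndex", 0)
        if device_indexes is not None and index not in device_indexes:
            continue
        if eni.get("SourceDestCheck", True):
            hits.append((index, eni["NetworkInterfaceId"]))
    return [eni_id for _, eni_id in sorted(hits)]


def fix_commands(eni_ids):
    """AWS CLI equivalent of Actions > Change Source/Dest Check > Disabled."""
    return ["aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {e} --no-source-dest-check" for e in eni_ids]


if __name__ == "__main__":
    lan = enis_blocking_forwarding(SAMPLE, "i-0pfsense01", device_indexes={1})
    print("\n".join(fix_commands(lan)))
```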

  15. Sam S Says:

    I’m feeling quite stupid here but I can’t seem to find the public AMIs either, at least not in EU-West. There is the Official Certified version but not the public ones.

    Any idea whether they could be reinstated?

  16. Matt Smith Says:

    For people having trouble finding the community AMIs, the general procedure is to click on “Launch on Instance” in the EC2 Management Console. There should be several tabs available on the next screen: Quick Start, My AMIs, AWS Marketplace, Community AMIs. You want to select Community AMIs and then use the search box there.

    The public AMI ID listed for the EU is incorrect in the original post. The actual AMI ID to search for in the EU region is ami-b69874c1. All of the other AMI IDs appear to be valid if searched for as described above.

  17. Chris Buechler Says:

    Thanks Matt. I updated the AMI ID that was incorrect in the original post.

  18. Anushan R Says:

    What is the auto update link for these?

    It looks like the auto update for the EC2 is gone….

  19. Matthew Fisch Says:

    I’m deploying this into a lab scenario which is populated by promotional AWS credits, NFRs and demo licensing during the development cycle of a project I’m working on.

    The free public AMI seems to run on actual Windows instances and get billed at AWS rates which include Windows licensing, while the Netgate edition published in the marketplace correctly bills Linux/UNIX rates for the EC2 instance. I assume both versions use HVM or FreeBSD wouldn’t run.

    While I feel there’s probably some fiddling I can do to fix this with API calls and a relaunch (maybe there’s no way to force HVM on Linux/UNIX?) I can’t help but think the AMIs should be fixed.

    Thanks for any thoughts!

  20. Matt Smith Says:

    Anushan,

    There is no auto update link that is appropriate to be used with the EC2 image. When a new software release is available, an updated AMI will be released.

  21. Jim Thompson Says:

    Matthew,

    You are correct that both the public and paid versions of the pfSense images run in HVM mode. There isn’t likely to be any twiddling that you can do with API calls to change the usage rates you are charged for the public image (though if you manage to succeed, I’d love to hear about it). For the smaller instance sizes, the thing that determines whether your instance is “Windows” or “Linux” seems to be whether it runs in HVM or PV mode. AWS is able to make a distinction for the larger instance sizes offered through the marketplace, but for the smaller instances, the theory is that their licensing agreement with Microsoft is based on them paying for Windows licenses for all HVM instances.

  22. Jim Thompson Says:

    We’ll build a 2.1.1 after it is released.

  23. Matthew Fisch Says:

    That all makes sense, except in AWS Marketplace the appliance shows itemized pricing (Netgate + EC2) where the EC2 pricing is Linux (not higher Windows rate) and OS is listed as Linux/UNIX.

    When I get more time I’ll probably build some up of each and see what happens.

    Thanks for taking time to respond. I’ll let you know if I discover anything new.

  24. Matthew Fisch Says:

    For those interested, AWS recently opened the API to allow anyone to create HVM AMIs without Microsoft tax:

    http://www.daemonology.net/blog/2014-02-16-FreeBSD-EC2-build.html

    Until end of 2013 or so, it was not possible to create an HVM Linux AMI without explicit help and approval from AWS.

    I saw the API hooks a few days ago — but at the time didn’t realize they were new.

    Good news for everyone here I suppose.

  25. Jim Thompson Says:

    That’s very interesting Matthew. We’ll look into it.

    Thanks!

  26. Joshua C. Forest Says:

    Any movement on a new AMI to fix the Heartbleed bug? I tried installing the upgrade on a live system and it came back not recognizing our interfaces, and so, never fully boots :(

  27. Jim Thompson Says:

    Amazon has them, but hasn’t put them in-place, yet.

  28. Valentin Says:

    I saw that ami-dcd0a5ec is available, at least in the Oregon region, and per details it looks like it’s the 2.1.2 version. Can anyone else confirm?

  29. Nevins Says:

    Are there no free/community AMIs anymore? When attempting to launch one we see we now have to subscribe to the marketplace and the old AMIs no longer exist.

  30. Brent Boecking Says:

    Same problem here. I cannot find the community versions of the AMIs. I am searching just as posted above. Thanks.

  31. Nevins Says:

    Looks like it. We had to bring up a new instance based off an AMI of an existing instance we had running. No update to 2.12 available though.

  32. Brent Boecking Says:

    If somebody could give me an instance id for one of the community versions (that I can actually find) in the N. Virginia region, I would really appreciate it.

  33. Deepak A Says:

    Hi,

    Under Community AMIs, if I key in: Netgate
    I see 2 AMIs.

    1. Netgate pfSense – Stage – ami-0f14e978; Netgate pfSense – Stage

    2. Netgate pfSense Certified 2.1.2-d80da0a7-a53a-4c15-bec6-a3e647fb7f74-ami-228d684a.2 – ami-77a56100; Netgate pfSense Certified 2.1.2

    The 2nd AMI (ami-77a56100) is not free. I was pointed to the marketplace and asked to agree to the pricing shown there.

    Can someone point to the AMI that is free to deploy?

  34. Jim Thompson Says:

    The ‘free’ AMIs are gone. We dropped the price on the remaining AMIs.
    By paying for the AMI, you help support the project.

  35. Roman Says:

    Yes, but the price is pretty high.
    The instance itself costs 0.026$, while the software costs 0.07$ (triple) ….
    In total 0.096*24*31 = 71$ … for this price you may find a DEDICATED server with x2 1G unlimited bandwidth, 4 core Xeon, 32 RAM etc … and this will cost near 65$!
    And install free pfSense on it

    If the price was near 0.035 or less – then it’s fair, I think

  36. Malik Says:

    Hi All, I have managed to start pfSense on AWS EC2 for testing, I am new to pfSense :)
    After launching the instance I can get into it via SSH but when I try to browse it via HTTPS I don’t get anything. Is there any trick, as the EC2 instance is using a private IP and I cannot reach it through my public IP provided by EC2…. Please help, do I need to change the IP in pfSense by selecting option no 2 and give it a public IP or so?
    Advice please

  37. Malik Says:

    No worries, I figured it out. Every time I restart my instance I have to reset web configuration ….
    OpenVPN works on AWS EC2 but clients’ traffic doesn’t go through the tunnel .. any idea ???
