pfSense 2.1 on AWS EC2

November 21st, 2013 by Jim Thompson

We now have pfSense 2.1 available on Amazon’s Elastic Compute Cloud (EC2).

Finally.

All images are currently 64-bit and therefore require HVM, so the set of EC2 instance types that can run them is somewhat limited.

Currently there are two versions. There is a pfSense Certified release available in the AWS Marketplace. You can find it here: Netgate pfSense Certified Router/Firewall/VPN

Its AMI ID is ami-6821b858.

In keeping with the community spirit, we’re also offering a free “public” AMI. For marketplace AMIs, AWS does all the copying for you. For AMIs that you share with the community, you have to do it yourself. In order to make the public images available we had to create an instance in each region, copy the image over to the instance, write the image onto a disk, then detach the root disk, attach the image disk and build an AMI from it.

US East (N. Virginia) - ami-11a58278
US West (Oregon) - ami-3430ab04
US West (N. California) - ami-0c417049
EU (Ireland) - ami-b69874c1
Asia Pacific (Singapore) - ami-9c1541ce
Asia Pacific (Tokyo) - ami-1f0e681e
Asia Pacific (Sydney) - ami-6fdf4055
South America (Brasil) - ami-cb13b5d6

To use these:

  1. Look in the list above and find the correct AMI number for the EC2 region you want to launch the EC2 instance into.
  2. Launch the EC2 instance.

Check the FAQ and User Guide for additional details.

Enjoy!


27 Responses to “pfSense 2.1 on AWS EC2”

  1. Bernis Says:

    Thank you for this. I was planning to get some kind of a load balancer or proxy thingy on EC2 and this made it much easier.

  2. Nimamhd Says:

    Congratulations, really well done team.

  3. Jeff L. Says:

    I want to thank the development team for creating the AMI. pfSense will drastically simplify the connections of AWS VPCs to data centers. I expect that this AMI will be very popular.

  4. Simon Vass Says:

    Not seeing those free “public” AMIs listed above? Any issues?

  5. Bridging the Gap | BSD Now 13 | Jupiter Broadcasting Says:

    […] pfSense 2.1 on AWS EC2 […]

  6. Mike W Says:

    Also unable to find the free AMIs.

  7. Jared Dillard Says:

    You will need to launch an EC2 instance from the dashboard and then search the Community AMIs for pfSense in order to see them.

  8. Mike P Says:

    Any reason why the instance types are so huge? Would you consider putting up i386 version so we could run it on smaller instances?

  9. Jim Thompson Says:

    They’re what Amazon will let us run.

    We made 32-bit (i386) PVM AMIs, and they suffered the same restriction.

  10. Heitor Says:

    I’ve managed to make it work even with m1.small, but it requires some static changes on the image itself.

    I will contact Netgate to see if I can make them available to everyone, so you don’t need to stick with a huge instance type just to get pfSense to work, and then I’ll post the image IDs here as soon as I can store them somewhere.

  11. Douglas Green Says:

    Have the public AMIs been updated or removed? I cannot locate them in the marketplace no matter which way I search for them.

  12. Chris Says:

    SOOOO psyched when I saw this, but I cannot for the life of me get it working. I have been using pfSense for probably 6 years and set up a dozen or so, but in AWS it is causing me much pain. I have tried a single interface but VLANs don’t work, so I set it up with 2 NICs and have checked my security a billion times. I can hit the LAN NIC from the private network, but nothing is getting out to the other side. I have my outbound LAN rule set up, NAT looks good. Making me crazy. This is EXACTLY what we need right now and I’ve been screwing with it for days. Anything dumb I’m missing?? Using DHCP on both interfaces and they’re showing as good and show proper .1 gateways; security I even set as wide open on both interfaces just to see, and no dice. I can SSH to the device and ping Google, but when I ping Google from the private network it just dies. I have my VPC routes set up correctly on my private network to point at the private NIC on the pfSense. aaahhhh!!!! Any help appreciated. lol. Thanks.

  13. Jared Dillard Says:

    Chris: Your best bet for help is to post to https://forum.pfsense.org/

  14. Matt Smith Says:

    Chris:

    You need to disable the source/destination check on the LAN interface on the pfSense instance. Under the EC2 management console, go to the Instances view, select your pfSense instance and look under the Description tab at the Network Interfaces heading. Click on the name of the LAN interface (probably eth1) and see what it says for the “Interface ID” field in the box that pops up. Should be something like “eni-some_hex_digits”. Go to the Network Interfaces view (still under EC2 management console) and find the interface with that ID. Check the box next to it and click on Actions. Select the action Change Source/Dest Check. Change the radio button from Enabled to Disabled. You should start seeing traffic come in to the LAN interface.
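The console click-through in the comment above, together with the region-to-AMI list from the post, as an AWS CLI helper. This is an added example, not code from the post, from Netgate or from the commenter. It assumes the `aws` CLI is installed and has credentials, that the region codes I mapped to the post's region names are correct, that the LAN interface is the instance's second ENI (device index 1, i.e. eth1 as the comment guesses), and that the instance type and ENI id passed in are your own; the `PFSENSE_EC2_RUN` guard and every function name are mine.

```shell
#!/bin/sh
# Added example (not the pfSense project's code). Requires a configured AWS CLI.
#
# 1. Resolve the community AMI for a region (table copied from the post; the
#    region codes are my mapping of the post's display names).
ami_for_region() {
    case "$1" in
        us-east-1)      echo ami-11a58278 ;;   # US East (N. Virginia)
        us-west-2)      echo ami-3430ab04 ;;   # US West (Oregon)
        us-west-1)      echo ami-0c417049 ;;   # US West (N. California)
        eu-west-1)      echo ami-b69874c1 ;;   # EU (Ireland)
        ap-southeast-1) echo ami-9c1541ce ;;   # Asia Pacific (Singapore)
        ap-northeast-1) echo ami-1f0e681e ;;   # Asia Pacific (Tokyo)
        ap-southeast-2) echo ami-6fdf4055 ;;   # Asia Pacific (Sydney)
        sa-east-1)      echo ami-cb13b5d6 ;;   # South America (Brasil)
        *) return 1 ;;                         # no community AMI listed
    esac
}

# 2. Reject anything that is not a plausible ENI id before it reaches the CLI,
#    so a mistyped or pasted value cannot become an unexpected argument.
is_eni_id() {
    printf '%s\n' "$1" | grep -Eq '^eni-[0-9a-f]{8,17}$'
}

# 3. Launch the instance and print its id. Instance type is caller-supplied
#    because only HVM-capable types work with these 64-bit images.
launch_pfsense() {
    region="$1"; itype="$2"
    ami=$(ami_for_region "$region") || { echo "no community AMI for $region" >&2; return 2; }
    aws ec2 run-instances --region "$region" --image-id "$ami" \
        --instance-type "$itype" \
        --query 'Instances[0].InstanceId' --output text
}

# 4. Find the LAN ENI (assumption: device index 1 / eth1).
lan_eni_of() {
    aws ec2 describe-instances --region "$1" --instance-ids "$2" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[?Attachment.DeviceIndex==`1`].NetworkInterfaceId' \
        --output text
}

# 5. Clear the source/destination check so EC2 stops dropping the packets the
#    firewall forwards on behalf of other hosts, then read the attribute back
#    and fail if it did not take.
disable_source_dest_check() {
    region="$1"; eni="$2"
    is_eni_id "$eni" || { echo "bad ENI id: $eni" >&2; return 2; }
    aws ec2 modify-network-interface-attribute --region "$region" \
        --network-interface-id "$eni" --no-source-dest-check
    state=$(aws ec2 describe-network-interfaces --region "$region" \
        --network-interface-ids "$eni" \
        --query 'NetworkInterfaces[0].SourceDestCheck' --output text)
    [ "$state" = "False" ]
}

# Only talks to AWS when explicitly asked, e.g.:
#   PFSENSE_EC2_RUN=1 sh deploy-pfsense.sh us-east-1 m3.medium
# (after attaching the second ENI for the LAN side in the console).
if [ "${PFSENSE_EC2_RUN:-0}" = 1 ]; then
    region="${1:?region}"; itype="${2:?instance type}"
    id=$(launch_pfsense "$region" "$itype") || exit 1
    echo "launched $id; attach the LAN ENI, then press Enter"; read _
    eni=$(lan_eni_of "$region" "$id")
    disable_source_dest_check "$region" "$eni" && echo "source/dest check off on $eni"
fi
```

The read-back in step 5 is the part worth keeping even if you do the rest in the console: the check silently drops forwarded traffic, which is exactly the "LAN reachable, nothing gets out" symptom described two comments up, so confirming `SourceDestCheck` is `False` is the quickest way to rule it out.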

  15. Sam S Says:

    I’m feeling quite stupid here, but I can’t seem to find the public AMIs either, at least not in EU-West. There is the Official Certified version but not the public ones.

    Any idea whether they could be reinstated?

  16. Matt Smith Says:

    For people having trouble finding the community AMIs, the general procedure is to click on “Launch Instance” in the EC2 Management Console. There should be several tabs available on the next screen: Quick Start, My AMIs, AWS Marketplace, Community AMIs. You want to select Community AMIs and then use the search box there.

    The public AMI ID listed for the EU is incorrect in the original post. The actual AMI ID to search for in the EU region is ami-b69874c1. All of the other AMI IDs appear to be valid if searched for as described above.

  17. Chris Buechler Says:

    Thanks Matt. I updated the AMI ID that was incorrect in the original post.

  18. Anushan R Says:

    What is the auto update link for these?

    It looks like the auto update for the EC2 is gone….

  19. Matthew Fisch Says:

    I’m deploying this into a lab scenario which is populated by promotional AWS credits, NFRs and demo licensing during the development cycle of a project I’m working on.

    The free public AMI seems to run on actual windows instances and get billed at AWS rates which include windows licensing, while the netgate edition published in the marketplace correctly bills Linux/UNIX rates for the EC2 instance. I assume both versions use HVM or FreeBSD wouldn’t run.

    While I feel there’s probably some fiddling I can do to fix this with API calls and a relaunch (maybe there’s no way to force HVM on Linux/UNIX?) I can’t help but think the AMIs should be fixed.

    Thanks for any thoughts!

  20. Matt Smith Says:

    Anushan,

    There is no auto update link that is appropriate to be used with the EC2 image. When a new software release is available, an updated AMI will be released.

  21. Jim Thompson Says:

    Matthew,

    You are correct that both the public and paid versions of the pfSense images run in HVM mode. There isn’t likely to be any twiddling that you can do with API calls to change the usage rates you are charged for the public image (though if you manage to succeed, I’d love to hear about it). For the smaller instance sizes, the thing that determines whether your instance is “Windows” or “Linux” seems to be whether it runs in HVM or PV mode. AWS is able to make a distinction for the larger instance sizes offered through the marketplace, but for the smaller instances, the theory is that their licensing agreement with Microsoft is based on them paying for Windows licenses for all HVM instances.

  22. Jim Thompson Says:

    We’ll build a 2.1.1 after it is released.

  23. Matthew Fisch Says:

    That all makes sense, except in AWS Marketplace the appliance shows itemized pricing (Netgate + EC2) where the EC2 pricing is Linux (not the higher Windows rate) and the OS is listed as Linux/UNIX.

    When I get more time I’ll probably build some up of each and see what happens.

    Thanks for taking time to respond. I’ll let you know if I discover anything new.

  24. Matthew Fisch Says:

    For those interested, AWS recently opened the API to allow anyone to create HVM AMIs without the Microsoft tax:

    http://www.daemonology.net/blog/2014-02-16-FreeBSD-EC2-build.html

    Until end of 2013 or so, it was not possible to create an HVM Linux AMI without explicit help and approval from AWS.

    I saw the API hooks a few days ago — but at the time didn’t realize they were new.

    Good news for everyone here I suppose.

  25. Jim Thompson Says:

    That’s very interesting Matthew. We’ll look into it.

    Thanks!

  26. Joshua C. Forest Says:

    Any movement on a new AMI to fix the heartbleed bug? I tried installing the upgrade on a live system and it came back not recognizing our interfaces, and so, never fully boots :(

  27. Jim Thompson Says:

    Amazon has them, but hasn’t put them in place yet.
