Introduction
This tutorial shows how to route cloud servers over private network using pfSense and “Hetzner Cloud Networks”.
hcloud-CLI will be used in this tutorial. It can also be done with the Cloud console.
Why should a server route the traffic over a private network?
The advantage to route the traffic over private networking is that the client servers can be protected by a firewall and are only accessible through the internal IP address. If the public interface of the client servers is disabled, the only access is via the router. It uses NAT (…) to hide the internal network from the public Internet.
Prerequisites
Following things are required:
- two (2) cloud server (one as pfSense, the other one as client)
- a private network range
- hcloud-CLI
- Cloud console
Step 1 – Set up the environment
Before anything can be done, the router and the client have to be created. A CX11 as router is enough for the purpose.
To create the servers the following commands have to be executed (the image which will used on the router has no matter):
hcloud server create --name router --type cx11 --image ubuntu-18.04
hcloud server create --name private-client --type cx11 --image ubuntu-18.04If this is done, the private network can be created.
hcloud network create --name nat-network --ip-range 10.0.0.0/16The network needs also a subnet. This tutorial will use the ip range 10.0.0.0/24 in zone eu-central, which includes hel1, fsn1 and nbg1.
hcloud network add-subnet nat-network --network-zone eu-central --type server --ip-range 10.0.0.0/24The servers needs to get attached to the network. A specification of an IP-address to the router should be done because the traffic will be routed over this server. The usage of 10.0.0.1 is not possible because this ip is already used to route the packages over multiple hosts.
hcloud server attach-to-network router --network nat-network --ip 10.0.0.2
hcloud server attach-to-network private-client --network nat-networkTo route the whole traffic to the router in private network, a route is needed. The destination is 0.0.0.0/0 (every ip in every subnet) and the gateway is 10.0.0.2 (the router).
hcloud network add-route nat-network --destination 0.0.0.0/0 --gateway 10.0.0.2Step 2 – Set up the pfSense server
To install pfSense on the router server, mount the image first.
hcloud server attach-iso router pfSense-CE-2.4.4-RELEASE-amd64.isoThe ISO name depends on the version. It’s possible that the ISO may be is a newer version.
When the ISO is mounted, a reboot/reset of the server is needed and start a web console to perform the installation.
hcloud server reset routerThe web console can be opened in Cloud console.
Perform the installation with the guide.
When the installation is done the ISO can be detached.
hcloud server detach-iso routerWhen pfSense is booted, there is a dialog if VLANs should be configured. Type in n and press enter.
For the WAN interface use vtnet0. Leave LAN interface empty. LAN interface gets set up later.
Confirm the changes with y, if WAN is vtnet0.
The router is now accessible in browser. Log in with user name admin and password pfsense.
Follow the installation guide.
On step 4, un-check the option Block bogon networks.
Go to Interfaces -> Assignments and add the interface vtnet1. Now, go to Interfaces -> LAN and configure it.
Set the IPv4 Configuration Type to DHCP and check Enable interface.
Before applying the changes, go to System -> Routing -> Static Routes and create a new route:
Destination network: 10.0.0.0/16
Gateway: 10.0.0.1
Description: Make private network reachable for pfSenseApply the changes and go back to Interfaces -> LAN and also apply the changes.
Go to System -> Advanced -> Networking and enable Disable hardware checksum offload under Network Interfaces and click Save.
Then, go to Firewall -> NAT -> Outbound and set the Outbound NAT Mode to Hybrid Outbound NAT rule generation.
Create the following mapping rule:
Interface: WAN
Address Family: IPv4+IPv6
Protocol: any
Source: 10.0.0.0/16
Destination: any
Translation -> Address: Interface AddressSave and do not apply the changes!
Go to Firewall -> Rules -> LAN and edit the rule with description Default allow LAN to any rule.
Change the source from LAN net to any. Save and apply the changes.
Go to Firewall -> Rules -> WAN and create a new rule.
Action: Block
Interface: WAN
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: any
Destination: this firewall (self)
Destination Port Range: From "HTTP (80)" to "HTTPS (443)"Click Save and apply the changes. Now go back to Firewall -> NAT -> Outbound and apply the changes. It may happen that the browser is caching the session. In this case, close the browser and re-open it. The pfSense UI should not be reachable with the public IP address anymore.
Step 3 – Set up the client server
On the client check if the private networking interface is attached. It can be done with the following command:
ip lIt should show an output like this:
root@private-client:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ffThe private network interface has the mtu 1450. In this case, it is ens10.
Edit the file /etc/network/interfaces.
Disabling the public interface
This is an optional step!
If the server should not be reachable with public ip address, the line source /etc/network/interfaces.d/*.cfg have to be commented out.
Otherwise cloud-init which configures the eth0 interface automatically, saves the network configuration for the public interface in this directory.
After the line is comment out, it should look like this:
#source /etc/network/interfaces.d/*.cfgConfigure route for private networking
Add the following configuration to /etc/network/interfaces:
auto ens10
iface ens10 inet dhcp
post-up ip route add default via 10.0.0.1Private networking by Hetzner Cloud is working on Layer 3 so a default route to the network gateway is needed.
Add the DNS servers by adding the line dns-nameservers 213.133.100.100 213.133.99.99 213.133.98.98 to /etc/network/interfaces under the post-up line.
If DNS is still not working systemd-resolved ignores this parameter.
In this case, DNS needs to be configured in file /etc/systemd/resolved.conf. There should be a line like #DNS under the line [Resolve]. Un-comment the DNS line by removing the # and type in some DNS servers or use the DNS servers by Hetzner:
DNS=213.133.100.100 213.133.99.99 213.133.98.98Save the file and restart the server.
If the public interface is disabled, there is no possibility to access the server with it’s external ip anymore.
Login via SSH over the router server or use the HTML5 console.
Try to ping a domain (e.g. fsn.icmp.hetzner.com) and if that works, check the tracepath with mtr if it’s route the traffic over the pfSense server.
The MTR should looks like this (mtr to fsn.icmp.hetzner.com on private-client):
HOST: private-client Loss% Snt Last Avg Best Wrst StDev
1.|-- _gateway 0.0% 1 4.0 4.0 4.0 4.0 0.0
2.|-- 10.0.0.2 0.0% 1 1.0 1.0 1.0 1.0 0.0
3.|-- 172.31.1.1 0.0% 1 1.3 1.3 1.3 1.3 0.0
4.|-- x.your-cloud.host 0.0% 1 0.2 0.2 0.2 0.2 0.0
5.|-- static.1.97.69.159.client 0.0% 1 18.9 18.9 18.9 18.9 0.0
6.|-- static.213-239-231-65.cli 0.0% 1 0.9 0.9 0.9 0.9 0.0
7.|-- core21.fsn1.hetzner.com 0.0% 1 0.6 0.6 0.6 0.6 0.0
8.|-- ex9k2.dc1.fsn1.hetzner.co 0.0% 1 0.4 0.4 0.4 0.4 0.0
9.|-- fsn.icmp.hetzner.com 0.0% 1 0.5 0.5 0.5 0.5 0.0Conclusion
This article shows the necessary steps for setting up a pfSense server to route the traffic from other servers over pfSense.
Leave a Reply