Setup Guides: Additional Azure setup guide for two nic scenarios #767
Open
Khabera wants to merge 3 commits into opnsense:master from Khabera:azuresetup
+116 −0
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
================================================================== | ||
OPNsense Azure Virtual Appliance Setup - 2 Network Interface Cards | ||
================================================================== | ||
After deploying the OPNsense Azure market image, the Virtual Machine will have a single | ||
network interface card which OPNsense configures as a LAN interface. To | ||
support use cases that involve routing outbound traffic through the firewall, you will need | ||
to add a second network interface card to the VM to serve as a WAN interface. This guide will | ||
demonstrate one way to accomplish this. | ||
|
||
Suggested reading on the Azure Platform includes but is not limited to: | ||
`Routing traffic to an NVA <https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table?tabs=portal>`_ | ||
, `User Defined Routing <https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview>`_ | ||
, `Troubleshooting NVAs <https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-nva?tabs=portal>`_ | ||
, `Deploying highly available NVAs <https://learn.microsoft.com/en-us/azure/architecture/networking/guide/network-virtual-appliance-high-availability>`_ | ||
|
||
.. Tip:: | ||
|
||
Azure Bastion can provide RDP to a VM or SSH access through Azure network routes, | ||
which can be helpful while making changes that can affect external connectivity. | ||
|
||
------------------------------------- | ||
Azure Setup : Network Interface Cards | ||
------------------------------------- | ||
Create and attach a second network interface card to the virtual machine (requires VM shutdown.) | ||
Set the networkinterface card to separate, dedicated WAN subnet in your Azure Virtual Network. | ||
|
||
.. image:: images/azure_deploy2nics_nicattach.png | ||
:width: 100% | ||
|
||
Importantly, turn on IP Forwarding for both network interface cards. This setting, which | ||
is off by default, allows the VM to accept and send traffic for destinations other than itself. | ||
|
||
.. image:: images/azure_deploy2nics_ipforwarding.png | ||
:width: 100% | ||
|
||
Boot the firewall VM again after completing these steps. | ||
|
||
.. Tip:: | ||
|
||
Now is a good time to also set the IP configurations on both network interface cards to | ||
static as they default to dynamic. | ||
|
||
---------------------------------------- | ||
OPNsense Setup : Interface Configuration | ||
---------------------------------------- | ||
Next, update the OPNsense configuration to set the newly added network | ||
interface card as the WAN interface. | ||
|
||
Navigate to :menuselection:`Interfaces--> Assignments` to set the newly available device | ||
as the WAN interface. After adding, enable the new interface and set the IPv4 configuration | ||
to DHCP. Once you have this interface configured, set up an appropriate firewall | ||
rule to provide access inbound to management ports if accessing externally. | ||
|
||
.. Warning:: | ||
|
||
Be aware of the risk of exposing management ports externally. Narrow allowance scope if possible. | ||
|
||
-------------------------------------- | ||
OPNsense Setup : Gateway Configuration | ||
-------------------------------------- | ||
|
||
.. Danger:: | ||
|
||
The following change will break public routing to LAN interface. If you are managing the | ||
firewall externally, ensure you have the inbound rule set up to provide access to your IP | ||
from the WAN interface. | ||
|
||
Then from :menuselection:`System--> Gateways --> Configuration` define an outbound route | ||
through WAN interface. This will need to be set to the Azure subnet gateway, which exists at | ||
the first IP of the subnet (e.g. 172.16.0.1 for 172.16.0.0/24) After this is completed, set | ||
the priority of this gateway lower than the existing LAN gateway as this will be the desired | ||
default outbound route. At this point if connecting externally, routing asymmetry will break | ||
any external connectivity to the LAN interface. | ||
|
||
---------------------- | ||
Azure Setup: Public IP | ||
---------------------- | ||
You will need to assign a public IP to the network interface card for your WAN interface. Disassociating | ||
the public IP from the LAN NIC and associating to the WAN NIC is convenient because the public IP | ||
will no longer be useful on the LAN NIC and it can otherwise be removed. | ||
|
||
------------------------------------ | ||
Azure Setup: Network Security Groups | ||
------------------------------------ | ||
|
||
It is also necessary that the WAN NIC has a Network Security Group attached to it. This is necessary to | ||
satisfy the requirements of the Standard SKU Public IP, which will otherwise deny traffic without an NSG | ||
attached. Since the OPNsense is a network firewall, setting an Any-to-Any rule for both Inbound and Outbound | ||
rules to bypass the NSG is typical. | ||
|
||
.. image:: images/azure_deploy2nics_nsgrules.png | ||
:width: 100% | ||
|
||
Furthermore, the NSG attached to the LAN NIC can be detached to avoid complications. | ||
|
||
After doing this, you should be able to reconnect to the OPNsense for external management. | ||
|
||
----------------------------- | ||
OPNsense Setup : Outbound NAT | ||
----------------------------- | ||
You will need to configure outbound NAT manually for the WAN interface. See the OPNsense NAT | ||
assigning the gateway to wan should have the same effect, both are options. I'm just not 100% sure what our default configuration is for the configured lan interface as this should not have the gateway selected on the interface. |
||
documentation section if necessary. | ||
|
||
------------------------- | ||
Azure Setup : Route Table | ||
------------------------- | ||
The components are in place to enable routing subnet traffic through the OPNsense firewall. Deploy a | ||
new route table in Azure. For the route table, define a route for 0.0.0.0/0 with the next hop as the | ||
internal ip the OPNsense LAN interface. Associate this route table with your LAN subnet. Confirm you | ||
have outbound connectivity through the firewall. | ||
|
||
.. image:: images/azure_deploy2nics_routetable.png | ||
:width: 100% | ||
|
||
The environment will now be configured for the internal LAN subnet to utilize the OPNsense firewall | ||
as a gateway. |
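Review bot: In the Network Security Groups section, the Any-to-Any Inbound rule on the WAN NIC means the firewall rule from the Interface Configuration section is the only thing limiting access to the management ports once the public IP moves to the WAN NIC; cross-reference that Warning here and suggest restricting the OPNsense inbound rule to the administrator's source address, as the Danger box in Gateway Configuration already implies. In the same Gateway Configuration paragraph, "set the priority of this gateway lower than the existing LAN gateway" is ambiguous about whether a smaller or larger number is meant; state the numeric relationship explicitly, since the intent is for the WAN gateway to become the default outbound route. The Outbound NAT section reads as truncated ("See the OPNsense NAT ... documentation section if necessary"); linking the NAT documentation page directly would help. Minor wording: "networkinterface card" needs a space, "the internal ip the OPNsense LAN interface" is missing "of", and the heading spacing is inconsistent ("Azure Setup : Network Interface Cards" vs "Azure Setup: Public IP").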
didn't the wan interface receive a valid gateway via dhcp already? if that's the case, you probably just want to disable the one on lan and check gateway choices at both interfaces.
Azure doesn't appear to offer a gateway in the DHCP response to a "secondary" network interface card, nor offer a way to. It is possible to swap which network card is marked primary using the Azure command line, but in testing this out I find that Azure then initiates the new primary NIC to the OS with the same "hn0" interface name that the LAN interface previously had, and it subsequently comes in under the LAN configuration in OPNsense. Given this, it might make sense to reconfigure the initial interface via the console as the "WAN" interface. Thinking it over now I do think that would be cleaner, although I would note I would expect many people to need to resort to manual Gateway configuration anyways to route specifically through the "LAN" interface for traffic to additional subnets or peered virtual networks internally in Azure. Appreciate your thoughts.