Azure – User Defined Routing for one subnet with PFsense

My goal: Setup a pfsense in azure so I can route all my traffic through that. I didn’t want two subnets for this since I already had my VMs deployed. I also wanted to get over the “only 1 ikev1 tunnel” in Azure. I was setting up site to site VPNs with Meraki MX64s which only support IKEv1. I needed multiple tunnels, hence the pfsense. I initially had a UTM at acolocation but the IPSEC tunnels became unstable so I decided to converge verything to Azure, properly.

I’m a big proponent of powershell, and at the moment that’s the only way to do azure user defined routing here.
The steps:

Install-Module AzureRM
#installs the azure module for powershell (run as admin)

#brings up the azure login page to authenticate the powershell session

Get-AzureRmSubscription | Select-AzureRmSubscription
#gets your subscription and sets it as active

$routes = @()
#creates an empty collection to hold multiple routes

$route = New-AzureRmRouteConfig -Name RouteToINF -AddressPrefix "" `
-NextHopType VirtualAppliance -NextHopIpAddress
$routes += $route
$route2 = New-AzureRmRouteConfig -Name RouteToINF2 -AddressPrefix "" `
-NextHopType VirtualAppliance -NextHopIpAddress
$routes += $route2

#create route table
#replace INF with your resourcegroup name
#replace central us with your location
#the name can be anything
#make sure to get the proper VNET name
#make sure to get the proper SUBNET of the VNET name, the default is called "default"
#then put your subnet on the last line
$routeTable = New-AzureRmRouteTable -ResourceGroupName INF -Location centralus -Name InfRouteTable -Route $routes
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName INF -Name INFNET
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name INFCLOUD -AddressPrefix -RouteTable $routeTable
#sets route table
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#I created two route objects here, named them uniquely, set my destination subnet, and my nexthop, then I added each object to the collection. The networks I wanted to reach over the Pfsense in azure were and, the pfsense VM in my azure network is

Things to note: You need to make sure you enable IP forwarding within each network interface of your Pfsense, one nic needs to have a public IP.Make sure both the public and private IPs are static or else a reboot can cause some serious troubleshooting issues.
You should make sure you have NAT traversal on for your pfsense and other side of the IPSEC tunnels. This scales very well and can really help get over the limitation of 1 IKEv1 tunnel in Azure. I now have about 20 IPSEC tunnels running over a PFsense in azure.

Leave a comment