CI Name | Actions Workflow | CI Status |
---|---|---|
BicepBuild | bicepBuild.yml | |
Deployment Checker - Active Active | deploymentChecker-active-active.yml | |
Deployment Checker - two nics | deploymentChecker-two-nics.yml | |
Deployment Checker - new vnet Active Active | deploymentChecker-newvnet-active-active.yml | |
Deployment Checker - new vnet two nics | deploymentChecker-newvnet-two-nics.yml | |
The template allows you to deploy an OPNsense firewall VM using the opnsense-bootstrap installation method. It creates a FreeBSD VM and performs a silent install of OPNsense using a modified version of opnsense-bootstrap.sh with the settings provided.
OPNsense is based on FreeBSD, and the FreeBSD Foundation is the official OS image publisher in Azure. This template deploys a FreeBSD 14.1 VM and installs OPNsense using the opnsense-bootstrap installation method. For the first deployment in an Azure subscription, you must accept the legal terms of the offer with PublisherId: 'thefreebsdfoundation', OfferId: 'freebsd-14_1'.
You can accept it using either Azure CLI or Azure PowerShell as follows:

```bash
az vm image terms accept --urn thefreebsdfoundation:freebsd-14_1:14_1-release-amd64-gen2-zfs:14.1.0 -o none
```

```powershell
Get-AzMarketplaceTerms -Publisher 'thefreebsdfoundation' -Product 'freebsd-14_1' -Name '14_1-release-amd64-gen2-zfs' -OfferType 'latest' | Set-AzMarketplaceTerms -Accept
```
The login credentials are set during the installation process to:
Please change the default password! (When using the Active-Active scenario, the password must be changed on both firewalls and under the High Availability settings.)
After deployment, browse to https://PublicIP and enter the user name and password to configure the OPNsense firewall. In the Active-Active scenario the URL is https://PublicIP:50443 for the primary server and https://PublicIP:50444 for the secondary server.
This OPNsense solution is installed on FreeBSD 12.0 (Azure image). Here is what you will see when you deploy this template:
There are two deployment scenarios:

Active-Active:

1. VNET with two subnets and OPNsense VMs with two NICs.
2. VNET address space is 10.0.0.0/16 (suggested address space; you may change it).
3. External NIC named Untrusted, linked to Untrusted-Subnet (10.0.0.0/24).
4. Internal NIC named Trusted, linked to Trusted-Subnet (10.0.1.0/24).
5. It creates an NSG named OPN-NSG which allows incoming SSH and HTTPS. The same NSG is associated with both subnets.
6. An internal and an external load balancer will be created.
7. Two OPNsense firewalls will be created.
8. OPNsense will be configured to allow the load balancer probe connection.
9. OPNsense HA settings will be configured to sync rule changes between both firewalls.
10. Option to deploy a Windows management VM (this option requires a management subnet to be created).

TwoNics:

1. VNET with two subnets and an OPNsense VM with two NICs.
2. VNET address space is 10.0.0.0/16 (suggested address space; you may change it).
3. External NIC named Untrusted, linked to Untrusted-Subnet (10.0.0.0/24).
4. Internal NIC named Trusted, linked to Trusted-Subnet (10.0.1.0/24).
5. It creates an NSG named OPN-NSG which allows incoming SSH and HTTPS. The same NSG is associated with both subnets.
6. Option to deploy a Windows management VM (this option requires a management subnet to be created).
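Both scenarios attach OPN-NSG, which admits SSH and HTTPS, to the Untrusted and Trusted subnets. The following is an added example, not the template's own Bicep, of an equivalent NSG whose SSH and HTTPS rules are limited to an administrator source range instead of any source; the parameter names and the example CIDR are assumptions.

```bicep
// Added example (not part of the opnazure template): an NSG with the same
// purpose as OPN-NSG, but management ports reachable only from an admin range.
param location string = resourceGroup().location
param nsgName string = 'OPN-NSG'
// Assumed placeholder: the CIDR your administrators connect from. Replace it
// before deploying; leaving '*' here exposes SSH and the web UI to the internet.
param adminSourcePrefix string = '203.0.113.0/24'

resource opnNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        // SSH to the firewall VMs only from the admin range
        name: 'Allow-SSH-From-Admin'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourcePrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '22'
        }
      }
      {
        // OPNsense web UI only from the admin range; adjust the port if your
        // deployment exposes the UI on a port other than 443
        name: 'Allow-HTTPS-From-Admin'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourcePrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}
```

Azure's built-in AllowAzureLoadBalancerInBound default rule still admits the health probes the Active-Active load balancers depend on, so no extra probe rule is needed.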
[Diagrams: Design of two NIC deployment; Design of Active-Active deployment]
Here are a few considerations for deploying this solution correctly:
Note: The whole process takes about 10 minutes: the VM is created, then a CustomScript extension starts and installs OPNsense.
Please use Github issues tab to provide feedback.
Thanks for direct feedback and contributions from: Adam Torkar, Brian Wurzbacher, Victor Santana and Brady Sondreal, and many others shown as contributors on this repository.