Sunday, November 12, 2017

Using t1n1wall, OPNsense or pfSense on Google Compute Engine (GCE)

I have been doing some work in GCP recently, both App Engine and GCE. We wanted all of our instances on private IPs, with only the load balancers holding public IPs.

That leaves the problem of how to let those instances reach the internet for OS updates or for API calls to outside services.

In AWS you would use a NAT gateway, but GCP has no equivalent managed service (as of this writing), so I set about finding the easiest way to NAT a private subnet out through a public address. I am very familiar with m0n0wall and t1n1wall, a little with pfSense, and less so with OPNsense.

The tl;dr: each of these distributions ships a download that contains a raw disk image inside it. Extracting that inner image, renaming it to disk.raw and re-compressing it as a tar.gz is all it takes to get it running in GCE. You can then configure it over the serial port using these instructions.

There are guides around that go through an intermediate Linux VM to build the image, but that step can be skipped entirely.

I took the latest t1n1wall, 2.11, downloaded the plain amd64 serial image, and:

1) decompressed it
2) renamed image.bin to disk.raw
3) re-compressed it as a tar.gz (see here)
4) copied it to a Google Cloud Storage bucket
5) in GCE -> Images, created a new image from that file in the bucket
6) created an instance from the new image, configured its networks, booted it and configured it via the serial port

pfSense is a bit more involved: the image you boot is an installer that expects to install onto a disk. When creating the instance, add a second disk, install onto that disk, and then make an image from it.

For OPNsense, use the nano image, which is a live image rather than an installer.
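The six steps above, and the pfSense second-disk variant, scripted with gcloud and gsutil. This is an added example, not part of the original post or of any of the firewall projects; the bucket, zone, network, image and instance names are placeholders, and the NAT route for instances tagged "no-ip" is the standard GCE instance-based NAT pattern, which the post does not spell out. The tar flags are the ones Google's raw-image import documentation gives.

```shell
#!/bin/sh
# Added example (not from the original post): package a firewall distribution's
# internal raw disk image for GCE, upload it, and boot it as a NAT gateway.
# Bucket, project, zone, network and image names are placeholders.
set -eu

# Steps 1-3: take the distribution's inner image (image.bin for t1n1wall),
# rename it to disk.raw and wrap it in a tar.gz. GCE only accepts a tarball
# whose single top-level member is named disk.raw; oldgnu format, sparse (-S)
# and gzip are what Google's import docs ask for.
# Usage: package_gce_image path/to/image.bin out.tar.gz
package_gce_image() {
    src="$1"
    out="$2"
    work=$(mktemp -d)
    cp "$src" "$work/disk.raw"
    tar --format=oldgnu -Sczf "$out" -C "$work" disk.raw
    rm -rf "$work"
}

# Sanity check before uploading: the archive must list exactly one entry,
# disk.raw. Returns non-zero if anything else is in there.
check_gce_image() {
    members=$(tar -tzf "$1")
    [ "$members" = "disk.raw" ]
}

# Steps 4-6: upload the tarball, register it as an image, boot an instance
# from it with IP forwarding and the interactive serial console enabled, and
# route tagged private instances through it.
# --can-ip-forward is mandatory for a NAT box: without it GCE drops packets
# the VM forwards on behalf of other instances.
# Usage: deploy_nat_gateway out.tar.gz gs://my-bucket t1n1wall-2-11 nat-gw
deploy_nat_gateway() {
    tarball="$1"; bucket="$2"; image="$3"; instance="$4"
    zone="${ZONE:-us-central1-a}"        # placeholder zone
    network="${NETWORK:-default}"        # placeholder VPC network

    gsutil cp "$tarball" "$bucket/$image.tar.gz"
    gcloud compute images create "$image" --source-uri "$bucket/$image.tar.gz"
    gcloud compute instances create "$instance" \
        --zone "$zone" --network "$network" --image "$image" \
        --can-ip-forward \
        --metadata serial-port-enable=TRUE

    # Default-route traffic from instances tagged "no-ip" goes via the gateway.
    # Lower priority value wins: 800 beats the default internet route (1000)
    # for tagged instances, and untagged instances never match this route.
    gcloud compute routes create "$instance-nat-route" \
        --network "$network" --destination-range 0.0.0.0/0 \
        --next-hop-instance "$instance" --next-hop-instance-zone "$zone" \
        --tags no-ip --priority 800

    # Configure the firewall over the serial console rather than its web UI.
    gcloud compute connect-to-serial-port "$instance" --zone "$zone"
}

# pfSense variant: the packaged image is an installer, so boot it with a blank
# second disk, install onto that disk from the serial console, then turn the
# installed disk into the reusable image.
# Usage: start_pfsense_install pfsense-installer   (then install over serial)
#        image_pfsense_disk   pfsense-installed    (after the install finishes)
start_pfsense_install() {
    zone="${ZONE:-us-central1-a}"
    gcloud compute instances create pfsense-install \
        --zone "$zone" --image "$1" \
        --create-disk name=pfsense-root,size=10GB \
        --metadata serial-port-enable=TRUE
}
image_pfsense_disk() {
    zone="${ZONE:-us-central1-a}"
    gcloud compute images create "$1" \
        --source-disk pfsense-root --source-disk-zone "$zone"
}
```

Two things worth checking once the instance is up: the firewall distribution's own admin interface (web UI and SSH) now sits behind the instance's public address, so add a GCE firewall rule that denies it from 0.0.0.0/0 and manage the box over the serial console or from the private network; and the private instances still need a GCE firewall rule allowing their subnet to reach the gateway instance, since the route alone does not open anything.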

Voila! I prefer t1n1wall for this because it is so simple and runs well on the cheaper machine types.
