pfsense:install_pfsense:pfsense_configuration

Differences

This shows you the differences between two versions of the page.

pfsense:install_pfsense:pfsense_configuration [2021/01/05 13:20] – [DNS Server Settings] peterpfsense:install_pfsense:pfsense_configuration [2023/04/22 08:31] (current) peter
Line 7: Line 7:
 In **DNS Server Settings**: In **DNS Server Settings**:
  
-  * DNS servers:  **Any DNS Servers you want to use**.  The Servers here are **not** going to be used, as long as Unbound is not working in Forwarding Mode, so just leave it as default, since we are using the **Resolver** Option for Unbound.   +  * DNS servers:  **Any DNS Servers you want to use**.  The Servers here are **not** going to be used, as long as Unbound is not working in Forwarding Mode, so just leave it as default, since we will be using the **Resolver** Option for Unbound.   
-    * Use Gateway:  **none**.  Only needed on Multi-WAN networks.  As Unbound will be doing the Resolving, these  configuration they are not used anyway.+    * Use Gateway:  **none**.  Only needed on Multi-WAN networks.  As Unbound will be doing the Resolving, these  configuration are not used anyway.
   * DNS Server Override:  **Not Checked**.  To prevent any DNS configuration setup on the system being overridden by the ISP or other applications.   * DNS Server Override:  **Not Checked**.  To prevent any DNS configuration setup on the system being overridden by the ISP or other applications.
-  * Disable DNS Forwarder:  **Not Checked**.  To have pfSense use it'local cache for lookups+  * Disable DNS Forwarder:  **Not Checked**.  To have pfSense use its local cache for lookups.
-  * Click **Save**.+
  
 <WRAP info> <WRAP info>
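
Review bot: The rewritten "Use Gateway" line is still ungrammatical: "these  configuration are not used anyway" pairs a plural determiner with a singular noun and keeps the double space. Suggest "these settings are not used anyway". The "DNS servers" line would also read more clearly as two sentences, one stating that the listed servers are ignored unless Unbound runs in Forwarding Mode, and one telling the reader to leave the default.
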
Line 21: Line 20:
  
 {{:pfsense:install_pfsense:pfsense_-_system_-_general_setup_-_dns_server_settings.png?800|}} {{:pfsense:install_pfsense:pfsense_-_system_-_general_setup_-_dns_server_settings.png?800|}}
 +
 +  * Click **Save**.
  
 ---- ----
Line 31: Line 32:
  
   * Dashboard Columns:  **3**.   * Dashboard Columns:  **3**.
-  * Click **Save**. 
  
 <WRAP info> <WRAP info>
 **NOTE:**  The number of Dashboard Columns is personal preference.  Change as needed. **NOTE:**  The number of Dashboard Columns is personal preference.  Change as needed.
 </WRAP> </WRAP>
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_general_setup_-_webconfigurator.png?800|}}
 +
 +  * Click **Save**.
  
 ---- ----
Line 49: Line 53:
   * Allow Agent Forwarding:  **Not Checked**.   * Allow Agent Forwarding:  **Not Checked**.
   * SSH Port:  **22**.   * SSH Port:  **22**.
-  * Click **Save**. 
  
 {{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_admin_access_-_secure_shell.png?800|}} {{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_admin_access_-_secure_shell.png?800|}}
 +
 +  * Click **Save**.
  
 <WRAP info> <WRAP info>
Line 61: Line 66:
  
 </WRAP> </WRAP>
 +
 +
  
 ---- ----
Line 73: Line 80:
   * Firewall Maximum States:  **<leave at default>**.  Default.   * Firewall Maximum States:  **<leave at default>**.  Default.
   * Firewall maximum table entries:  **1000000**. Possibly increased from default setting.   * Firewall maximum table entries:  **1000000**. Possibly increased from default setting.
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_firewall_nat_-_firewall_advanced.png?800|}}
  
 In **Bogon Networks**: In **Bogon Networks**:
  
   * Update Frequency:  **Monthly**.   * Update Frequency:  **Monthly**.
-  * Click **Save**. 
  
 <WRAP info> <WRAP info>
Line 89: Line 97:
  
 </WRAP> </WRAP>
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_firewall_nat_-_bogon_networks.png?800|}}
 +
 +
 +  * Click **Save**.
 +
  
  
Line 105: Line 119:
 </WRAP> </WRAP>
  
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_networking_-_ipv6_options.png?800|}}
  
 In **Network Interfaces**: In **Network Interfaces**:
Line 113: Line 128:
   * Suppress ARP handling:  **Not Checked**.   * Suppress ARP handling:  **Not Checked**.
   * Reset All States:  **Not Checked**.   * Reset All States:  **Not Checked**.
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_networking_-_network_interfaces.png?800|}}
  
   * Click **Save**.   * Click **Save**.
Line 128: Line 145:
   * Battery Power:  **Hiadaptive**.   * Battery Power:  **Hiadaptive**.
   * Unknown Power:  **Hiadaptive**.   * Unknown Power:  **Hiadaptive**.
 +
 +{{:pfsense:install_pfsense:pfsense_-_my_configuration_-_system_-_advanced_-_miscellaneous_-_power_savings.png?600|}}
  
 In **Cryptographic & Thermal Hardware**: In **Cryptographic & Thermal Hardware**:
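
Review bot: The added Power Savings screenshot is the only image in this revision sized `?600` and the only one whose file name contains `my_configuration`; the other added screenshots use `?800` and the `pfsense_-_system_-_...` naming. Suggest confirming that the media file exists under that name and using the same width as the rest, or stating why this one differs.
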
Line 137: Line 156:
 **NOTE:**  The **Cryptographic Hardware** is assuming an AES-NI enabled Processor. **NOTE:**  The **Cryptographic Hardware** is assuming an AES-NI enabled Processor.
 </WRAP> </WRAP>
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_miscellaneous_-_cryptographic_thermal_hardware.png?800|}}
  
 In **Gateway monitoring**: In **Gateway monitoring**:
  
   * State Killing on Gateway Failure:  **Not Checked**.   * State Killing on Gateway Failure:  **Not Checked**.
-  * Skip rules when gateway is down:  **Checked**.+  * Skip rules when gateway is down:  **Not Checked**.   
 + 
 +<WRAP alert> 
 +**ALERT:**  Take special note of the **Skip rules when gateway is down** option. 
 + 
 +One might think that with the check mark unchecked, means that it skips rules when the gateway is down.  But no, it means just the opposite! 
 + 
 +  * By default, when a rule has a specific gateway set, and this gateway is down, a rule is created and traffic is sent to default gateway. 
 +  * This option overrides that behavior and the rule is not created when gateway is down. 
 + 
 +The end result is that if the rules are routing your private traffic over a VPN, but then the VPN goes down for some reason, the system silently routes your traffic to the default network. 
 + 
 +  * Not even the firewall logs provide an alert. 
 +  * They even show the defined gateway rules still executing properly! 
 + 
 +If there is a need to still allow a computer to access the internet anytime (even when VPN is down) then a rule will be needed in **Firewall -> Rules -> LAN** to allow the internal IP address there. 
 + 
 +  * If this access if only needed when the VPN is down, then put it in the LAN firewall rules list after the normal policy-routing rule for VPN traffic. 
 +  * That way it only comes into play when the VPN is down. 
 + 
 +</WRAP> 
  
 <WRAP info> <WRAP info>
 **NOTE:**  These are important settings to reduce the chance of leaks in the event the VPN goes down for any reason. **NOTE:**  These are important settings to reduce the chance of leaks in the event the VPN goes down for any reason.
 </WRAP> </WRAP>
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_miscellaneous_-_gateway_monitoring.png?800|}}
 +
  
   * Click **Save**.   * Click **Save**.
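
Review bot: The new value "Skip rules when gateway is down: **Not Checked**" contradicts the ALERT added directly below it and the unchanged NOTE that follows. The ALERT states that by default a rule whose gateway is down has its traffic sent to the default gateway, and that the option "overrides that behavior and the rule is not created when gateway is down"; by that description, leaving the box unchecked is the state in which VPN traffic is silently routed to the default network, which is the leak the NOTE says these settings are meant to reduce. Either revert the value to **Checked** or change the ALERT and NOTE to explain why the unchecked state is wanted. The sentence "One might think that with the check mark unchecked, means that it skips rules when the gateway is down" is also hard to parse and should state plainly which state skips the rule, and "If this access if only needed" should read "If this access is only needed". Since the ALERT says the firewall logs give no indication of the fallback, a line telling the reader how to verify the behaviour after saving would help.
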
pfsense/install_pfsense/pfsense_configuration.1609852836.txt.gz · Last modified: 2021/01/05 13:20 by peter
