PFSense - Install pfSense - Reboot and Verify

Restart the pfSense device and connect your modem to your WAN port if you haven’t already.

The system should boot and allow you to log back into the dashboard. If everything is correct, the WAN interfaces will have IP addresses allocated to them.

Also connect a managed switch so that the various subnets (VLANs) work correctly.

NOTE: Check that everything is okay.

Navigate to Status → System Logs if needed.


Verify DHCP

Connect to each subnet in turn and verify a client receives an appropriate address from the associated DHCP pool.

Here's the connection state when connected to the CLEAR network, where a 192.168.50.100 address has been assigned.

ifconfig en0
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether xx:xx:xx:xx:xx:xx
    inet6 fe80::bae8:56ff:fe30:905e%en0 prefixlen 64 scopeid 0x4
    inet 192.168.50.100 netmask 0xffffff00 broadcast 192.168.50.255
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active

Verify DNS

We have three methods of DNS resolution to verify across the four subnets:

  • LAN: Uses Resolver for local and non-local lookups. Requests to external DNS servers are redirected back to pfSense.
  • CLEAR: Uses public DNS resolvers.
  • IOT: Uses Resolver for local and non-local lookups. Requests to external DNS servers are redirected back to pfSense.
  • GUEST: Uses Resolver or public DNS resolvers.

LAN

Verify DNS Resolver resolution

dig pfsense.org
 
; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		261	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 27 14:26:22 PDT 2020
;; MSG SIZE  rcvd: 56

Verify non-local DNS Resolver resolution.

Force the DNS query to use Google's DNS server (8.8.8.8).

This should be redirected back to the pfSense DNS resolver for lookup.

dig @8.8.8.8 pfsense.org
 
; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		232	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56

NOTE: The low query response time of 2 msec suggests that the query was processed internally; i.e. that the redirect has worked.


Verify DNS Resolver’s local name resolution

Use nslookup to look up the pfSense gateway by its hostname and verify the address is returned correctly.

nslookup pfsense.localdomain

returns:

Server:		127.0.0.53
Address:	127.0.0.53#53
 
Non-authoritative answer:
Name:	pfsense.localdomain
Address: 192.168.1.1

Resolve the pfSense hostname:

dig pfsense.localdomain
 
; <<>> DiG 9.16.1-Ubuntu <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pfsense.localdomain.		IN	A
 
;; ANSWER SECTION:
pfsense.localdomain.	3600	IN	A	192.168.1.1
 
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Jan 05 18:45:48 GMT 2021
;; MSG SIZE  rcvd: 64

Verify DNS Resolver reverse resolution

Verify you can resolve a hostname from an IP address.

dig +noall +answer -x 192.168.1.1
1.1.168.192.in-addr.arpa. 3600	IN	PTR	pfSense.localdomain.

Verify DNS Resolver ‘.localdomain’ domain resolution

My DNS Resolver is defined as authoritative for my .localdomain domain.

If I try to look up a name which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.

dig nothere.localdomain
 
; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;nothere.localdomain.    IN  A
 
;; AUTHORITY SECTION:
localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
 
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84

CLEAR

Verify DNS Resolver resolution

dig pfsense.org
 
; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		87	IN	A	208.123.73.69
 
;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 27 15:01:40 PDT 2020
;; MSG SIZE  rcvd: 56

NOTE: The Query time of 17 msec provides a quick and basic indication that this was not processed internally; i.e. it was processed by an external DNS server.


Verify non-local DNS Resolver resolution.

Force the DNS query to use Google's DNS server (8.8.8.8).

This should be redirected back to the pfSense DNS resolver for lookup.

dig @8.8.8.8 pfsense.org
 
; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		232	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56

Verify DNS Resolver’s local name resolution

Look up the pfSense gateway by its hostname (with dig or nslookup) and verify the address is returned correctly.

dig pfsense.localdomain
 
; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.		IN	A
 
;; ANSWER SECTION:
pfsense.localdomain.	3600	IN	A	192.168.1.1
 
;; Query time: 2 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62

Verify DNS Resolver reverse resolution

Verify you can resolve a hostname from an IP address.

dig +noall +answer -x 192.168.1.1
1.1.168.192.in-addr.arpa. 3240	IN	PTR	pfSense.localdomain.

Verify DNS Resolver ‘.localdomain’ domain resolution

My DNS Resolver is defined as authoritative for my .localdomain domain.

If I try to look up a name which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.

dig nothere.localdomain
 
; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;nothere.localdomain.     IN  A
 
;; AUTHORITY SECTION:
localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
 
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84

IOT

Verify DNS Resolver resolution

dig pfsense.org
 
; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		261	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Fri Mar 27 14:26:22 PDT 2020
;; MSG SIZE  rcvd: 56

Verify non-local DNS Resolver resolution.

Force the DNS query to use Google's DNS server (8.8.8.8).

This should be redirected back to the pfSense DNS resolver for lookup.

dig @8.8.8.8 pfsense.org
 
; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		232	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56

NOTE: The low query response time of 2 msec suggests that the query was processed internally; i.e. that the redirect has worked.


Verify DNS Resolver’s local name resolution

Look up the pfSense gateway by its hostname (with dig or nslookup) and verify the address is returned correctly.

dig pfsense.localdomain
 
; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.		IN	A
 
;; ANSWER SECTION:
pfsense.localdomain.	3600	IN	A	192.168.1.1
 
;; Query time: 2 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62

Verify DNS Resolver reverse resolution

Verify you can resolve a hostname from an IP address.

dig +noall +answer -x 192.168.1.1
1.1.168.192.in-addr.arpa. 3098	IN	PTR	pfSense.localdomain.

Verify DNS Resolver ‘.localdomain’ domain resolution

My DNS Resolver is defined as authoritative for my .localdomain domain.

If I try to look up a name which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.

dig nothere.localdomain
 
; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;nothere.localdomain.     IN  A
 
;; AUTHORITY SECTION:
localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
 
;; Query time: 4 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84

GUEST

Verify DNS Resolver resolution

dig pfsense.org
 
; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		87	IN	A	208.123.73.69
 
;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 27 15:01:40 PDT 2020
;; MSG SIZE  rcvd: 56

NOTE: The Query time of 17 msec provides a quick and basic indication that this was not processed internally; i.e. it was processed by an external DNS server.


Verify non-local DNS Resolver resolution.

Force the DNS query to use Google's DNS server (8.8.8.8).

This should be redirected back to the pfSense DNS resolver for lookup.

dig @8.8.8.8 pfsense.org
 
; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.			IN	A
 
;; ANSWER SECTION:
pfsense.org.		232	IN	A	208.123.73.69
 
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56

Verify DNS Resolver’s local name resolution

Look up the pfSense gateway by its hostname (with dig or nslookup) and verify the address is returned correctly.

dig pfsense.localdomain
 
; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.		IN	A
 
;; ANSWER SECTION:
pfsense.localdomain.	3600	IN	A	192.168.1.1
 
;; Query time: 2 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62

Verify DNS Resolver reverse resolution

Verify you can resolve a hostname from an IP address.

dig +noall +answer -x 192.168.1.1
1.1.168.192.in-addr.arpa. 2988	IN	PTR	pfSense.localdomain.

Verify DNS Resolver ‘.localdomain’ domain resolution

My DNS Resolver is defined as authoritative for my .localdomain domain.

If I try to look up a name which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.

dig nothere.localdomain
 
; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;nothere.localdomain.     IN  A
 
;; AUTHORITY SECTION:
localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
 
;; Query time: 4 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84
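The two judgements made by eye above (a 2 msec reply to @8.8.8.8 means the redirect worked; NXDOMAIN with the aa flag means .localdomain was not forwarded) can be scripted so the same checks run on a client in each subnet. This is an added example, not from the wiki page; the 5 msec cut-off and the trimmed sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: classify captured `dig` output so the
# redirect and .localdomain checks can be scripted per subnet.
# The LAN_MSEC cut-off and the sample text below are constructed assumptions.

dig_status()     { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
dig_server()     { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }
dig_query_msec() { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }
dig_answer_ip()  { printf '%s\n' "$1" | awk '/^;; ANSWER SECTION/{f=1;next} f && $4=="A"{print $5; exit}'; }

# dig @8.8.8.8 test: a redirect rule rewrites the packet, so the reply still
# reports 8.8.8.8 as SERVER; the only hint left is the round-trip time.
LAN_MSEC=5   # assumed upper bound for a reply answered on the LAN
classify_redirect() {  # $1 = full dig output
  msec=$(dig_query_msec "$1")
  if [ "$(dig_status "$1")" != "NOERROR" ] || [ -z "$msec" ]; then echo "failed"
  elif [ "$msec" -le "$LAN_MSEC" ]; then echo "redirected"
  else echo "external"; fi
}

# .localdomain test: an unknown local name must come back NXDOMAIN with the
# aa (authoritative) flag set, which shows it was not forwarded upstream.
classify_local_nx() {  # $1 = full dig output
  if [ "$(dig_status "$1")" = "NXDOMAIN" ] && printf '%s\n' "$1" | grep -q '^;; flags: qr aa'; then
    echo "authoritative-nxdomain"
  else echo "forwarded-or-resolved"; fi
}

# Live use on a client in each subnet (needs dig and network access):
#   classify_redirect "$(dig @8.8.8.8 pfsense.org)"
#   classify_local_nx "$(dig nothere.localdomain)"

# Constructed samples: trimmed copies of the captures shown on this page.
SAMPLE_REDIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
pfsense.org.    232   IN   A   208.123.73.69
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)'
SAMPLE_EXTERNAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
pfsense.org.    87    IN   A   208.123.73.69
;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)'
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)'
```

The query-time heuristic is only as good as the page's own note: on a fast uplink an external reply can also be quick, so treat "redirected" as a hint to be confirmed in Status → System Logs rather than proof.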

Verify IOT Isolation

Connect to the IOT network and verify you can’t access the pfSense web configurator.

Also verify you can’t access other systems and local devices you have connected to other subnets.


Verify GUEST Isolation

Connect to the GUEST network and verify you can’t access the pfSense web configurator.

Also verify you can’t access other systems and local devices you have connected to other subnets.


FINISHED:

pfsense/install_pfsense/reboot_and_verify.txt · Last modified: 2021/01/05 19:00 by peter
