Differences

This shows you the differences between two versions of the page.

--- pfsense:install_pfsense:reboot_and_verify [2020/12/02 00:26] – created peter
+++ pfsense:install_pfsense:reboot_and_verify [2021/01/05 19:00] (current) – peter
@@ Line 1: / Line 1: @@
 ====== PFSense - Install pfSense - Reboot and Verify ======
+Restart the pfSense device and connect your modem to your WAN port if you haven’t already.
+The system should boot and allow you to log back into the dashboard where if everything is correct, the WAN interfaces will have IP addresses allocated to them.
+Also connect up a managed switch to allow the various subnets (VLANs) to work correctly.
+<WRAP info>
+**NOTE:** Check that everything is okay.
+Navigate to **Status -> System Logs** if needed.
+</WRAP>
+----
+===== Verify DHCP =====
+Connect to each subnet in turn and verify a client receives an appropriate address from the associated DHCP pool.
+Heres the connection when connected to the CLEAR network where a 192.168.50.100 address has been awarded.
+<code bash>
+ifconfig en0
+en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
+    ether xx:xx:xx:xx:xx:xx
+    inet6 fe80::bae8:56ff:fe30:905e%en0 prefixlen 64 scopeid 0x4
+    inet 192.168.50.100 netmask 0xffffff00 broadcast 192.168.50.255
+    nd6 options=1<PERFORMNUD>
+    media: autoselect
+    status: active
+</code>
+----
+===== Verify DNS =====
+We have three methods of DNS resolution to verify:
+  * LAN: Uses Resolver for local and non-local lookups.  External DNS servers requests are redirected back to pfSense.
+  * CLEAR: Uses public DNS resolvers.
+  * IOT: Uses Resolver for local and non-local lookups.  External DNS servers requests are redirected back to pfSense.
+  * GUEST: Uses Resolver or public DNS resolvers.
+----
+==== LAN ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		261	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 192.168.1.1#53(192.168.1.1)
+;; WHEN: Fri Mar 27 14:26:22 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The low query response time of 2 msec suggests that was processed internally; i.e. that the redirect has worked.
+</WRAP>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+nslookup pfsense.localdomain
+</code>
+returns:
+<code bash>
+Server:		127.0.0.53
+Address:	127.0.0.53#53
+Non-authoritative answer:
+Name:	pfsense.localdomain
+Address: 192.168.1.1
+</code>
+Resolve the pfSense hostname:
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.16.1-Ubuntu <<>> pfsense.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10381
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 0 msec
+;; SERVER: 127.0.0.53#53(127.0.0.53)
+;; WHEN: Tue Jan 05 18:45:48 GMT 2021
+;; MSG SIZE  rcvd: 64
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 3600	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my .localdomain domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.    IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.1.1#53(192.168.1.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== CLEAR ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		87	IN	A	208.123.73.69
+;; Query time: 17 msec
+;; SERVER: 1.1.1.1#53(1.1.1.1)
+;; WHEN: Fri Mar 27 15:01:40 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The Query time of 17 msec provides a quick and basic indication this was not processed internally; i.e. it was processed by an external DNS.
+</WRAP>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.10.6 <<>> pfsense.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 2 msec
+;; SERVER: 192.168.50.1#53(192.168.50.1)
+;; WHEN: Fri Mar 27 14:35:35 PDT 2020
+;; MSG SIZE  rcvd: 62
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 3240	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my .localdomain domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.local.lan
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.     IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.1.1#53(192.168.1.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== IOT ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		261	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Fri Mar 27 14:26:22 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The low query response time of 2 msec suggests that was processed internally; i.e. that the redirect has worked.
+</WRAP>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.10.6 <<>> pfsense.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 2 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Fri Mar 27 14:35:35 PDT 2020
+;; MSG SIZE  rcvd: 62
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 3098	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my local.lan domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.     IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== GUEST ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		87	IN	A	208.123.73.69
+;; Query time: 17 msec
+;; SERVER: 1.1.1.1#53(1.1.1.1)
+;; WHEN: Fri Mar 27 15:01:40 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The Query time of 17 msec provides a quick and basic indication this was not processed internally; i.e. it was processed by an external DNS.
+</WRAP>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.local.lan
+; <<>> DiG 9.10.6 <<>> pfsense.local.lan
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 2 msec
+;; SERVER: 192.168.99.1#53(192.168.99.1)
+;; WHEN: Fri Mar 27 14:35:35 PDT 2020
+;; MSG SIZE  rcvd: 62
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 2988	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my .localdomain domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.     IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.99.1#53(192.168.99.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== Verify IOT Isolation ====
+Connect to the **IOT** network and verify you can’t access the pfSense web configurator.
+Also verify you can’t access other systems and local devices you have connected to other subnets.
+----
+==== Verify GUEST Isolation ====
+Connect to the **GUEST** network and verify you can’t access the pfSense web configurator.
+Also verify you can’t access other systems and local devices you have connected to other subnets.
+----
+<WRAP info>
+**FINISHED:**
+</WRAP>