Differences

This shows you the differences between two versions of the page.

--- pfsense:install_pfsense:reboot_and_verify [2020/12/02 00:28] – peter
+++ pfsense:install_pfsense:reboot_and_verify [2021/01/05 19:00] (current) – peter
@@ Line 5: / Line 5: @@
 The system should boot and allow you to log back into the dashboard where if everything is correct, the WAN interfaces will have IP addresses allocated to them.
-Also connect up a managed switch to allow the various subnets to work correctly.
+Also connect up a managed switch to allow the various subnets (VLANs) to work correctly.
 <WRAP info>
@@ Line 35: / Line 35: @@
 ----
-===== Verify DNS. =====
+===== Verify DNS =====
 We have three methods of DNS resolution to verify:
@@ Line 42: / Line 42: @@
   * CLEAR: Uses public DNS resolvers.
   * IOT: Uses Resolver for local and non-local lookups.  External DNS servers requests are redirected back to pfSense.
-  * GUEST: Uses public DNS resolvers.  No local lookups should be possible.
+  * GUEST: Uses Resolver or public DNS resolvers.
+----
 ==== LAN ====
@@ Line 102: / Line 104: @@
 ;; MSG SIZE  rcvd: 56
 </code>
+<WRAP info>
+**NOTE:**  The low query response time of 2 msec suggests that was processed internally; i.e. that the redirect has worked.
+</WRAP>
 ----
@@ Line 110: / Line 117: @@
 <code bash>
-dig pfsense.local.lan
+nslookup pfsense.localdomain
+</code>
-; <<>> DiG 9.10.6 <<>> pfsense.local.lan
+returns:
+<code bash>
+Server:		127.0.0.53
+Address:	127.0.0.53#53
+Non-authoritative answer:
+Name:	pfsense.localdomain
+Address: 192.168.1.1
+</code>
+Resolve the pfSense hostname:
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.16.1-Ubuntu <<>> pfsense.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10381
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 0 msec
+;; SERVER: 127.0.0.53#53(127.0.0.53)
+;; WHEN: Tue Jan 05 18:45:48 GMT 2021
+;; MSG SIZE  rcvd: 64
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 3600	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my .localdomain domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.    IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.1.1#53(192.168.1.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== CLEAR ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		87	IN	A	208.123.73.69
+;; Query time: 17 msec
+;; SERVER: 1.1.1.1#53(1.1.1.1)
+;; WHEN: Fri Mar 27 15:01:40 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The Query time of 17 msec provides a quick and basic indication this was not processed internally; i.e. it was processed by an external DNS.
+</WRAP>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.10.6 <<>> pfsense.localdomain
 ;; global options: +cmd
 ;; Got answer:
@@ Line 121: / Line 280: @@
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
-;pfsense.local.lan.		IN	A
+;pfsense.localdomain.		IN	A
 ;; ANSWER SECTION:
-pfsense.local.lan.	3600	IN	A	192.168.1.1
+pfsense.localdomain.	3600	IN	A	192.168.1.1
 ;; Query time: 2 msec
-;; SERVER: 192.168.1.1#53(192.168.1.1)
+;; SERVER: 192.168.50.1#53(192.168.50.1)
 ;; WHEN: Fri Mar 27 14:35:35 PDT 2020
 ;; MSG SIZE  rcvd: 62
@@ Line 140: / Line 299: @@
 <code bash>
 dig +noall +answer -x 192.168.1.1
-.2.168.192.in-addr.arpa. 3600	IN	PTR	pfSense.local.lan.
+.1.168.192.in-addr.arpa. 3240	IN	PTR	pfSense.localdomain.
 </code>
 ----
-=== Verify DNS Resolver ‘.local.lan’ domain resolution ===
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
-My DNS Resolver is defined as authoritative for my local.lan domain.
+My DNS Resolver is defined as authoritative for my .localdomain domain.
 If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
 <code bash>
-dig nothere.local.lan
+dig nothere.localdomain
 ; <<>> DiG 9.8.3-P1 <<>> nothere.local.lan
@@ Line 161: / Line 320: @@
 ;; QUESTION SECTION:
-;nothere.local.lan.     IN  A
+;nothere.localdomain.     IN  A
 ;; AUTHORITY SECTION:
-local.lan.      10800   IN  SOA pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
 ;; Query time: 4 msec
@@ Line 173: / Line 332: @@
 ----
+==== IOT ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		261	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Fri Mar 27 14:26:22 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The low query response time of 2 msec suggests that was processed internally; i.e. that the redirect has worked.
+</WRAP>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.localdomain
+; <<>> DiG 9.10.6 <<>> pfsense.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 2 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Fri Mar 27 14:35:35 PDT 2020
+;; MSG SIZE  rcvd: 62
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 3098	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my local.lan domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.     IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.70.1#53(192.168.70.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== GUEST ====
+=== Verify DNS Resolver resolution ===
+<code bash>
+dig pfsense.org
+; <<>> DiG 9.10.6 <<>> pfsense.org
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		87	IN	A	208.123.73.69
+;; Query time: 17 msec
+;; SERVER: 1.1.1.1#53(1.1.1.1)
+;; WHEN: Fri Mar 27 15:01:40 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+<WRAP info>
+**NOTE:**  The Query time of 17 msec provides a quick and basic indication this was not processed internally; i.e. it was processed by an external DNS.
+</WRAP>
+----
+=== Verify non-local DNS Resolver resolution. ===
+Force the DNS query to use Google's DNS server (8.8.8.8).
+This should be redirected back to the pfSense DNS resolver for lookup.
+<code bash>
+dig @8.8.8.8 pfsense.org
+; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.org.			IN	A
+;; ANSWER SECTION:
+pfsense.org.		232	IN	A	208.123.73.69
+;; Query time: 2 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Fri Mar 27 14:26:51 PDT 2020
+;; MSG SIZE  rcvd: 56
+</code>
+----
+=== Verify DNS Resolver’s local name resolution ===
+Use **nslookup** to lookup the pfSense gateway by its hostname and verify the address is returned correctly.
+<code bash>
+dig pfsense.local.lan
+; <<>> DiG 9.10.6 <<>> pfsense.local.lan
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;pfsense.localdomain.		IN	A
+;; ANSWER SECTION:
+pfsense.localdomain.	3600	IN	A	192.168.1.1
+;; Query time: 2 msec
+;; SERVER: 192.168.99.1#53(192.168.99.1)
+;; WHEN: Fri Mar 27 14:35:35 PDT 2020
+;; MSG SIZE  rcvd: 62
+</code>
+----
+=== Verify DNS Resolver reverse resolution ===
+Verify you can resolve a hostname from an IP address.
+<code bash>
+dig +noall +answer -x 192.168.1.1
+.1.168.192.in-addr.arpa. 2988	IN	PTR	pfSense.localdomain.
+</code>
+----
+=== Verify DNS Resolver ‘.localdomain’ domain resolution ===
+My DNS Resolver is defined as authoritative for my .localdomain domain.
+If I try and lookup an address which is not part of my network, it will return status: NXDOMAIN rather than forward the lookup to external DNS resolvers.
+<code bash>
+dig nothere.localdomain
+; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
+;; QUESTION SECTION:
+;nothere.localdomain.     IN  A
+;; AUTHORITY SECTION:
+localdomain.      10800   IN  SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
+;; Query time: 4 msec
+;; SERVER: 192.168.99.1#53(192.168.99.1)
+;; WHEN: Sun Aug 27 10:22:30 2017
+;; MSG SIZE  rcvd: 84
+</code>
+----
+==== Verify IOT Isolation ====
+Connect to the **IOT** network and verify you can’t access the pfSense web configurator.
+Also verify you can’t access other systems and local devices you have connected to other subnets.
+----
+==== Verify GUEST Isolation ====
+Connect to the **GUEST** network and verify you can’t access the pfSense web configurator.
+Also verify you can’t access other systems and local devices you have connected to other subnets.
+----
+<WRAP info>
+**FINISHED:**
+</WRAP>