====== PFSense - Install pfSense - Reboot and Verify ======

Restart the pfSense device and connect your modem to the WAN port if you haven't already. The system should boot and let you log back into the dashboard where, if everything is correct, the WAN interface(s) will have addresses allocated to them. Also connect a managed switch so that the tagged subnets (VLANs) can work.

**NOTE:** Check that everything is okay. Navigate to **Status -> System Logs** if needed.

----

===== Verify DHCP =====

Connect to each subnet in turn and verify a client receives an appropriate address from the associated DHCP pool. Here is the interface state when connected to the CLEAR network, where a 192.168.50.100 address has been handed out (macOS **ifconfig** output):

<code>
ifconfig en0

en0: flags=8963 mtu 1500
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::bae8:56ff:fe30:905e%en0 prefixlen 64 scopeid 0x4
        inet 192.168.50.100 netmask 0xffffff00 broadcast 192.168.50.255
        nd6 options=1
        media: autoselect
        status: active
</code>

Check the router and DNS server options in the lease as well as the address: each network is meant to hand out its own gateway and DNS settings, and a wrong DNS server here will make the DNS checks below fail in confusing ways. On macOS **ipconfig getpacket en0** prints the full DHCP reply; on Linux look at **resolvectl status** or /etc/resolv.conf.

----

===== Verify DNS =====

We have three DNS resolution behaviours to verify across the four networks:

  * LAN: Uses the Resolver for local and non-local lookups. Requests sent to external DNS servers are redirected back to pfSense.
  * CLEAR: Uses public DNS resolvers.
  * IOT: Uses the Resolver for local and non-local lookups. Requests sent to external DNS servers are redirected back to pfSense.
  * GUEST: Uses either the Resolver or public DNS resolvers.

----

==== LAN ====

=== Verify DNS Resolver resolution ===

<code>
dig pfsense.org

; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            261     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 27 14:26:22 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

The SERVER line confirms the query went to the pfSense Resolver at 192.168.1.1.

----

=== Verify non-local DNS Resolver resolution ===

Force the DNS query to use Google's DNS server (8.8.8.8). This should be redirected back to the pfSense DNS Resolver for lookup.

<code>
dig @8.8.8.8 pfsense.org

; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            232     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

**NOTE:** The low query time of 2 msec suggests the query was answered locally, i.e. that the redirect has worked. Treat this only as a hint: dig's SERVER line shows where the query was sent, not who answered it, and a cached answer from a nearby public resolver can be almost as fast. A conclusive test is to send 8.8.8.8 a query for a name that only the pfSense Resolver knows, for example **dig @8.8.8.8 pfsense.localdomain**: if the internal address 192.168.1.1 comes back, the redirect is in place, because Google's servers cannot know that name.

----

=== Verify DNS Resolver’s local name resolution ===

Use **nslookup** to look up the pfSense gateway by its hostname and verify the address is returned correctly.

<code>
nslookup pfsense.localdomain

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   pfsense.localdomain
Address: 192.168.1.1
</code>

Resolve the pfSense hostname with **dig**:

<code>
dig pfsense.localdomain

; <<>> DiG 9.16.1-Ubuntu <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pfsense.localdomain.           IN      A

;; ANSWER SECTION:
pfsense.localdomain.    3600    IN      A       192.168.1.1

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Jan 05 18:45:48 GMT 2021
;; MSG SIZE  rcvd: 64
</code>

**NOTE:** This client runs Ubuntu, so both answers come back via the local systemd-resolved stub on 127.0.0.53 (hence the 0 msec query time); the stub forwards to pfSense. To query the Resolver directly, bypassing the stub, use **dig @192.168.1.1 pfsense.localdomain**.

----

=== Verify DNS Resolver reverse resolution ===

Verify you can resolve a hostname from an IP address.

<code>
dig +noall +answer -x 192.168.1.1

1.1.168.192.in-addr.arpa. 3600  IN      PTR     pfSense.localdomain.
</code>

----

=== Verify DNS Resolver ‘.localdomain’ domain resolution ===

My DNS Resolver is defined as authoritative for my .localdomain domain.
If I look up a name in that domain which does not exist on my network, it returns status NXDOMAIN rather than forwarding the lookup to external DNS resolvers, so internal hostnames never leak upstream. In pfSense this is governed by the Resolver's **System Domain Local Zone Type** setting (**Services -> DNS Resolver -> General Settings**): the default, Transparent, forwards names it has no local data for upstream, whereas Static answers only from local data and returns NXDOMAIN for everything else. The **aa** flag in the reply below shows the Resolver answered authoritatively from its own zone.

<code>
dig nothere.localdomain

; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.localdomain.           IN      A

;; AUTHORITY SECTION:
localdomain.            10800   IN      SOA     pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84
</code>

----

==== CLEAR ====

=== Verify DNS Resolver resolution ===

<code>
dig pfsense.org

; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            87      IN      A       208.123.73.69

;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 27 15:01:40 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

**NOTE:** The query time of 17 msec is a quick, rough indication this was not answered locally; i.e. it was handled by an external DNS server (here 1.1.1.1).

----

=== Verify non-local DNS Resolver resolution ===

Force the DNS query to use Google's DNS server (8.8.8.8). This should be redirected back to the pfSense DNS Resolver for lookup.

<code>
dig @8.8.8.8 pfsense.org

; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            232     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

----

=== Verify DNS Resolver’s local name resolution ===

Use **dig** to look up the pfSense gateway by its hostname and verify the address is returned correctly.

<code>
dig pfsense.localdomain

; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.           IN      A

;; ANSWER SECTION:
pfsense.localdomain.    3600    IN      A       192.168.1.1

;; Query time: 2 msec
;; SERVER: 192.168.50.1#53(192.168.50.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62
</code>

----

=== Verify DNS Resolver reverse resolution ===

Verify you can resolve a hostname from an IP address.

<code>
dig +noall +answer -x 192.168.1.1

1.1.168.192.in-addr.arpa. 3240  IN      PTR     pfSense.localdomain.
</code>

----

=== Verify DNS Resolver ‘.localdomain’ domain resolution ===

My DNS Resolver is defined as authoritative for my .localdomain domain. If I look up a name in that domain which does not exist on my network, it returns status NXDOMAIN rather than forwarding the lookup to external DNS resolvers.

<code>
dig nothere.localdomain

; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.localdomain.           IN      A

;; AUTHORITY SECTION:
localdomain.            10800   IN      SOA     pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84
</code>

----

==== IOT ====

=== Verify DNS Resolver resolution ===

<code>
dig pfsense.org

; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            261     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Fri Mar 27 14:26:22 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

----

=== Verify non-local DNS Resolver resolution ===

Force the DNS query to use Google's DNS server (8.8.8.8). This should be redirected back to the pfSense DNS Resolver for lookup.

<code>
dig @8.8.8.8 pfsense.org

; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            232     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

**NOTE:** The low query time of 2 msec suggests the query was answered locally, i.e. that the redirect has worked.

----

=== Verify DNS Resolver’s local name resolution ===

Use **dig** to look up the pfSense gateway by its hostname and verify the address is returned correctly.
<code>
dig pfsense.localdomain

; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.           IN      A

;; ANSWER SECTION:
pfsense.localdomain.    3600    IN      A       192.168.1.1

;; Query time: 2 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62
</code>

----

=== Verify DNS Resolver reverse resolution ===

Verify you can resolve a hostname from an IP address.

<code>
dig +noall +answer -x 192.168.1.1

1.1.168.192.in-addr.arpa. 3098  IN      PTR     pfSense.localdomain.
</code>

----

=== Verify DNS Resolver ‘.localdomain’ domain resolution ===

My DNS Resolver is defined as authoritative for my .localdomain domain. If I look up a name in that domain which does not exist on my network, it returns status NXDOMAIN rather than forwarding the lookup to external DNS resolvers.

<code>
dig nothere.localdomain

; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.localdomain.           IN      A

;; AUTHORITY SECTION:
localdomain.            10800   IN      SOA     pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800

;; Query time: 4 msec
;; SERVER: 192.168.70.1#53(192.168.70.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84
</code>

----

==== GUEST ====

=== Verify DNS Resolver resolution ===

<code>
dig pfsense.org

; <<>> DiG 9.10.6 <<>> pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            87      IN      A       208.123.73.69

;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 27 15:01:40 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

**NOTE:** The query time of 17 msec is a quick, rough indication this was not answered locally; i.e. it was handled by an external DNS server (here 1.1.1.1).

----

=== Verify non-local DNS Resolver resolution ===

Force the DNS query to use Google's DNS server (8.8.8.8). This should be redirected back to the pfSense DNS Resolver for lookup.

<code>
dig @8.8.8.8 pfsense.org

; <<>> DiG 9.10.6 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.org.                   IN      A

;; ANSWER SECTION:
pfsense.org.            232     IN      A       208.123.73.69

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 27 14:26:51 PDT 2020
;; MSG SIZE  rcvd: 56
</code>

----

=== Verify DNS Resolver’s local name resolution ===

Use **dig** to look up the pfSense gateway by its hostname and verify the address is returned correctly.

<code>
dig pfsense.localdomain

; <<>> DiG 9.10.6 <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain.           IN      A

;; ANSWER SECTION:
pfsense.localdomain.    3600    IN      A       192.168.1.1

;; Query time: 2 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Fri Mar 27 14:35:35 PDT 2020
;; MSG SIZE  rcvd: 62
</code>

----

=== Verify DNS Resolver reverse resolution ===

Verify you can resolve a hostname from an IP address.

<code>
dig +noall +answer -x 192.168.1.1

1.1.168.192.in-addr.arpa. 2988  IN      PTR     pfSense.localdomain.
</code>
----

=== Verify DNS Resolver ‘.localdomain’ domain resolution ===

My DNS Resolver is defined as authoritative for my .localdomain domain. If I look up a name in that domain which does not exist on my network, it returns status NXDOMAIN rather than forwarding the lookup to external DNS resolvers.

<code>
dig nothere.localdomain

; <<>> DiG 9.8.3-P1 <<>> nothere.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nothere.localdomain.           IN      A

;; AUTHORITY SECTION:
localdomain.            10800   IN      SOA     pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800

;; Query time: 4 msec
;; SERVER: 192.168.99.1#53(192.168.99.1)
;; WHEN: Sun Aug 27 10:22:30 2017
;; MSG SIZE  rcvd: 84
</code>

----

==== Verify IOT Isolation ====

Connect to the **IOT** network and verify you cannot reach the pfSense web configurator (for example **curl -k --max-time 5 https://192.168.1.1/** should time out or be refused). Also verify you cannot reach other systems and local devices you have connected to other subnets, for example by pinging a LAN host. The IOT client can still reach its own gateway address for DHCP and DNS, so a working DNS lookup is not a failure of isolation.

----

==== Verify GUEST Isolation ====

Connect to the **GUEST** network and repeat the same checks: the pfSense web configurator must be unreachable, and so must systems and local devices on the other subnets.

----

**FINISHED:**
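To make the checks on this page repeatable, here is a small POSIX shell script, added as an example and not part of the original page, that automates the per-network DNS tests from the LAN, CLEAR, IOT and GUEST sections and the IOT/GUEST isolation check. It parses dig's default output, so the page's own captures can be fed to it without a network. Assumptions: the gateway addresses are the ones shown in the captures above, the web configurator listens on HTTPS at the LAN address, dig and curl are installed on the client, and the two **dig @8.8.8.8 pfsense.localdomain** samples at the bottom are constructed rather than captured.

```sh
#!/bin/sh
# verify-dns.sh: automates the per-network DNS and isolation checks from this
# page.  Added example, not part of the original page.  Gateway addresses and
# the expected behaviour per network come from the captures above; the 8.8.8.8
# samples at the bottom are constructed, not captured.
#   ./verify-dns.sh              offline: run every check on the embedded samples
#   ./verify-dns.sh --live IOT   on a client attached to IOT: query for real
LAN_GW=192.168.1.1 CLEAR_GW=192.168.50.1 IOT_GW=192.168.70.1 GUEST_GW=192.168.99.1
DOMAIN=localdomain

# ---- parsers over dig's default output (one dig output on stdin) -----------
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }           # NOERROR, NXDOMAIN, ...
dig_server() { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }          # where dig SENT the query
dig_aa()     { grep -q '^;; flags:.* aa ' && echo yes || echo no; }  # authoritative-answer bit
dig_rdata()  { awk '$3 == "IN" && ($4 == "A" || $4 == "PTR") { print $5; exit }'; }
is_public() {  # false for an empty string or RFC 1918 space
  case $1 in ""|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;; esac
}

# ---- policy checks: NET is LAN|CLEAR|IOT|GUEST, OUT is a complete dig output --
# Plain lookup (dig pfsense.org): which server may answer on this network?
server_ok() {  # server_ok NET OUT
  s=$(printf '%s\n' "$2" | dig_server)
  case $1 in
    LAN)   [ "$s" = "$LAN_GW" ] ;;
    IOT)   [ "$s" = "$IOT_GW" ] ;;
    CLEAR) is_public "$s" ;;                           # public resolver only
    GUEST) [ "$s" = "$GUEST_GW" ] || is_public "$s" ;; # either is allowed
    *)     return 2 ;;
  esac
}
# dig @8.8.8.8 pfsense.$DOMAIN: only pfSense knows this name, so an answer with
# the internal address proves the port-53 redirect is in effect.  The SERVER
# line cannot tell you this: it shows where the query was sent, not who replied.
redirect_ok() {  # redirect_ok OUT
  [ "$(printf '%s\n' "$1" | dig_status)" = NOERROR ] &&
  [ "$(printf '%s\n' "$1" | dig_rdata)" = "$LAN_GW" ]
}
# dig nothere.$DOMAIN: an authoritative NXDOMAIN means the Resolver answered from
# its own zone instead of leaking the internal name to an upstream resolver.
local_zone_ok() {  # local_zone_ok OUT
  [ "$(printf '%s\n' "$1" | dig_status)" = NXDOMAIN ] &&
  [ "$(printf '%s\n' "$1" | dig_aa)" = yes ]
}
# From IOT/GUEST the web configurator on the LAN address must be unreachable.
isolation_ok() {
  command -v curl >/dev/null || return 2               # cannot tell without curl
  ! curl -sk --max-time 5 -o /dev/null "https://$LAN_GW/"
}

run() { label=$1; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; rc=1; fi; }

live() {  # live NET: run on a client attached to NET
  rc=0
  run "plain lookup answered by the right server" server_ok "$1" "$(dig pfsense.org)"
  run "query to 8.8.8.8 redirected to pfSense"    redirect_ok "$(dig @8.8.8.8 pfsense.$DOMAIN)"
  run "authoritative NXDOMAIN for .$DOMAIN"       local_zone_ok "$(dig nothere.$DOMAIN)"
  case $1 in IOT|GUEST) run "web configurator unreachable" isolation_ok ;; esac
  return $rc
}

# ---- embedded samples: trimmed copies of this page's captures -----------------
LAN_EXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
pfsense.org.  261  IN  A  208.123.73.69
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)'
CLEAR_EXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
pfsense.org.  87  IN  A  208.123.73.69
;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)'
LAN_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
localdomain.  10800  IN  SOA  pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800
;; SERVER: 192.168.1.1#53(192.168.1.1)'
# Constructed, not captured: dig @8.8.8.8 pfsense.localdomain with and without the redirect.
REDIRECT_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
pfsense.localdomain.  3600  IN  A  192.168.1.1
;; SERVER: 8.8.8.8#53(8.8.8.8)'
REDIRECT_BAD=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)'

selfcheck() {  # every check on the samples, plus the cases each must reject
  rc=0
  run "LAN plain lookup"    server_ok LAN "$LAN_EXT"
  run "CLEAR plain lookup"  server_ok CLEAR "$CLEAR_EXT"
  run "redirect detected"   redirect_ok "$REDIRECT_GOOD"
  run "local zone NXDOMAIN" local_zone_ok "$LAN_NX"
  if server_ok LAN "$CLEAR_EXT" || redirect_ok "$REDIRECT_BAD" || local_zone_ok "$LAN_EXT"; then
    echo "FAIL: a negative case was accepted"; rc=1
  fi
  return $rc
}

case ${1:-} in
  --live) live "${2:?network name required (LAN|CLEAR|IOT|GUEST)}" ;;
  *)      selfcheck ;;
esac
```

Run it with no arguments anywhere to confirm the checks themselves behave, including rejecting a non-redirected 8.8.8.8 answer; then run it with **--live NET** from a client attached to each network in turn. The script only sends queries and never changes anything on pfSense.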