Welcome back to this series, in which we discuss and configure the various features of pfSense. In the first article, we installed pfSense on a virtual machine using VMware. In this article, we will familiarize ourselves with the pfSense webGUI and also look at the basic configuration that you will normally use on a small network, along with features such as DHCP, DNS, and even access to the Internet.

As we saw in the previous post, when you log in to the pfSense webGUI (after the first login), you will be presented with the dashboard, which shows various types of information, such as hostname, DNS servers, interfaces, and so on.

You may also want to spend time familiarizing yourself with the various menu items. For example, you will find DHCP and DNS settings under the “Services” menu item. The VPN menu item is self-explanatory, as is the menu item for “Firewall.”

Let’s look at a basic network setup in which users on the LAN should use pfSense as a default gateway. pfSense will be responsible for assigning IP addresses to users via DHCP and those users will also use the pfSense system as their DNS server. Finally, LAN users should be able to access the Internet.

The GNS3 topology is shown below. Notice that I don’t need to add the Internet part to GNS3 since the pfSense VM is already connected on my Wi-Fi interface.

The first thing we will configure is DHCP, which we do under Services > DHCP Server. By default, the DHCP server is enabled on the LAN interface. There is a host of options that can be configured under this service but, for this article, we will restrict ourselves to the Range option, which I will set to from 172.16.215.200 to 172.16.215.220.

When you save your configuration, if everything goes well, you will see a message like “The changes have been applied successfully.”
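As an added sanity check that is not part of the article, the following Python uses the standard `ipaddress` module to confirm that the pool configured above sits inside the LAN subnet, excludes the network and broadcast addresses, and does not swallow the firewall's own interface address. The LAN interface address 172.16.215.1/24 is an assumption, since the article does not state it.

```python
import ipaddress

# Values from the article: the pool set under Services > DHCP Server.
POOL_START = "172.16.215.200"
POOL_END = "172.16.215.220"
# Assumed: the article does not give the LAN interface address or mask.
LAN_INTERFACE = "172.16.215.1/24"


def check_dhcp_pool(start: str, end: str, lan_if: str) -> dict:
    """Return the LAN subnet, the pool size and a list of problems (empty = pool is sane)."""
    iface = ipaddress.ip_interface(lan_if)
    net = iface.network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside LAN subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if lo <= iface.ip <= hi:
        problems.append(f"pool includes the LAN interface address {iface.ip}")
    size = int(hi) - int(lo) + 1 if lo <= hi else 0
    return {"subnet": str(net), "size": size, "problems": problems}


if __name__ == "__main__":
    print(check_dhcp_pool(POOL_START, POOL_END, LAN_INTERFACE))
```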

The next thing we will look at is the DNS server on pfSense. From pfSense version 2.2, the Unbound DNS Resolver is enabled by default instead of the former DNS Forwarder. Even though both services are still available, only one of them can be enabled at a time, since they listen on the same port.

With DNS Resolver enabled, pfSense will send its interface IP address as the DNS server to clients and, when pfSense receives a DNS query, it will either query root servers directly (if the Forwarding option is checked) or it will forward the query to the upstream DNS servers configured (or obtained via DHCP, etc.).

In our case, the pfSense system is using 192.168.8.1 (the Internet router) as its DNS server. This means that, with the default setting, when pfSense receives a DNS query, it will forward it to 192.168.8.1. We can leave the default settings here and move on from this page.

Let’s think about the traffic flow of a LAN client trying to access the Internet for a moment. The client will forward the traffic to its default gateway, which will be pfSense. pfSense will check its routing table for how to reach the destination network: so where is pfSense’s routing table? We can find this under System > Routing.

As you can see, there is a default route on pfSense, with the WAN interface pointing to the Internet router. This means that pfSense will forward the traffic from the LAN client to the Internet router. Cool.

However, there’s one more thing to consider. Private IP addresses such as the one being used on the LAN are not routable on the Internet. This is where NAT comes in. Fortunately for us, pfSense comes with a default NAT rule that allows the IP address of LAN users to be translated to its WAN IP address. We can view this default NAT rule by navigating to Firewall > NAT and then selecting the Outbound tab.

Let’s fire up the LAN user PC and see if we can get an IP address and also connect to the Internet. In my GNS3 topology, I will be using a VPCS as my LAN PC.

Hint: By default, the DHCP server on VMware network adapters is turned on; that is why your VMs usually get IP addresses assigned automatically. For this lab, you may want to turn off VMware’s DHCP server so that pfSense can handle DHCP requests.

As you can see in the output above, the PC gets assigned the first IP address in the DHCP pool we configured. Also, pfSense sends its LAN interface IP address as the DNS server and gateway (of course).

We can test that this PC can connect to the Internet by running a ping to google.com:

We can view a list of DHCP leases on pfSense by navigating to Status > DHCP Leases:

We can also view the state table (where we can catch a glimpse of the NAT translations) by navigating to Diagnostic > States:

The first line in the output above shows that the LAN PC has a DNS connection with pfSense (to get the address of google.com). The second message shows that the LAN user sends an ICMP packet to the resolved IP address of google.com and the third message shows the NAT translation: 172.16.215.200 is translated to 192.168.8.102 (the WAN IP address of pfSense) before the traffic is forwarded.
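To make the three entries described above easier to pick out of a larger state table, here is an added Python parser that is not part of the article. It reads lines in the layout of `pfctl -ss` on pfSense (interface, protocol, addresses, an optional pre-NAT source in parentheses, direction arrow and state), and reports which states were translated by outbound NAT and which LAN hosts are talking to the resolver. The sample lines are constructed: interface names, ports and the resolved google.com address (203.0.113.10) are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `pfctl -ss`: em1 = LAN, em0 = WAN (assumed names).
SAMPLE_STATES = """\
em1 udp 172.16.215.1:53 <- 172.16.215.200:50123       MULTIPLE:SINGLE
em1 icmp 172.16.215.200:9453 -> 203.0.113.10:9453       0:0
em0 icmp 192.168.8.102:9453 (172.16.215.200:9453) -> 203.0.113.10:9453       0:0
"""
# iface proto left [(original-source)] <-|-> right state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

@dataclass
class State:
    iface: str
    proto: str
    src: str                 # source as seen on this interface (post-NAT on the WAN side)
    dst: str
    orig_src: Optional[str]  # pre-NAT source; only present on translated states

def parse_states(text: str) -> List[State]:
    """Parse state-table lines; '<-' means the firewall itself is the destination."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in a layout we do not recognise
        g = m.groupdict()
        src, dst = (g["right"], g["left"]) if g["dir"] == "<-" else (g["left"], g["right"])
        states.append(State(g["iface"], g["proto"], src, dst, g["orig"]))
    return states

def ip_of(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]  # strip the port

def nat_translations(states: List[State]) -> List[Tuple[str, str, str]]:
    """(original source IP, translated source IP, destination IP) for each NATted state."""
    return [(ip_of(s.orig_src), ip_of(s.src), ip_of(s.dst))
            for s in states if s.orig_src and ip_of(s.orig_src) != ip_of(s.src)]

def dns_clients_of(states: List[State], resolver_ip: str) -> List[str]:
    """LAN hosts that currently hold a DNS state with the pfSense resolver."""
    return sorted({ip_of(s.src) for s in states
                   if s.proto == "udp" and s.dst == f"{resolver_ip}:53"})
```

Feeding the real output of Diagnostics > States (or `pfctl -ss` from the shell) through `nat_translations()` gives the same LAN-to-WAN mapping the article reads off the third line by eye.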

Before we end this article, I want to show you what happens when the DHCP server is enabled on pfSense, but you disable both DNS Forwarder and Unbound DNS Resolver. I added another LAN PC for this test:

As you can see, pfSense will send the IP address(es) of the upstream DNS servers directly to the clients instead of its own LAN IP address. This means that clients will now send DNS queries directly to these upstream DNS servers. I decided to show this in this article because I once encountered an issue where the DNS Forwarder/Resolver on pfSense was not working for whatever reason.

Note: After I disabled the DNS Resolver, pfSense was still sending its LAN IP address until I rebooted the entire pfSense system.

Summary

Let’s stop here in this article, where we have configured pfSense for basic network access. We have considered features such as DHCP and DNS, and we also saw a bit of routing and NAT.

In the next article, we will consider VLANs and access rules. I hope you have found this article insightful.
