Training: pfSense Services

By the end of this module, you will be able to:

• Identify the core network services built into pfSense Plus
• Understand the difference between DHCP Server and DHCP Relay
• Configure the DNS Resolver for local caching and recursion
• Explain the purpose of Dynamic DNS, NTP, SNMP, and UPnP
• Apply security best practices for exposed services

pfSense Plus includes a rich set of network services that can be enabled and configured as needed. These services help manage client connectivity, name resolution, time synchronization, monitoring, and more.

The available services include:

• DHCP Server — Assigns IP addresses and network information to clients
• DHCP Relay — Forwards DHCP requests to servers on another network
• DNS Forwarder (legacy) — Forwards DNS queries to external servers
• DNS Resolver — Caching DNS resolver with recursion support
• Dynamic DNS — Updates DNS records automatically when the WAN IP changes
• IGMP Proxy — Forwards IGMP multicast traffic between interfaces
• NTP Server — Provides Network Time Protocol services to local clients
• PPPoE Server — Terminates PPPoE client connections
• SNMP — Integrates with network monitoring systems
• UPnP / NAT-PMP — Allows internal clients to automatically open NAT ports
• Wake on LAN — Sends magic packets to wake up sleeping devices

The DHCP Server assigns IP addresses and other network information (subnet mask, gateway, DNS) to clients. It is enabled by default on the LAN interface.

Key points:

• Supports many extensible options (custom DHCP options)
• Static mappings can reserve specific IPs for known MAC addresses
• The underlying server is ISC dhcpd

DHCP Relay sends DHCP requests from clients on one network to DHCP server(s) on another network, then returns the DHCP reply to the requesting client.

• Simple concept but very useful in segmented networks
• Only one of DHCP Server or DHCP Relay can be enabled on an interface (not both)

The DNS Resolver (unbound) is the recommended DNS solution for pfSense Plus.

• It is a caching DNS resolver
• Requires DNS servers for recursion (queries root servers directly by default)
• Queries all configured DNS servers and takes the fastest response
• Should be configured for internal-only access to avoid reflected DDoS exploit risks
• Supports DNSSEC for verifiable and trustworthy DNS results
• Offers DNS rebinding protection

Key configuration options:

• Domain Overrides — Forward queries for specific domains to specific DNS servers
• Host Overrides — Resolve specific hostnames to custom IPs (useful for split DNS)
• DNS Query Forwarding — Optionally forward all queries to upstream DNS servers instead of querying roots directly

The DNS Forwarder (dnsmasq) is the legacy DNS option. The DNS Resolver is preferred for new deployments.

Dynamic DNS automatically updates DNS records when the WAN IP address changes. This is essential for:

• Hosting services on dynamic IP connections
• Remote access to networks with non-static public IPs

The Network Time Protocol (NTP) Server provides time synchronization services to local clients.

• Time synchronization is very important for logging, certificates, and authentication
• Supports serial GPS as a time source
• The host's own NTP server is configured under System > General Setup
• Status can be checked under Status > NTP
• It is easy to offer NTP services to clients — enable the service and allow the traffic

SNMP (Simple Network Management Protocol) integrates pfSense Plus with network monitoring platforms.

Best practices:

• Use a strong community string
• Configure to send traps and allow polling as needed
• Protect with firewall rules or bind to specific interfaces
• Do not expose SNMP to the WAN!

UPnP (Universal Plug and Play) and NAT-PMP (NAT Port Mapping Protocol) allow internal clients to automatically request port forwards from the firewall.

• Useful for gaming consoles, VoIP, and peer-to-peer applications
• Can be a security risk if not properly restricted
• Consider limiting to specific interfaces and restricting port ranges

Forwards IGMP multicast traffic between interfaces. Used for IPTV and other multicast applications.

Terminates PPPoE client connections. Used in ISP and WISP environments.

Sends magic packets to wake up sleeping devices on the local network.

Service	Best Practice
DNS Resolver	Bind to internal interfaces only; enable DNSSEC
SNMP	Use strong community strings; do not expose to WAN
NTP	Restrict to internal networks; use authenticated NTP where possible
UPnP	Limit to trusted interfaces; restrict port ranges
DHCP	Use static mappings for critical infrastructure

• Use the DNS Resolver as your primary DNS solution — it can point to internal DNS servers and offers caching, DNSSEC, and security protections
• Integrate pfSense Plus with network monitoring platforms via SNMP
• Protect SNMP, NTP, and DNS Resolver with firewall rules and interface bindings
• Offer NTP services to clients — it is easy to enable and critical for network operations
• Choose between DHCP Server and DHCP Relay based on your network topology
• Restrict or avoid exposing services to the WAN unless absolutely necessary

Continue to Lab 4: Services and Branch Network Setup for hands-on exercises configuring the DNS Resolver, DHCP Server, and bringing up a branch network.

---

Source: Netgate FUND001-LIVE-SLIDE-SEG4-SERVICES.pdf