Justinaquino: Created from Netgate pfSense training PDFs

2026-04-23T07:01:36Z

Created from Netgate pfSense training PDFs

New page

__NOTOC__

<div style="background-color: #e7f3fe; border-left: 6px solid #2196F3; padding: 15px; margin-bottom: 20px;">
Module: Section 4 — pfSense Plus Services 
Course: Netgate FUND001-LIVE — pfSense Plus Fundamentals and Practical Application 
Topics Covered: DHCP, DNS Resolver/Forwarder, Dynamic DNS, NTP, SNMP, UPnP / NAT-PMP, IGMP Proxy, PPPoE Server, Wake on LAN 
Objective: Understand the built-in services available on pfSense Plus and how to configure and secure them.
</div>

== Learning Objectives ==

By the end of this module, you will be able to:

* Identify the core network services built into pfSense Plus
* Understand the difference between DHCP Server and DHCP Relay
* Configure the DNS Resolver for local caching and recursion
* Explain the purpose of Dynamic DNS, NTP, SNMP, and UPnP
* Apply security best practices for exposed services

== Overview of pfSense Plus Services ==

pfSense Plus includes a rich set of network services that can be enabled and configured as needed. These services help manage client connectivity, name resolution, time synchronization, monitoring, and more.

The available services include:

* '''DHCP Server''' — Assigns IP addresses and network information to clients
* '''DHCP Relay''' — Forwards DHCP requests to servers on another network
* '''DNS Forwarder (legacy)''' — Forwards DNS queries to external servers
* '''DNS Resolver''' — Caching DNS resolver with recursion support
* '''Dynamic DNS''' — Updates DNS records automatically when the WAN IP changes
* '''IGMP Proxy''' — Forwards IGMP multicast traffic between interfaces
* '''NTP Server''' — Provides Network Time Protocol services to local clients
* '''PPPoE Server''' — Terminates PPPoE client connections
* '''SNMP''' — Integrates with network monitoring systems
* '''UPnP / NAT-PMP''' — Allows internal clients to automatically open NAT ports
* '''Wake on LAN''' — Sends magic packets to wake up sleeping devices

== DHCP Service ==

=== DHCP Server ===

The DHCP Server assigns IP addresses and other network information (subnet mask, gateway, DNS) to clients. It is '''enabled by default on the LAN interface'''.

Key points:

* Supports many extensible options (custom DHCP options)
* Static mappings can reserve specific IPs for known MAC addresses
* The underlying server is ISC dhcpd

=== DHCP Relay ===

DHCP Relay sends DHCP requests from clients on one network to DHCP server(s) on another network, then returns the DHCP reply to the requesting client.

* Simple concept but very useful in segmented networks
* Only one of DHCP Server or DHCP Relay can be enabled on an interface (not both)

== DNS Resolver ==

The DNS Resolver (unbound) is the '''recommended DNS solution''' for pfSense Plus.

* It is a '''caching DNS resolver'''
* Requires DNS servers for recursion (queries root servers directly by default)
* Queries all configured DNS servers and takes the fastest response
* Should be configured for '''internal-only access''' to avoid reflected DDoS exploit risks
* Supports DNSSEC for verifiable and trustworthy DNS results
* Offers DNS rebinding protection

Key configuration options:

* '''Domain Overrides''' — Forward queries for specific domains to specific DNS servers
* '''Host Overrides''' — Resolve specific hostnames to custom IPs (useful for split DNS)
* '''DNS Query Forwarding''' — Optionally forward all queries to upstream DNS servers instead of querying roots directly

== DNS Forwarder (Legacy) ==

The DNS Forwarder (dnsmasq) is the legacy DNS option. The DNS Resolver is preferred for new deployments.

== Dynamic DNS ==

Dynamic DNS automatically updates DNS records when the WAN IP address changes. This is essential for:

* Hosting services on dynamic IP connections
* Remote access to networks with non-static public IPs

== NTP Server ==

The Network Time Protocol (NTP) Server provides time synchronization services to local clients.

* Time synchronization is '''very important''' for logging, certificates, and authentication
* Supports serial GPS as a time source
* The host's own NTP server is configured under '''System > General Setup'''
* Status can be checked under '''Status > NTP'''
* It is easy to offer NTP services to clients — enable the service and allow the traffic

== SNMP ==

SNMP (Simple Network Management Protocol) integrates pfSense Plus with network monitoring platforms.

Best practices:

* Use a '''strong community string'''
* Configure to send traps and allow polling as needed
* '''Protect with firewall rules''' or bind to specific interfaces
* '''Do not expose SNMP to the WAN!'''

== UPnP / NAT-PMP ==

UPnP (Universal Plug and Play) and NAT-PMP (NAT Port Mapping Protocol) allow internal clients to automatically request port forwards from the firewall.

* Useful for gaming consoles, VoIP, and peer-to-peer applications
* Can be a security risk if not properly restricted
* Consider limiting to specific interfaces and restricting port ranges

== Other Services ==

=== IGMP Proxy ===

Forwards IGMP multicast traffic between interfaces. Used for IPTV and other multicast applications.

=== PPPoE Server ===

Terminates PPPoE client connections. Used in ISP and WISP environments.

=== Wake on LAN ===

Sends magic packets to wake up sleeping devices on the local network.

== Security Best Practices ==

{| class="wikitable"
! Service
! Best Practice
|-
| DNS Resolver
| Bind to internal interfaces only; enable DNSSEC
|-
| SNMP
| Use strong community strings; do not expose to WAN
|-
| NTP
| Restrict to internal networks; use authenticated NTP where possible
|-
| UPnP
| Limit to trusted interfaces; restrict port ranges
|-
| DHCP
| Use static mappings for critical infrastructure
|}

== Summary ==

* Use the '''DNS Resolver''' as your primary DNS solution — it can point to internal DNS servers and offers caching, DNSSEC, and security protections
* Integrate pfSense Plus with '''network monitoring platforms''' via SNMP
* '''Protect SNMP, NTP, and DNS Resolver''' with firewall rules and interface bindings
* '''Offer NTP services to clients''' — it is easy to enable and critical for network operations
* Choose between DHCP Server and DHCP Relay based on your network topology
* Restrict or avoid exposing services to the WAN unless absolutely necessary

== Next Module ==

Continue to '''[[Training_Lab_4:_Services_and_Branch_Network|Lab 4: Services and Branch Network Setup]]''' for hands-on exercises configuring the DNS Resolver, DHCP Server, and bringing up a branch network.

----

''Source: Netgate FUND001-LIVE-SLIDE-SEG4-SERVICES.pdf''

[[Category:Training]]
[[Category:pfSense]]
[[Category:Networking]]

Training: pfSense Services - Revision history

Justinaquino: Created from Netgate pfSense training PDFs