Justinaquino: Created from Netgate pfSense training PDFs

2026-04-23T07:01:36Z

Created from Netgate pfSense training PDFs

New page

__NOTOC__

<div style="background-color: #fff3cd; border-left: 6px solid #ffc107; padding: 15px; margin-bottom: 20px;">
<strong>Lab:</strong> Lab 4 — Services and Branch Network Setup<br>
<strong>Course:</strong> Netgate FUND001-LIVE — pfSense Plus Fundamentals and Practical Application<br>
<strong>Objective:</strong> Configure common pfSense Plus services (DNS Resolver, DHCP Server) and bring up a branch network for use in the next lab.
</div>

== Lab Overview ==

In this lab, we will go through a couple of the common services used on pfSense Plus, then bring up the branch network to be used in the next lab.

The exercises cover:

* Configuring the '''DNS Resolver''' (domain overrides, host overrides)
* Configuring the '''DHCP Server''' (changing scope, adding static mappings)
* '''Branch network setup''' and remote management

== Prerequisites ==

* Access to fw1-HQ (172.17.1.1)
* Access to HQ-client (DHCP client on HQ-LAN)
* Access to branch firewall (172.18.1.1)
* Default admin/pfsense credentials

== Exercise 1: DNS Resolver Configuration ==

The DNS Resolver provides a local caching DNS resolver on the firewall. On smaller networks with no local DNS servers, using the local DNS Resolver as your clients' DNS server — rather than directly assigning DNS servers on the Internet — is preferable.

It provides:

* A local DNS cache
* Ability to query multiple DNS servers simultaneously, returning the fastest response
* Security protections such as DNS rebinding protection and DNSSEC

=== 1.1 DNS Server Configuration ===

By default, the DNS Resolver queries root DNS servers directly and does not use DNS servers configured under '''System > General Setup''' or those obtained automatically from a dynamic WAN.

'''Step 1:''' Browse to '''System > General Setup''' on fw1-HQ.

'''Step 2:''' Review the DNS server configuration. Currently, fw1-HQ is statically configured to use the DNS Resolver on lab-internet-router.

'''Step 3:''' The '''"Allow DNS server list to be overridden by DHCP/PPP on WAN"''' checkbox is checked by default. Since these systems do not have dynamic WANs, this option has no effect. '''Uncheck''' this option.

'''Step 4:''' Leave the remaining settings as they are and click '''Save'''.

=== 1.2 Domain Overrides ===

Domain overrides allow you to configure specific DNS servers to use for particular domains.

In this exercise, we will forward '''example.lan''' to '''172.17.2.10'''. This is functionally equivalent to what you would do in a Small Business Server (SBS) scenario for Active Directory.

'''Step 1:''' On HQ-client, open a terminal and test resolution '''before''' adding the domain override:

<pre>
training@HQ-client:~$ host server1.example.lan
Host server1.example.lan not found: 3(NXDOMAIN)
training@HQ-client:~$ host server2.example.lan
Host server2.example.lan not found: 3(NXDOMAIN)
training@HQ-client:~$ host hq-client.example.lan
Host hq-client.example.lan not found: 3(NXDOMAIN)
</pre>

NXDOMAIN means "no such name exists." To resolve example.lan, we must tell the DNS Resolver where to send those queries.

'''Step 2:''' On fw1-HQ, browse to '''Services > DNS Resolver'''.

'''Step 3:''' Scroll down to '''Domain Overrides''' and click '''+Add'''.

'''Step 4:''' Configure the domain override:

{| class="wikitable"
! Field
! Value
|-
| Domain
| example.lan
|-
| IP Address
| 172.17.2.10
|}

'''Step 5:''' Click '''Save'''.

=== 1.3 Testing Domain Override ===

'''Step 1:''' On HQ-client, open a terminal and test resolution again:

<pre>
training@hq-client:~$ host server1.example.lan
server1.example.lan has address 172.17.2.10
training@hq-client:~$ host server2.example.lan
server2.example.lan has address 172.17.2.20
training@hq-client:~$ host hq-client.example.lan
hq-client.example.lan has address 172.17.1.100
</pre>

These queries go to the DNS Resolver on fw1-HQ, which uses the domain override to send example.lan queries to server1. Server1 replies to the DNS Resolver, which replies back to HQ-client.

=== 1.4 Host Overrides ===

Host overrides allow you to configure how a specific hostname is resolved by the DNS Resolver. A common use is '''split DNS''': resolving public DNS hostnames to private IPs internally to eliminate the need for NAT reflection.

In this lab:

* www.example.com is hosted in the HQ DMZ on server1
* www.example.com publicly resolves to 192.0.2.4
* Without NAT reflection, HQ internal hosts cannot reach 192.0.2.4
* We will add a host override to resolve www.example.com to the internal IP 172.17.2.10

'''Step 1:''' On fw1-HQ, browse to '''Services > DNS Resolver''', scroll down to '''Host Overrides''', and click '''+Add'''.

'''Step 2:''' Configure the host override:

{| class="wikitable"
! Field
! Value
|-
| Host
| (leave blank)
|-
| Domain
| example.com
|-
| IP address
| 172.17.2.10
|-
| Alias Host
| www
|-
| Alias Domain
| example.com
|}

'''Step 3:''' Click '''Save''' and '''Apply Changes'''.

=== 1.5 Testing Host Override ===

'''Step 1:''' On HQ-client, test resolution:

<pre>
training@HQ-client:~$ host www.example.com
www.example.com has address 172.17.2.10
training@HQ-client:~$ host example.com
example.com has address 172.17.2.10
</pre>

'''Step 2:''' Open '''www.example.com''' in your web browser on HQ-client. The page should load, showing it is from server1 and displaying your source IP.

== Exercise 2: DHCP Server Configuration ==

The DHCP Server comes enabled by default on LAN, assigning IP information, a default gateway, and DNS server to LAN clients.

HQ-client is a DHCP client currently obtaining an IP from the general pool. Because it is the first and only device on HQ-LAN, it gets the first IP: '''172.17.1.100'''. We want to ensure HQ-client is always assigned the .100 IP and that it cannot be assigned to any other host.

=== 2.1 Checking DHCP Status ===

'''Step 1:''' On fw1-HQ, browse to '''Status > DHCP Leases'''.

'''Step 2:''' Locate the lease for HQ-client.

=== 2.2 Changing DHCP Scope ===

The underlying DHCP server (ISC dhcpd) requires statically mapped IPs to be '''outside of the DHCP scope'''. Since .100 is part of the currently active range, we must change the range to exclude it.

Note: Doing so will not immediately impact HQ-client. It will retain its existing .100 IP until its next renewal.

'''Step 1:''' Browse to '''Services > DHCP Server''' and click the '''LAN''' tab.

'''Step 2:''' Change the '''Start of the range''' to '''172.17.1.101'''.

'''Step 3:''' Click '''Save'''.

Now .100 will be available for a DHCP reservation.

=== 2.3 Adding DHCP Static Mapping for HQ-client ===

First, we need to renew the DHCP lease on HQ-client so it re-populates in the DHCP leases screen (its lease for .100 was deleted after changing the scope).

'''Step 1:''' On HQ-client, click the network icon in the top right corner and click '''"Ifupdown (eth0)"''' to renew the lease.

Note: Your VNC session will be dropped. Wait a few seconds.

'''Step 2:''' On fw1-HQ, refresh '''Status > DHCP Leases'''. After 20-30 seconds, you should see HQ-client obtained a lease for '''172.17.1.101'''. Reconnect to VNC using the .101 IP.

'''Step 3:''' Browse to '''Status > DHCP Leases'''.

'''Step 4:''' Click the '''+''' to the right of the HQ-client lease to add a DHCP static mapping.

'''Step 5:''' At the "Edit static mapping" screen, fill in:

{| class="wikitable"
! Field
! Value
|-
| IP address
| 172.17.1.100
|}

'''Step 6:''' Click '''Save''' and '''Apply Changes'''.

=== 2.4 Renewing DHCP Lease on HQ-client ===

'''Step 1:''' Force HQ-client to renew its DHCP lease again (click network icon → "Ifupdown (eth0)").

Note: This will drop your VNC session again. Wait a few seconds for it to pick up the lease for the static mapping, then reconnect using '''172.17.1.100'''.

'''Step 2:''' Browse to '''Status > DHCP Leases''' on fw1-HQ and verify HQ-client's static mapping status.

== Exercise 3: Branch Network Setup ==

Here we will bring the branch network online to be ready for use in the next lab.

=== 3.1 Initial Branch Firewall Access ===

'''Step 1:''' Browse to '''https://172.18.1.1''' from your system.

'''Step 2:''' Add an exception for the self-signed certificate.

'''Step 3:''' Log in with the default credentials '''admin / pfsense'''.

Note: This will not trigger the setup wizard, as this VM comes pre-configured past that point.

=== 3.2 Setting Up Remote Management ===

We will have a VPN connected into this location in the next lab. However, it is usually best to have a means into remote offices' firewalls without requiring a VPN, limited to specific trusted source IPs.

==== Add RemoteAdmin Alias ====

'''Step 1:''' Browse to '''Firewall > Aliases''' and click '''+Add'''.

'''Step 2:''' Create the alias with the following parameters:

{| class="wikitable"
! Parameter
! Value
|-
| Name
| RemoteAdmin
|-
| Type
| Networks
|-
| Members
| 192.0.2.0/24 (HQ WAN)<br>198.51.100.0/24 (HQ WAN2)
|}

'''Step 3:''' Click '''Save''' and '''Apply Changes'''.

==== Add Firewall Rule ====

'''Step 1:''' Browse to '''Firewall > Rules''', click the '''WAN''' tab, and click '''Add'''.

'''Step 2:''' Configure the rule:

{| class="wikitable"
! Parameter
! Value
|-
| Action
| Pass
|-
| Interface
| WAN
|-
| Protocol
| any
|-
| Source
| Single host or alias → RemoteAdmin
|-
| Destination
| WAN address
|-
| Description
| allow remote administration from trusted IPs
|}

'''Step 3:''' Click '''Save''' and '''Apply Changes'''.

=== 3.3 Test Remote Administration ===

'''Step 1:''' On HQ-client, browse to '''https://203.0.113.10'''.

'''Step 2:''' It should load, allowing you to log in and manage the branch system from HQ.

You have now reached the end of this lab.

== Lab Summary ==

{| class="wikitable"
! Exercise
! What We Did
! Key Takeaway
|-
| DNS Resolver
| Configured domain overrides and host overrides
| Use overrides for internal domains and split DNS
|-
| DHCP Server
| Changed scope and added static mapping
| Static IPs must be outside the DHCP pool
|-
| Branch Setup
| Brought branch firewall online, added remote admin access
| Restrict remote admin to trusted source IPs
|}

== Next Module ==

Continue to the next lab for VPN configuration and connecting the branch network.

----

''Source: Netgate FUND001-LIVE-Lab4-Services.pdf''

[[Category:Training]]
[[Category:pfSense]]
[[Category:Networking]]
[[Category:Lab]]

Training Lab 4: Services and Branch Network - Revision history

Justinaquino: Created from Netgate pfSense training PDFs