Training Lab 4: Services and Branch Network

From MediawikiCIT
Revision as of 07:01, 23 April 2026 by Justinaquino (talk | contribs) (Created from Netgate pfSense training PDFs)


Lab: Lab 4 — Services and Branch Network Setup
Course: Netgate FUND001-LIVE — pfSense Plus Fundamentals and Practical Application
Objective: Configure common pfSense Plus services (DNS Resolver, DHCP Server) and bring up a branch network for use in the next lab.

Lab Overview

In this lab, we will go through a couple of the common services used on pfSense Plus, then bring up the branch network to be used in the next lab.

The exercises cover:

  • Configuring the DNS Resolver (domain overrides, host overrides)
  • Configuring the DHCP Server (changing scope, adding static mappings)
  • Branch network setup and remote management

Prerequisites

  • Access to fw1-HQ (172.17.1.1)
  • Access to HQ-client (DHCP client on HQ-LAN)
  • Access to branch firewall (172.18.1.1)
  • Default admin/pfsense credentials

Exercise 1: DNS Resolver Configuration

The DNS Resolver provides a local caching DNS resolver on the firewall. On smaller networks with no local DNS servers, using the local DNS Resolver as your clients' DNS server — rather than directly assigning DNS servers on the Internet — is preferable.

It provides:

  • A local DNS cache
  • Ability to query multiple DNS servers simultaneously, returning the fastest response
  • Security protections such as DNS rebinding protection and DNSSEC

1.1 DNS Server Configuration

By default, the DNS Resolver queries root DNS servers directly and does not use DNS servers configured under System > General Setup or those obtained automatically from a dynamic WAN.

Step 1: Browse to System > General Setup on fw1-HQ.

Step 2: Review the DNS server configuration. Currently, fw1-HQ is statically configured to use the DNS Resolver on lab-internet-router.

Step 3: The "Allow DNS server list to be overridden by DHCP/PPP on WAN" checkbox is checked by default. Since these systems do not have dynamic WANs, this option has no effect. Uncheck this option.

Step 4: Leave the remaining settings as they are and click Save.

1.2 Domain Overrides

Domain overrides allow you to configure specific DNS servers to use for particular domains.

In this exercise, we will forward example.lan to 172.17.2.10. This is functionally equivalent to what you would do in a Small Business Server (SBS) scenario for Active Directory.

Step 1: On HQ-client, open a terminal and test resolution before adding the domain override:

training@HQ-client:~$ host server1.example.lan
Host server1.example.lan not found: 3(NXDOMAIN)
training@HQ-client:~$ host server2.example.lan
Host server2.example.lan not found: 3(NXDOMAIN)
training@HQ-client:~$ host hq-client.example.lan
Host hq-client.example.lan not found: 3(NXDOMAIN)

NXDOMAIN means "no such name exists." To resolve example.lan, we must tell the DNS Resolver where to send those queries.

Step 2: On fw1-HQ, browse to Services > DNS Resolver.

Step 3: Scroll down to Domain Overrides and click +Add.

Step 4: Configure the domain override:

Field        Value
Domain       example.lan
IP Address   172.17.2.10

Step 5: Click Save.

1.3 Testing Domain Override

Step 1: On HQ-client, open a terminal and test resolution again:

training@hq-client:~$ host server1.example.lan
server1.example.lan has address 172.17.2.10
training@hq-client:~$ host server2.example.lan
server2.example.lan has address 172.17.2.20
training@hq-client:~$ host hq-client.example.lan
hq-client.example.lan has address 172.17.1.100

These queries go to the DNS Resolver on fw1-HQ, which uses the domain override to send example.lan queries to server1. Server1 replies to the DNS Resolver, which replies back to HQ-client.

1.4 Host Overrides

Host overrides allow you to configure how a specific hostname is resolved by the DNS Resolver. A common use is split DNS: resolving public DNS hostnames to private IPs internally to eliminate the need for NAT reflection.

In this lab:

  • www.example.com is hosted in the HQ DMZ on server1
  • www.example.com publicly resolves to 192.0.2.4
  • Without NAT reflection, HQ internal hosts cannot reach 192.0.2.4
  • We will add a host override to resolve www.example.com to the internal IP 172.17.2.10

Step 1: On fw1-HQ, browse to Services > DNS Resolver, scroll down to Host Overrides, and click +Add.

Step 2: Configure the host override:

Field          Value
Host           (leave blank)
Domain         example.com
IP address     172.17.2.10
Alias Host     www
Alias Domain   example.com

Step 3: Click Save and Apply Changes.

1.5 Testing Host Override

Step 1: On HQ-client, test resolution:

training@HQ-client:~$ host www.example.com
www.example.com has address 172.17.2.10
training@HQ-client:~$ host example.com
example.com has address 172.17.2.10

Step 2: Open www.example.com in your web browser on HQ-client. The page should load, showing it is from server1 and displaying your source IP.
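The two override types behave differently: a domain override hands every name under example.lan to the server at 172.17.2.10, while a host override answers only the listed name and its aliases locally and leaves the rest of example.com to normal recursion. The following added example (written for this page, not Netgate's or pfSense's code) models both kinds of override, renders the equivalent standard unbound stanzas (local-data and forward-zone; that pfSense emits exactly these lines for the GUI fields is an assumption), and shows which path a given query name takes. The DomainOverride and HostOverride classes and the function names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed data model for the two override types the lab configures.
# Illustrative only; this is not pfSense's own code.


@dataclass
class DomainOverride:
    """Services > DNS Resolver > Domain Overrides: forward a whole domain."""
    domain: str
    server: str


@dataclass
class HostOverride:
    """Services > DNS Resolver > Host Overrides: answer one name locally."""
    host: str                                   # "" means the bare domain
    domain: str
    ip: str
    aliases: list = field(default_factory=list)  # (host, domain) pairs

    def names(self):
        """Every FQDN this override answers, including its aliases."""
        pairs = [(self.host, self.domain)] + list(self.aliases)
        return [(f"{h}.{d}" if h else d).lower() for h, d in pairs]


def render_unbound(domain_overrides, host_overrides):
    """Render unbound.conf stanzas corresponding to the overrides.

    local-data and forward-zone are standard unbound syntax; that pfSense
    generates exactly these lines from the GUI fields is an assumption."""
    lines = []
    for ho in host_overrides:
        for name in ho.names():
            lines.append(f'local-data: "{name}. IN A {ho.ip}"')
    for do in domain_overrides:
        lines += ["forward-zone:",
                  f'    name: "{do.domain}"',
                  f"    forward-addr: {do.server}"]
    return "\n".join(lines)


def resolve_path(qname, domain_overrides, host_overrides):
    """Decide how the resolver handles a query name.

    Returns one of:
      ("local", ip)      answered from local-data (host override)
      ("forward", addr)  sent to the domain override's server
      ("recurse", None)  normal recursion towards the root servers

    Host overrides win over domain overrides, and the longest matching
    domain override wins, mirroring unbound's most-specific-zone rule."""
    q = qname.lower().rstrip(".")
    for ho in host_overrides:
        if q in ho.names():
            return ("local", ho.ip)
    best, best_len = None, -1
    for do in domain_overrides:
        d = do.domain.lower().rstrip(".")
        if (q == d or q.endswith("." + d)) and len(d) > best_len:
            best, best_len = do, len(d)
    if best is not None:
        return ("forward", best.server)
    return ("recurse", None)


# Values taken from the lab: forward example.lan to 172.17.2.10, and answer
# example.com plus www.example.com locally with server1's DMZ address.
LAB_DOMAIN_OVERRIDES = [DomainOverride("example.lan", "172.17.2.10")]
LAB_HOST_OVERRIDES = [HostOverride("", "example.com", "172.17.2.10",
                                   aliases=[("www", "example.com")])]

if __name__ == "__main__":
    print(render_unbound(LAB_DOMAIN_OVERRIDES, LAB_HOST_OVERRIDES))
    for name in ["www.example.com", "mail.example.com",
                 "server2.example.lan", "www.netgate.com"]:
        print(name, "->",
              resolve_path(name, LAB_DOMAIN_OVERRIDES, LAB_HOST_OVERRIDES))
```

Running it shows that mail.example.com is not answered by the host override (it still recurses to the public DNS), whereas server2.example.lan is forwarded even though only server1's address was entered: the domain override covers the whole zone, which is why it is the right tool for an internal Active Directory domain and the host override is the right tool for split DNS of a single public name.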

Exercise 2: DHCP Server Configuration

The DHCP Server comes enabled by default on LAN, assigning IP information, a default gateway, and DNS server to LAN clients.

HQ-client is a DHCP client currently obtaining an IP from the general pool. Because it is the first and only device on HQ-LAN, it gets the first IP: 172.17.1.100. We want to ensure HQ-client is always assigned the .100 IP and that it cannot be assigned to any other host.

2.1 Checking DHCP Status

Step 1: On fw1-HQ, browse to Status > DHCP Leases.

Step 2: Locate the lease for HQ-client.

2.2 Changing DHCP Scope

The underlying DHCP server (ISC dhcpd) requires statically mapped IPs to be outside of the DHCP scope. Since .100 is part of the currently active range, we must change the range to exclude it.

Note: Doing so will not immediately impact HQ-client. It will retain its existing .100 IP until its next renewal.

Step 1: Browse to Services > DHCP Server and click the LAN tab.

Step 2: Change the Start of the range to 172.17.1.101.

Step 3: Click Save.

Now .100 will be available for a DHCP reservation.

2.3 Adding DHCP Static Mapping for HQ-client

First, we need to renew the DHCP lease on HQ-client so it re-populates in the DHCP leases screen (its lease for .100 was deleted after changing the scope).

Step 1: On HQ-client, click the network icon in the top right corner and click "Ifupdown (eth0)" to renew the lease.

Note: Your VNC session will be dropped. Wait a few seconds.

Step 2: On fw1-HQ, refresh Status > DHCP Leases. After 20-30 seconds, you should see that HQ-client has obtained a lease for 172.17.1.101. Reconnect to VNC using the .101 IP.

Step 3: Browse to Status > DHCP Leases.

Step 4: Click the + to the right of the HQ-client lease to add a DHCP static mapping.

Step 5: At the "Edit static mapping" screen, fill in:

Field        Value
IP address   172.17.1.100

Step 6: Click Save and Apply Changes.

2.4 Renewing DHCP Lease on HQ-client

Step 1: Force HQ-client to renew its DHCP lease again (click network icon → "Ifupdown (eth0)").

Note: This will drop your VNC session again. Wait a few seconds for it to pick up the lease for the static mapping, then reconnect using 172.17.1.100.

Step 2: Browse to Status > DHCP Leases on fw1-HQ and verify HQ-client's static mapping status.
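The constraint behind Exercise 2 is that ISC dhcpd refuses a static mapping whose address lies inside an active pool, which is why the range start had to move from .100 to .101 first. The added example below (written for this page, not pfSense's or ISC's code) checks a proposed set of static mappings against the interface subnet and its pools, and works out how a pool must be trimmed or split to free a given address. It generalizes the lab's edge case: excluding an address in the middle of the pool yields two pools rather than one. The pool end of .199 and the function names are constructed assumptions; the lab only states that .100 is inside the active range.

```python
import ipaddress

# Constructed helper for the static-mapping rule the lab describes.
# Illustrative only; this is not pfSense's or ISC dhcpd's validation code.


def pool_ranges_excluding(pool_start, pool_end, excluded_ip):
    """Trim or split a DHCP pool so that excluded_ip is no longer inside it.

    Returns a list of (start, end) string tuples. An address at either edge
    shrinks the pool (the lab moves the start from .100 to .101); an address
    in the middle splits the pool in two."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    ip = ipaddress.ip_address(excluded_ip)
    if start > end:
        raise ValueError("pool start is after pool end")
    if not start <= ip <= end:
        return [(str(start), str(end))]      # already outside: nothing to do
    ranges = []
    if ip > start:
        ranges.append((str(start), str(ip - 1)))
    if ip < end:
        ranges.append((str(ip + 1), str(end)))
    return ranges


def static_mapping_problems(subnet, pools, static_ips):
    """Explain why a set of static mappings would be rejected or is unsafe.

    Checks the ISC dhcpd constraint from the lab (a static IP must be outside
    every pool) plus two related mistakes: an IP outside the interface subnet
    and the same IP reserved twice. Returns an empty list when all is well."""
    net = ipaddress.ip_network(subnet, strict=False)
    pools = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in pools]
    problems, seen = [], set()
    for raw in static_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            problems.append(f"{ip}: not inside {net}")
        for a, b in pools:
            if a <= ip <= b:
                problems.append(f"{ip}: inside DHCP pool {a}-{b}")
        if ip in seen:
            problems.append(f"{ip}: reserved more than once")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    # Lab scenario: HQ-LAN 172.17.1.0/24; pool end .199 is an assumption.
    subnet, original_pool = "172.17.1.0/24", ("172.17.1.100", "172.17.1.199")
    print("before:", static_mapping_problems(subnet, [original_pool], ["172.17.1.100"]))
    new_pools = pool_ranges_excluding(*original_pool, "172.17.1.100")
    print("pools after excluding .100:", new_pools)
    print("after:", static_mapping_problems(subnet, new_pools, ["172.17.1.100"]))
```

A check like this is worth running before pushing a batch of reservations from an inventory system, because the GUI only reports the conflict one mapping at a time.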

Exercise 3: Branch Network Setup

Here we will bring the branch network online to be ready for use in the next lab.

3.1 Initial Branch Firewall Access

Step 1: Browse to https://172.18.1.1 from your system.

Step 2: Add an exception for the self-signed certificate.

Step 3: Log in with the default credentials admin / pfsense.

Note: This will not trigger the setup wizard, as this VM comes pre-configured past that point.

3.2 Setting Up Remote Management

We will have a VPN connected into this location in the next lab. However, it is usually best to have a means into remote offices' firewalls without requiring a VPN, limited to specific trusted source IPs.

Add RemoteAdmin Alias

Step 1: Browse to Firewall > Aliases and click +Add.

Step 2: Create the alias with the following parameters:

Parameter   Value
Name        RemoteAdmin
Type        Networks
Members     192.0.2.0/24 (HQ WAN), 198.51.100.0/24 (HQ WAN2)

Step 3: Click Save and Apply Changes.

Add Firewall Rule

Step 1: Browse to Firewall > Rules, click the WAN tab, and click Add.

Step 2: Configure the rule:

Parameter     Value
Action        Pass
Interface     WAN
Protocol      any
Source        Single host or alias → RemoteAdmin
Destination   WAN address
Description   allow remote administration from trusted IPs

Step 3: Click Save and Apply Changes.
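The protection here comes from the source restriction: pfSense evaluates interface rules top down, the first match wins, and anything arriving on WAN that matches no rule is blocked by default. The added example below (written for this page, not pfSense's code) models that evaluation with the lab's RemoteAdmin alias and rule, and also shows a tighter variant limited to TCP/443 for the WebGUI, which is not a lab step. The Rule class, the evaluate function and the 203.0.113.50 test address are constructed for the illustration; the alias members and the branch WAN address 203.0.113.10 come from the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of pfSense WAN rule evaluation; not
# pfSense's own code. Top-down, first match wins, default deny on WAN.

ALIASES = {"RemoteAdmin": ["192.0.2.0/24", "198.51.100.0/24"]}  # from the lab
WAN_ADDRESS = "203.0.113.10"   # branch WAN IP used in the lab's test step


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    protocol: str                # "any", "tcp", "udp"
    source: str                  # alias name or CIDR
    destination: str             # "WAN address" or CIDR
    dst_port: Optional[int] = None
    description: str = ""


def expand_source(source):
    """Expand an alias into its networks; a literal CIDR is used as-is."""
    members = ALIASES.get(source, [source])
    return [ipaddress.ip_network(m, strict=False) for m in members]


def evaluate(rules, src_ip, dst_ip, protocol, dst_port=None):
    """Return (action, description) of the first rule matching the packet,
    or the implicit default deny when nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if not any(src in n for n in expand_source(r.source)):
            continue
        target = WAN_ADDRESS if r.destination == "WAN address" else r.destination
        if dst not in ipaddress.ip_network(target, strict=False):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return (r.action, r.description)
    return ("block", "default deny on WAN")


# The rule exactly as the lab configures it.
LAB_RULES = [Rule("pass", "any", "RemoteAdmin", "WAN address", None,
                  "allow remote administration from trusted IPs")]

# Tighter variant (not a lab step): only HTTPS to the WebGUI from the alias.
TIGHT_RULES = [Rule("pass", "tcp", "RemoteAdmin", "WAN address", 443,
                    "allow WebGUI from trusted IPs")]

if __name__ == "__main__":
    for rules, label in [(LAB_RULES, "lab rule"), (TIGHT_RULES, "tight rule")]:
        for src, proto, port in [("192.0.2.5", "tcp", 443),
                                 ("203.0.113.50", "tcp", 443),
                                 ("198.51.100.7", "tcp", 22)]:
            print(label, src, proto, port, "->",
                  evaluate(rules, src, WAN_ADDRESS, proto, port))
```

With the lab rule, an HQ source reaches the WebGUI while the constructed untrusted address 203.0.113.50 falls through to the default deny; the tight variant additionally refuses an SSH attempt from a trusted network, which is the behaviour to prefer once the VPN in the next lab becomes the primary management path.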

3.3 Test Remote Administration

Step 1: On HQ-client, browse to https://203.0.113.10.

Step 2: It should load, allowing you to log in and manage the branch system from HQ.

You have now reached the end of this lab.

Lab Summary

Exercise       What We Did                                                Key Takeaway
DNS Resolver   Configured domain overrides and host overrides             Use overrides for internal domains and split DNS
DHCP Server    Changed scope and added static mapping                     Static IPs must be outside the DHCP pool
Branch Setup   Brought branch firewall online, added remote admin access  Restrict remote admin to trusted source IPs

Next Module

Continue to the next lab for VPN configuration and connecting the branch network.


Source: Netgate FUND001-LIVE-Lab4-Services.pdf