Static DHCP Mapping in pfSense

In the previous posting, I covered how to configure basic settings for the DHCP server. In this part, I cover static DHCP mappings. A static DHCP mapping ensures a client is always given the same IP address.

Static DHCP Mapping: First Method


Edit static mapping page in the pfSense web GUI.

To add static DHCP mappings, browse to Status -> DHCP Leases to view the list of clients that have been issued DHCP leases. Click the “plus” button to add a new static DHCP mapping. The MAC address field will be pre-filled; enter an IP address, which must be outside of the range of dynamically assigned DHCP addresses. Finally, enter a “Hostname” and “Description” if desired. Now press “Save” to save the changes, and “Apply” to apply changes if necessary.

Static DHCP Mapping: Second Method

If no DHCP leases have been issued yet, you may not be able to add static DHCP mappings from Status -> DHCP Leases. Fortunately, there is a second method for adding static DHCP mappings. Browse to Services -> DHCP Server -> Interface (if you followed along with my previous DHCP setup scenario, the interface will be “LAN”). Scroll to the bottom of the page, and you will find “DHCP Static Mappings for this interface.” Click on the Add button to the right. From the Services -> DHCP -> Edit static mapping page, you can type in “IP Address”, “Hostname” and “Description”, as described above.


Now, when a client connects to your DHCP server, the firewall will first check for a mapping in the “DHCP Static Mappings” table. If the client’s MAC address matches a mapping you specified, then the DHCP server uses the IP address specified in the mapping. If no mapping exists for your client’s MAC address, your DHCP server uses an IP address from its available range. Alternatively, you could have selected “Deny Unknown Clients” under Services -> DHCP Server -> Interface, in which case the client will not get a DHCP lease unless the client is defined in the static mappings table.
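The lookup order described above, together with the rule that a static address must sit outside the dynamic range, can be checked before the mappings are entered in the GUI. The following is an added example, not code from pfSense or from the original post; the pool range, MAC addresses and function names are constructed for illustration.

```python
import ipaddress

def norm_mac(mac):
    """Canonicalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(pool_start, pool_end, mappings):
    """Return problems: static IP inside the dynamic pool, or a reused MAC/IP."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems, seen_mac, seen_ip = [], set(), set()
    for mac, ip in mappings:
        mac, ip = norm_mac(mac), ipaddress.ip_address(ip)
        if lo <= ip <= hi:
            problems.append(f"{ip} for {mac} is inside the dynamic pool")
        if mac in seen_mac:
            problems.append(f"{mac} is mapped more than once")
        if ip in seen_ip:
            problems.append(f"{ip} is assigned to more than one MAC")
        seen_mac.add(mac)
        seen_ip.add(ip)
    return problems

def offer(client_mac, mappings, free_pool, deny_unknown=False):
    """Lookup order from the text: static table first, then the pool.
    With deny_unknown set, a client without a mapping gets no lease (None)."""
    table = {norm_mac(m): ip for m, ip in mappings}
    mac = norm_mac(client_mac)
    if mac in table:
        return table[mac]
    if deny_unknown or not free_pool:
        return None
    return free_pool[0]

# Constructed sample data (not from the original post).
POOL = ("192.168.1.100", "192.168.1.199")
MAPPINGS = [
    ("00:11:22:33:44:55", "192.168.1.10"),   # fine: outside the pool
    ("00-11-22-33-44-66", "192.168.1.150"),  # problem: inside the pool
    ("00:11:22:33:44:77", "192.168.1.10"),   # problem: IP already used
]
FREE = ["192.168.1.100", "192.168.1.101"]

if __name__ == "__main__":
    for p in audit(*POOL, MAPPINGS):
        print("WARN", p)
    print(offer("00:11:22:33:44:55", MAPPINGS, FREE))
    print(offer("de:ad:be:ef:00:01", MAPPINGS, FREE, deny_unknown=True))
```

The match is on the MAC address alone, and a MAC address is a value the client chooses, so a static mapping or “Deny Unknown Clients” identifies a device but does not authenticate it.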

Static mappings can always be viewed at the bottom of the DHCP Server configuration page for each interface. All static mappings for a given interface can be managed here. Existing mappings can be modified or removed, and new static mappings can be created (but you will have to enter the MAC addresses manually).


External Links:

Configuring DHCP Server and Dynamic DNS Services

pfSense Setup: Part Four (Setting up a DMZ)


The optional interface configuration page in the pfSense web GUI (which is similar to the WAN and LAN config pages).

In the first three parts, I covered booting and installing pfSense, general configuration options in the pfSense web GUI, and configuring WAN and LAN interfaces (also with the web GUI). In this part, I cover using an optional interface to create a DMZ.

In networking, a DMZ (de-militarized zone) is a place where some traffic is allowed to pass and some traffic is not. The area is separate from the LAN and WAN. In simple terms, a DMZ looks like this in relation to the rest of the network:

Internet traffic | <- DMZ <- LAN

Unsafe Internet traffic is allowed to enter the DMZ, but not the LAN. To configure it, we will need an optional interface.

Configuring the DMZ

From the web GUI, browse to Interfaces -> OPT1. If “Enable Interfaces” isn’t checked, check it. Set “Description” to DMZ. Under “Type”, choose “Static” as the address configuration method. For “IP address”, enter an IP address and the subnet mask (the subnet should be different than the subnet for your LAN). For example, if your subnet for the LAN is 192.168.1.x, it could be 192.168.2.x for the optional interface.

For “Gateway”, leave this option set to “None”. The last two options are “Block private networks” and “Block bogon networks”. Ensure that these two options are unchecked; we don’t want the system to block access from the Internet to the DMZ. Finally save changes by pressing the “Save” button.


Now that the DMZ is configured, your DMZ will allow WAN access. Your DMZ will also allow access from the LAN, but it won’t be permitted to send traffic to the LAN. This will allow devices on the Internet to access DMZ resources without being able to access any of your LAN. This could be useful, for example, for setting up an e-mail or FTP server.
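The traffic policy described above (Internet and LAN may reach the DMZ, nothing in the DMZ may open a connection to the LAN) can be written down as a check against a list of firewall rules. The following is an added example, not pfSense code or code from the original post: it assumes a simplified single ordered rule list where the first match wins and unmatched traffic is blocked, uses the 192.168.1.x and 192.168.2.x subnets from the example above, and the rule sets and probe addresses are constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet from the post's example
DMZ = ipaddress.ip_network("192.168.2.0/24")  # DMZ subnet from the post's example
ANY = ipaddress.ip_network("0.0.0.0/0")

def first_match(rules, src, dst):
    """Evaluate ordered (action, src_net, dst_net) rules; default is block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "block"

def check_dmz(rules):
    """Return violations of the DMZ policy described in the text."""
    issues = []
    if LAN.overlaps(DMZ):
        issues.append("LAN and DMZ subnets overlap")
    probes = [  # (source, destination, expected action, label); hosts are constructed
        ("192.168.2.10", "192.168.1.20", "block", "DMZ -> LAN"),
        ("203.0.113.5", "192.168.1.20", "block", "Internet -> LAN"),
        ("203.0.113.5", "192.168.2.10", "pass", "Internet -> DMZ"),
        ("192.168.1.20", "192.168.2.10", "pass", "LAN -> DMZ"),
    ]
    for src, dst, want, label in probes:
        got = first_match(rules, src, dst)
        if got != want:
            issues.append(f"{label}: expected {want}, got {got}")
    return issues

# Constructed rule sets (assumptions, not taken from the post).
LOOSE = [
    ("pass", ANY, DMZ),   # anyone may reach the DMZ servers
    ("pass", DMZ, ANY),   # DMZ may go anywhere: this also matches DMZ -> LAN
]
TIGHT = [
    ("block", DMZ, LAN),  # evaluated first, so the DMZ never opens a connection to the LAN
    ("pass", ANY, DMZ),
    ("pass", DMZ, ANY),
]

if __name__ == "__main__":
    print("LOOSE:", check_dmz(LOOSE))
    print("TIGHT:", check_dmz(TIGHT))
```

The model covers new connections only; replies to an allowed connection are handled by the firewall's state tracking and are not represented here.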

You could now attach a switch to your DMZ interface. This would enable you to connect multiple machines to the DMZ.

External Links:

Setting Up a DMZ in pfSense


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Part Three (WAN and LAN settings)



pfSense Setup: Part Three (WAN and LAN Settings)

In pfSense Setup: Part Two, I covered General Settings within the pfSense web GUI. In this part, I cover configuring the WAN and LAN interfaces. There are a number of different options here; fortunately, pfSense makes the job easy on us by creating reasonable defaults. From the pfSense web GUI menu, go to Interfaces -> WAN.

pfSense Setup: WAN Interface Settings


The WAN settings page in the pfSense web GUI.

The WAN interface provides your connection to the Internet. To access the WAN, you will need a properly-configured WAN interface and an Internet connection. Typically your Internet connection will be through a cable modem provided by your Internet service provider (ISP), but pfSense will support other connection methods as well.

To configure the WAN interface, browse to Interfaces | WAN. Under “General Configuration”, check Enable Interface. You can change the description of the interface (Description).

The next item is “Type”. Here you can choose the interface type. “Static” requires you to type in the WAN interface IP address. “DHCP” gets the IP address from the ISP’s DHCP server, and is probably what you want to select. “PPP” stands for Point-to-Point Protocol, a protocol used for dialup modem connections as well as T-carrier, E-carrier connections, SONET and SDH connections and higher bitrate optical connections. “PPPoE” stands for Point-to-Point Protocol over Ethernet and is used by a number of DSL providers. “PPTP” stands for Point-to-Point Tunneling Protocol and is a method for implementing virtual private networks (VPNs); unless your WAN interface is a VPN you won’t want to choose this option. “L2TP” stands for Layer 2 Tunneling Protocol, a tunneling protocol also used with VPNs.

The next option is MAC address. Typing in a MAC address here allows you to “spoof” a MAC address. The DHCP servers of ISPs assign IP addresses based on MAC addresses. But they have no way of verifying a MAC address, so by typing a different MAC address, you can “force” your ISP’s DHCP server to give you another IP address. Unless you want to spoof your MAC address, you can leave this field blank. MTU stands for maximum transmission unit. Larger MTUs bring greater efficiency but also greater latency. This should probably be left unchanged. MSS stands for maximum segment size, and specifies the largest amount of data pfSense can receive in a single TCP segment. This also should likely be left unchanged.


The next section is different depending on what you selected for the interface type. If you selected “DHCP”, the options will be “Hostname” and “Alias IP Address”. Hostname can be left blank unless your ISP requires it for client identification, and Alias IP address can also be left blank unless the ISP’s DHCP client needs an alias IP address.

The next section is “Private Networks”. Checking “Block private networks” ensures that traffic from 10.x.x.x, 172.16.x.x, and 192.168.x.x addresses, as well as loopback addresses (127.x.x.x), is blocked on this interface. This should be left checked under most circumstances. “Block bogon networks” blocks traffic from IP addresses either reserved or not yet assigned by IANA. This should be left checked as well, for obvious reasons.
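To see which source addresses fall under “Block private networks”, the ranges named above can be written as CIDR blocks and tested against sample traffic. The following is an added example, not pfSense code or code from the original post; it assumes the RFC 1918 block boundaries (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus 127.0.0.0/8, and the log lines and their format are constructed. Bogon ranges are not modelled.

```python
import ipaddress
import re

# Private and loopback ranges as CIDR blocks (assumed boundaries, see lead-in).
BLOCKED = {
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918",
    "192.168.0.0/16": "RFC 1918",
    "127.0.0.0/8": "loopback",
}
NETS = [(ipaddress.ip_network(cidr), why) for cidr, why in BLOCKED.items()]

def blocked_reason(addr):
    """Return why a source address would be dropped, or None if it is allowed."""
    ip = ipaddress.ip_address(addr)
    for net, why in NETS:
        if ip in net:
            return f"{why} ({net})"
    return None

SRC = re.compile(r"\bsrc=(\S+)")

def flag_lines(lines):
    """Return (source, reason) for each line whose source is in a blocked range."""
    hits = []
    for line in lines:
        m = SRC.search(line)
        if not m:
            continue
        try:
            why = blocked_reason(m.group(1))
        except ValueError:
            why = "unparseable source"  # surface malformed input, do not skip it
        if why:
            hits.append((m.group(1), why))
    return hits

# Constructed log lines in a made-up format (not pfSense's filter log format).
SAMPLE = [
    "wan in src=198.51.100.7 dst=203.0.113.1",
    "wan in src=10.44.0.9 dst=203.0.113.1",
    "wan in src=172.31.255.254 dst=203.0.113.1",  # last /16 inside 172.16.0.0/12
    "wan in src=172.32.0.1 dst=203.0.113.1",      # just outside the private block
    "wan in src=127.0.0.1 dst=203.0.113.1",
    "wan in src=not-an-ip dst=203.0.113.1",
]

if __name__ == "__main__":
    for src, why in flag_lines(SAMPLE):
        print(f"{src:18} {why}")
```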

Save the options and move on to Interfaces -> LAN.

pfSense Setup: LAN Interface Settings


The LAN settings page in the pfSense web GUI.

Under “General Configuration”, “Enable Interface” should be checked, since unchecking it will prevent the local network from connecting to the router. “Description” allows you to type in a description of the interface.

“Type” allows you to choose an interface type. See the section on WAN settings for an explanation of each of the options. “MAC address” allows you to type in a different MAC address in order to do MAC address spoofing. Again, see the section on WAN interface settings for a more detailed explanation. “MTU” and “MSS” are also explained under WAN settings. “Speed and duplex” allows you to explicitly set speed and duplex mode for the interface; pfSense should autodetect this, so this option should be left unchanged.

If you selected “Static” for the interface, there should be a “Static IP Configuration” section with two options: “IP address” and “Gateway”. With “IP address”, you can change the IP address of the LAN interface (it defaults to 192.168.1.1).

The next section is “Private networks”. The two options are “Block private networks” and “Block bogon networks”. See the section on configuring the WAN interface for detailed explanations of these options.

That does it for WAN and LAN settings. In pfSense Setup: Part Four, I will take a look at setting up an optional interface.


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)



pfSense Setup: Part Two


The General Setup menu in the pfSense web GUI.

If you followed the setup instructions in pfSense Setup: Part One, pfSense should be running and accessible via the web interface at 192.168.1.1 (or another IP address if you assigned a different one). You should be able to log in using the default username (admin) and password (pfsense).

You will want to change some of the basic settings in General Setup. In the web interface, browse to System | General Setup. At “Hostname”, enter your hostname (the name that will be used to access the machine by name instead of the IP address).

Below this, enter your domain (Domain in the General Settings).

DNS Servers can also be specified. By default, pfSense will act as the primary DNS server. However, other DNS servers may be used, and the place to enter them is in the four boxes for DNS servers.

Check Allow DNS server list to be overridden by DHCP/PPP on WAN. This ensures that DNS requests that cannot be resolved internally are passed on to the WAN and resolved by the external DNS servers provided by your internet service provider.


Next, select the correct time zone; you probably want to leave the default NTP time server as it is.

Next is the theme, which allows you to change the look and feel of the pfSense web GUI. You can probably keep the default theme, pfSense_ng.


pfSense’s User Manager, which has been part of the pfSense web GUI since version 2.0.

NOTE: You probably want to change the admin password. You can do this under System -> User Manager. Here you can change the admin password, add new users, and delete users, including the admin.

That’s it for the General Setup within the web GUI. In pfSense Setup: Part Three, I will cover how to configure the WAN and LAN interfaces using the web GUI. Part Four will cover configuring optional interfaces.


External Links:

Another useful guide on installing and configuring pfSense (from the iceflatline blog)



pfSense Setup: Part One


Initial pfSense menu when pfSense is booted from the CD.

For purposes of this article on pfSense setup, we will assume that you already have a system that meets the minimum specifications to run pfSense (if you have not acquired the components yet or if you’re not sure if your equipment meets the specs, you may want to check this document on pfSense requirements). In a nutshell, however, the minimum hardware requirements are:

  • 100 MHz Pentium CPU
  • 128 MB RAM
  • CD-ROM (for installation or for the Live CD if you run it off the CD)
  • 1 GB hard drive (if you install it onto a hard drive)
  • Two network interface cards

You can run pfSense from a Live CD or a bootable USB drive.

Download the latest version of pfSense. You can find it at this FTP site. You probably want to verify the integrity of the download with the MD5 checksum as well. Once this is done, burn the pfSense ISO to a CD or to the media of your choice. You can burn the ISO with the program of your choice; you can do it at the Linux command line with this command:

sudo cdrecord -v speed=20 dev=/dev/sr0 pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso

Boot your PC with the pfSense CD. You will be presented with a “Welcome to pfSense!” menu with several options. For this screen, you can choose the default option (Boot pfSense). At this point, you can press “I” to invoke the installer, or continue the LiveCD bootup. If you want to boot the LiveCD, either do nothing or hit “C”, and you can skip the following section. [In this case, continue with pfSense setup here.]

pfSense Setup: Installation Onto a Hard Drive

If you hit “I”, then the next screen will be the “Configure Console” menu. Most likely you can choose the “Accept these Settings” option and press [Enter].


The next menu is the “Select Task” menu. There are several options: “Quick/Easy Install”, “Custom Install”, “Rescue config.xml”, “Reboot”, and “Exit”. If you just want to install onto the first hard drive, you can select “Quick/Easy Install” and press [Enter].

The next dialog box is the “Are you SURE” dialog box, which will ask you to confirm your decision to install pfSense by highlighting “OK” and pressing [Enter]. Any data on the first hard drive will be erased in order to install pfSense.

Installation will take a few minutes, as pfSense formats your drive and copies the software to it. Next is the “Install Kernel(s)” screen. Select “Symmetric multiprocessing kernel” and press [Enter].

At the “Reboot” screen, remove the pfSense CD from the CD/DVD drive, highlight “Reboot” and press [Enter].

After the system reboots, you will see the initial “Welcome to pfSense!” menu. Press [Enter] to select the default, or just wait for the pause timer to run out.

pfSense Setup: Further Configuration

[Resume here if you are booting from the LiveCD.]

As pfSense boots, the detected network interface cards will be listed. If not all of your network cards are listed, you will want to exit out of the install by hitting [CTRL-C] and selecting “6” on the menu. Otherwise, the next choice will be:

Do you want to set up VLAN’s now [y|n]?

Assuming that this is a basic pfSense setup, you can type [n] and continue.

The next option is:

Enter your LAN interface name

Here, type the name of the network interface card that will be directly connected to your internal network. The next option is:

Enter your WAN interface name

Here, type the name of the network interface card that will be connected to the internet.

If you installed more than two network cards, then pfSense will prompt you to enter the names of them. For the third card it will prompt:

Enter the Optional 1 interface name

When there are no more network cards to name, you will get the prompt:

Do you want to proceed [y|n]?

Be sure to type [y]. You have completed the first phase of pfSense setup. Now pfSense will be running and fully functional. If you wish, you can connect via the web interface, to which pfSense by default assigns an IP address of 192.168.1.1.

Part Two of this article on pfSense setup will go step-by-step through configuring pfSense via the web interface.


The Rest of the Guide:

Part Three (WAN and LAN Settings)

Part Four (Setting Up a DMZ)



© 2013 David Zientara. All rights reserved.