Netgate Discussion Forum

    Help with some basic concepts in a pfSense router-on-a-stick scenario

    General pfSense Questions
    10 Posts 2 Posters 2.2k Views
    • justcurious

      New pfsense user here – well, new to networking in general :-) So far it has been a fun and extremely pleasant ride and with a little bit of research and digging here and there I managed to accomplish most of what I intend to do. However, as the practical side seems to be working just fine, I’ve gotten to the point where I need some advice on the conceptual side. So if you have a moment, I’d be really grateful.

      Objective
      Network segmentation for better home network management and improved security

      What has been done so far
      I have set up a three-device-combo which includes: pfSense firewall/router (with two ports for WAN/LAN), a VLAN capable switch, and a separate WLAN-AP.

      Before posting here, I spent a considerable amount of time researching how to best explain my scenario and I was lucky enough that someone else basically wrote the how-to I was planning to write at the end of my experience: https://nguvu.org/pfsense/pfsense-router-on-a-stick-with-netgear-gs108/ (should this person be a user here and come across my post – huge thanks!)

      As for my network design, the above link is pretty accurate. So far I have my home LAN and a working GuestWifi on a separate subnet. The firewall rules are set up in such a way that devices on the GuestWifi can’t communicate with devices on the home LAN. This is something I have tested by trying to ping devices on the home LAN from the GuestWifi. Next, I made sure that access to pfSense management (GUI and SSH) is blocked on the guest network. This also works as it should. Which leads me to the next part.

      Aspects I would like to understand better

      DMZ

      After having set up the firewall rules to isolate the GuestWifi from the home LAN, I noticed that I could (should?) be doing the same on the home LAN since without setting up the proper firewall rules, the home LAN can still access the GuestWifi. What does that mean for security? Am I right in thinking that if the GuestWifi gets compromised, there isn’t much to worry about on the home LAN, however, if the home LAN gets compromised, the GuestWifi is also at risk?

      The reason I ask is mostly because I plan to set up a DMZ for virtual servers that should be accessible on the Internet. Now, as far as security is concerned, I go by the principle that it is a matter of time before a machine that is accessible on the Internet gets compromised. Of course, securing the server is still a priority and won’t be neglected, but I want my other subnets as safe as possible should the device in the DMZ get compromised. Like with the above example (GuestWifi), is it still reasonably safe for the nodes on the other subnets if I set up the proper firewall rules for the DMZ to block all access to other subnetworks, but leave access from the subnet my main computer is on for managing the server in the DMZ? Or would my main computer (and by extension the nodes on the same network) also be at risk?

      DNS/VPN
      Currently I am testing the use of a VPN and almost everything is working as it should. I define a couple of devices that would use the VPN and the remaining ones just go through the WAN interface. However, as soon as I turn on the VPN, every device (regardless of whether it goes through the VPN or the WAN interface) uses the VPN provider's DNS servers, resulting in the devices going through the WAN interface using the external IP given by the ISP together with the VPN provider’s DNS servers.

      I haven’t changed anything in the DNS settings after installing pfSense (DNS forwarder is turned off, DNS resolver is turned on (Network Interfaces (and Outgoing) on ALL)). When I go to the OpenVPN settings, there is an option called “Don’t pull routes”. This is unchecked, but when I check it, suddenly everything uses the ISP’s DNS servers, obviously resulting in DNS leaks on the VPN side (which is not desirable either). Is there a way to make it so that devices going through the WAN interface will use the ISP’s DNS servers while those going through the VPN interface will use those from the VPN?

      Lastly, if you know about any good literature related to these topics, I’d be really interested! I’m independent and do all this purely for the fun and the learning experience (and maybe for an interesting home network :-)). My only restriction is that I would like to use open source as far as the software is concerned. However, if the concepts are explained using proprietary tools, that's totally OK with me (I started to understand VLANs by reading things and watching clips demonstrating the concepts on Cisco products).

      Thx in advance for any help!

      • johnpoz LAYER 8 Global Moderator

        Where exactly does your router on a stick come in?  You state you have 2 interfaces wan/lan - that is not a router on a stick ;)

        While ok, if you're going to run vlans on top of your lan interface you're going to be hairpinning for any intervlan traffic.. But that is not really a router on a stick..

        To your dmz question?  It is quite common to allow traffic IN to your dmz, you normally block traffic OUT from your dmz.. As you state you need to manage the stuff in the dmz..  You might even want to use the same resources you're letting the internet use..

        As to your dns issue..  How do you have your dns setup - out of the box pfsense would be resolving and your clients would ask pfsense.  How would that use your vpn dns?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1
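The asymmetry the question above is circling (GuestWifi blocked from the LAN while the LAN can still reach the guests, and a DMZ that is reachable from the LAN but blocked outbound, as the reply puts it) follows from how pfSense evaluates rules: on the interface the packet enters, top-down, first match wins, default deny. The following toy evaluator is an added example, not pfSense code or anything from the poster; the subnets, the firewall's addresses and the management ports are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the three segments the thread describes (home LAN,
# GuestWifi, DMZ). The subnets and the firewall's own addresses are assumptions.
NETS = {
    "LAN":   ip_network("192.168.1.0/24"),
    "GUEST": ip_network("192.168.20.0/24"),
    "DMZ":   ip_network("192.168.30.0/24"),
}
FIREWALL_ADDRS = {ip_address(a) for a in ("192.168.1.1", "192.168.20.1", "192.168.30.1")}
MGMT_PORTS = {22, 443}  # SSH and the web GUI

# pfSense semantics modelled here: rules live on the interface a packet ENTERS,
# are checked top-down, the first match wins, and no match means deny.
# Each rule is (action, destination, destination ports or None for any port).
RULES = {
    "GUEST": [
        ("block", "firewall", MGMT_PORTS),  # guests cannot reach GUI/SSH
        ("block", "LAN", None),             # guests cannot initiate to the home LAN
        ("pass", "any", None),              # everything else (internet, DNS) allowed
    ],
    "DMZ": [
        ("block", "LAN", None),             # a compromised DMZ host cannot reach the LAN
        ("block", "GUEST", None),
        ("pass", "any", None),
    ],
    "LAN": [
        ("pass", "any", None),              # the stock "Default allow LAN to any" rule
    ],
}


def segment_of(ip):
    """Return the segment name a source address belongs to (its ingress interface)."""
    addr = ip_address(ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not on a known internal segment")


def is_allowed(src, dst, dport):
    """Decide whether a NEW connection from src to dst:dport is permitted."""
    dst_addr = ip_address(dst)
    for action, target, ports in RULES.get(segment_of(src), []):
        if target == "any":
            hit = True
        elif target == "firewall":
            hit = dst_addr in FIREWALL_ADDRS
        else:
            hit = dst_addr in NETS[target]
        if hit and (ports is None or dport in ports):
            return action == "pass"
    return False  # implicit default deny


def initiation_matrix(dport=445):
    """Which segment can open connections to which: {(src, dst): bool}."""
    hosts = {name: str(net[10]) for name, net in NETS.items()}
    return {(s, d): is_allowed(hosts[s], hosts[d], dport)
            for s in NETS for d in NETS if s != d}
```

The matrix shows the direction of trust: with these rules a guest or DMZ host cannot open anything towards the LAN, while the LAN can reach both, so a compromised LAN host is the one that puts the other segments at risk.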

        • justcurious

          "Where exactly does your router on a stick come in?  You state you have 2 interfaces wan/lan - that is not a router on a stick ;)"

          Thank you for clarifying  :D As you can see, I'm not exaggerating when saying that I'm a complete novice (started a month ago learning about all this). So in my scenario, pfSense has two interfaces, WAN connecting to the modem and the LAN connecting to the switch. This would be a boring normal scenario then?  ;)

          "While ok if your going to run vlans on top of your lan interface your going to be hairpinning for any intervlan traffic"

          So would it be an option to run the VLANs on top of the WAN interface? Every device (including the AP) will connect to the switch that's physically connected to the LAN interface.

          "To your dmz question?  It is quite common to allow traffic IN to your dmz, you normally block traffic OUT from your dmz"

          Perfect, that's how I imagined it would work :D

          "As to your dns issue..  How do you have your dns setup - out of the box pfsense would be resolving and your clients would ask pfsense.  How would that use your vpn dns?"

          To be honest, I don't understand this whole process well enough to provide you with a useful answer. All I did was set up a VPN based on a tutorial for PIA that I found in this forum. Here's the link: https://forum.pfsense.org/index.php?topic=76015.0.

          That is also the reason why I'm looking for more literature and info on these subjects, because getting it to work seems fine, but conceptually understanding these topics is equally important to me. I will see whether I can get a better grasp of how this works and if it still remains an issue I will ask the question again, but in a more useful way.

          And thank you for your quick reply.

          • johnpoz LAYER 8 Global Moderator

            While you could run vlans on your wan interface - this is not a typical scenario.  Unless your isp was sending you vlan tags.. Some could do internet over 1 network and say iptv over another vlan.  But unless you have such an isp then normally you would not run vlans on your "wan" interface unless pfsense was going to be used downstream in a network behind other routers/switches.

            I understand how vpn client works ;)  And again that would not use your vpn dns in any sort of normal setup.

            I would suggest you research the difference between resolver and forwarder.  Out of the box pfsense defaults to using a resolver.  But why did you uncheck pfsense from using itself for dns??  Makes it hard to resolve your local machines.  Why would you have your isp override dns, etc.  That is not how it would work with using resolver..

            Yes in a typical setup you would from your vlan capable switch create a trunk port (carries vlans via tags) to your pfsense lan interface.  You would then trunk to your AP that does vlans and you could have multiple networks via different ssids, or even dynamically assign them when you get real fancy.

            You could then also setup other vlans on your switch for other networks.  I have 7 different vlans on my current home setup.  Isolation of iot devices is a good idea for example!  Your guest wifi, your normal wifi, etc.


            • justcurious

              So I got myself a typical setup. What you're describing is exactly what I've done to set up a guest wifi and your home setup sounds like what I'd like to do, but with fewer vlans.  ;)

              As for the resolver/forwarder, thanks for the hint!  I'll look into it. I didn't uncheck anything at the moment, though. Under Services/DNS Resolver it is set to enabled and interface is on ALL (I believe that's how it was default).

              I think I didn't properly explain what I find curious: It's not that I want my ISP to override anything, but I thought that when I turn on the VPN, devices that are going through the VPN gateway would use the VPN provider's DNS servers whereas devices that go through the WAN interface would simply use the ISP's DNS servers since I haven't configured anything additionally. However, as soon as I switch on the VPN, devices going through the WAN interface also use the VPN provider's DNS servers. Does that make sense?

              I mean the good thing is there are no issues with DNS leaks when using a VPN  :)

              What I did play with is a setting under the OpenVPN options which is called "Don't pull routes". But I realized that stuff is currently way over my head so back to reading…

              Last thing: I really appreciate the help and I would like to show some support. Is it on my end or is the freebsdfoundation site not available? Would buying a device on pfSense.org help the project?

              • johnpoz LAYER 8 Global Moderator

                "I mean that good thing is there are no issues with DNS leaks when using a VPN"

                Oh my F'ing gawd.. The sky is falling, I asked my isp dns for www.google.com ::) ;)

                "devices that are going through the VPN gateway would use the VPN provider's DNS servers wheres devices that go through the WAN interface would simply use the ISP's DNS servers since I haven't configured anything additionally. However"

                And what are your devices pointing to for dns?  Why would they go through the vpn to ask pfsense for something?  So let's ask this again - where are your clients pointing for dns??  Setting up a vpn client on pfsense for your devices to use, does not have pfsense use your vpn dns..  Out of the box pfsense is resolver - did you alter this.. That means they ask the roots for dns and walk down the tree to the authoritative ns for the domain you are looking for a record in.

                As to the freebsd issue.. It is up - if you're having issues getting to it, points to a problem with your dns configuration ;)


                • justcurious

                  Alright, I'll give my best  ;)  :D

                  • I haven't touched the DNS resolver or any settings regarding DNS on pfSense
                  • I haven't manually configured DNS servers on my computer
                  • I haven't specified any DNS servers in any setting anywhere on pfSense (neither in System/General Setup nor in Services/DHCP Server)

                  Scenario 1:
                  Status / OpenVPN: switched off -> obviously, the used DNS servers are those from my ISP

                  Scenario 2:
                  Status / OpenVPN: switched on -> DNS servers are now those from the VPN - regardless of whether the devices on the network are configured to use the VPN or not.

                  Scenario 3:
                  Status / OpenVPN: switched on + under options VPN / OpenVPN / Clients either "Don't pull routes" or "Don't add/remove routes" checked and it will use the ISP's DNS servers / if both are unchecked it will use the VPN provider's DNS servers without having to configure anything anywhere to use them

                  Now that is probably normal behavior and goes back to what you've told me earlier: I should properly learn what a DNS resolver/forwarder actually does.

                  And indeed, when the VPN is switched off i.e. no VPN DNS, freebsdfoundation is reachable meaning a donation isn't far away ;)

                  • johnpoz LAYER 8 Global Moderator

                    Scenario 1

                    No that is not how it works out of the box.. If you did not make any changes to pfsense out of the box it uses RESOLVER.. And walks down from root to the authoritative server for what you're looking for.  Your ISP dns has zero to do with anything..

                    Scenario 2
                    I have no idea why you would think this is the case - because again out of the box pfsense uses resolver mode!!!!!  It would never ask your vpn or any other forwarded ns anything.  It walks down the tree from the roots to get to the authoritative server for what you're looking for.

                    3
                    Again - out of the box pfsense does NOT use isp dns..

                    So is the resolver service running on pfsense?  You did not go into it and click use forwarder mode?

                    Your clients show they are using what for dns?  Windows do an ipconfig /all  where do they point for dns?

                    When you go to pfsense and do diag, dns lookup for say www.google.com what does show it asked?  127.0.0.1 or some other IP?

                    How are you seeing that your clients are using your vpn dns??  Are you going to some dns leak page??  Or what??  Adding a vpn client does not force queries from pfsense to go down the tunnel, so I don't see how it's possible to have pfsense in forwarder mode be using your vpn dns.  Unless you are actually pointing pfsense to those dns servers??

                    Are you doing any sort of nat for udp 53?  Trying to direct clients somewhere for dns?  Is your isp or vpn provider doing any sort of dns hijack..  How exactly are you thinking that when you enable vpn everything is using vpn for dns??

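The distinction the reply keeps pointing at (resolver walks from the roots down to the authoritative server; forwarder hands the whole question to one upstream such as the ISP's or the VPN provider's DNS) as an added toy model in Python. It is not pfSense or unbound code; the delegation tree, the upstream name and the addresses are constructed stand-ins.

```python
# Constructed delegation tree standing in for the real DNS hierarchy. Each
# "server" knows only its own zone: the children it delegates (ns) and the
# records it is authoritative for (a). Names and addresses are made up.
ZONES = {
    "root":        {"ns": {"com.": "com-tld"}, "a": {}},
    "com-tld":     {"ns": {"google.com.": "google-auth"}, "a": {}},
    "google-auth": {"ns": {}, "a": {"www.google.com.": "203.0.113.10"}},
}
# What a single upstream (ISP or VPN provider DNS) would hand a forwarder.
UPSTREAM_ANSWERS = {"www.google.com.": "203.0.113.10"}


def _delegated_to(zone, name):
    """Longest delegation in this zone that covers name, or None."""
    best = None
    for suffix, child in zone["ns"].items():
        covers = name == suffix or name.endswith("." + suffix)
        if covers and (best is None or len(suffix) > len(best[0])):
            best = (suffix, child)
    return best[1] if best else None


def query(server, name):
    """Ask one server. Returns ('answer', ip), ('referral', server) or ('nxdomain', None)."""
    zone = ZONES[server]
    if name in zone["a"]:
        return "answer", zone["a"][name]
    child = _delegated_to(zone, name)
    return ("referral", child) if child else ("nxdomain", None)


def resolve(name, max_hops=10):
    """Resolver mode (pfSense default): start at the roots and follow referrals
    down to the authoritative server. Returns (ip or None, servers asked)."""
    asked, server = [], "root"
    for _ in range(max_hops):
        asked.append(server)
        kind, data = query(server, name)
        if kind == "answer":
            return data, asked
        if kind == "nxdomain":
            return None, asked
        server = data
    raise RuntimeError("too many referrals")


def forward(name, upstream="vpn-provider-dns"):
    """Forwarder mode: hand the whole question to one upstream and trust it."""
    return UPSTREAM_ANSWERS.get(name), [upstream]
```

The second element of each result is the list of servers that saw the question: in resolver mode neither the ISP's nor the VPN provider's DNS appears in it, which is why clients pointed at pfSense (127.0.0.1 on the dashboard) do not use either unless something forwards to them.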

                    • justcurious

                      Quick reminder: complete novice, been doing this for a month (as in zero network experience  ;) )

                      Now, I finally know what you mean and apologies for going in circles like that (initially I didn't even want to ask this question before taking some time to learn the basics - well, lesson learned..)

                      Everything works as you'd expect: DNS resolver is checked and on the dashboard it shows 127.0.0.1 as the DNS server. And yes, I was talking about DNS leaking and went to check on a DNS leak page (which is what I was talking about all along…). I'll hand you the gun myself, please make it quick and painless  ::)

                      p.s.: not a windows user

                      • justcurious

                        Hey John!

                        With a little bit of research and determination most problems seem to be solvable  ;)

                        Anyways, just wanted to keep you updated since in the meantime I managed to better understand what the issue was (besides my lack of communicating it properly) and to solve it.

                        I tried to understand the DNS forwarder/resolver a little better and while I'm not fully there yet, I have a bit of an idea (which helped me refine my research)

                        Now, I saw that I'm not the first one that asked this question and in fact you already tried to help another user with the issue (https://forum.pfsense.org/index.php?topic=105194.msg591337#msg591337)

                        Should this question be asked in the future, another kind user created a tutorial to solve it (for reference: https://forum.pfsense.org/index.php?topic=106305.0)

                        As far as checking a DNS leak website is concerned to see whether everything is configured properly, the following happened to me before finding the above linked solution:

                        Enable VPN:

                        • clients set up to use the VPN: no leaks, the results on the site are the VPN provider's DNS servers
                        • clients NOT using the VPN: their IP (from the ISP) doesn't match the results on the leak site, since the site also shows the VPN provider's DNS servers as the result

                        If I'm not mistaken this is normal if the "Don't pull routes" option is NOT selected (selecting this would only result in DNS leaks for clients using the VPN).

                        If I understand correctly, the solution provided in the above link simply prevents the VPN from accessing the DNS resolver?

                        While the solution works as far as the results on the DNS leak page are concerned, it now takes quite a bit longer (2-3 seconds) to resolve addresses when using the VPN. I guess that might be normal behavior as well? (Edit: just needed to restart networkmanager - everything working as it should)

                        I'll try to optimize the setup further and I hope with the links mentioned above we can prevent future headaches should others run into the same issue.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.