pfSense: Configuring DHCP Server and Dynamic DNS Services

by Matt Williamson | April 2011 | Cookbooks Open Source

pfSense is an open source, FreeBSD-based firewall distribution that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options.

In this article by Matt Williamson, author of pfSense 2 Cookbook, we will cover:

  • Configuring the DHCP server
  • Creating static DHCP mappings
  • Configuring the DHCP relay
  • Specifying alternate DNS servers
  • Configuring the DNS forwarder
  • Configuring a standalone DHCP/DNS server
  • Configuring dynamic DNS

 


Configuring the DHCP server

This recipe describes how to configure the DHCP service in pfSense. The DHCP service assigns an IP address to any client who requests one.

Getting ready

pfSense can only be configured as a DHCP server for interfaces configured with a static IP address. Using the examples in this article, that includes the LAN and DMZ interfaces but not the WAN. This example recipe will configure the DHCP server for your DMZ interface.

How to do it...

  1. Browse to Services | DHCP Server.
  2. Choose the DMZ tab.
  3. Check Enable DHCP server on DMZ interface:


  4. Choose a Range of IP addresses for DHCP clients to use. This range must be contiguous and within the Available range listed above the Range:

  5. Save the changes and the DHCP service will be started.
  6. Apply the changes, if necessary.

How it works...

A DHCP server accepts requests from clients and assigns them an available IP address.

There’s more...

A DHCP server fulfills a client request by handing out the first available IP address. This means that it’s very likely that a client will receive a different IP address with every request.

To ensure that a client always receives the same IP address, we can create a static DHCP mapping. See the next recipe, Creating static DHCP mappings, for more information.

Deny Unknown Clients

Enabling this option ensures that only clients with static DHCP mappings will receive an IP address. DHCP requests from all other clients will be ignored.

This is different from Enable static ARP entries, where unknown clients will receive an IP address, although they won’t be able to communicate with the firewall (on that interface) in any way.

DNS Servers

Specify any DNS server to be automatically assigned to our DHCP clients. If left blank, pfSense will automatically assign DNS servers to our clients in one of the following two ways:

  • If DNS Forwarder is enabled, then the IP address of the interface is used. This is because the DNS Forwarder turns the pfSense machine itself into a DNS server, so the IP of the pfSense machine (that is, the gateway, which varies by interface) is assigned to each client.
  • If DNS Forwarder isn’t enabled, then the DNS Servers configured on the General Setup page are used. If Allow DNS server list to be overridden by DHCP/PPP on WAN is enabled in General Setup, then the DNS servers obtained through the WAN will be used instead.

Gateway

The interface gateway will be provided to clients by default (that is, the static IP of the interface), but can be overridden here if necessary.

Domain Name

The domain name specified in General Setup is used by default, but an alternative can be specified here.

Default Lease Time

An alternative lease time can be specified here for clients who do not request a specific expiration time. The default is 7200 seconds.

Maximum Lease Time

An alternative maximum lease time can be specified for clients that ask for a specific expiration time. The default is 86400 seconds.

Failover Peer IP

CARP-configured systems can specify a fail-over IP address here.

Static ARP

Enabling static ARP entries will only allow clients with DHCP mappings to communicate with the firewall on this interface. Unknown clients will still receive an IP address, but all communication to the firewall will be blocked.
This is different from Deny Unknown Clients where unknown clients won’t even receive an IP address.

Dynamic DNS

Enable clients to automatically register with the Dynamic DNS domain specified.

Additional BOOTP/DHCP Options

Enter any custom DHCP option here. Visit http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xml for a list of options.

Creating static DHCP mappings

This recipe describes how to add static DHCP mappings in pfSense. A static DHCP mapping ensures a client is always given the same IP address.

Getting ready

Creating static DHCP mappings is only applicable for interfaces using the DHCP service.

How to do it...

  1. Browse to Status | DHCP Leases to view the list of clients who have issued DHCP requests.

  2. Click on the “plus” button to add a new static DHCP mapping.
  3. The MAC address will be pre-filled.
  4. Enter an IP address, which must be outside the range of dynamically assigned DHCP addresses.
  5. The Hostname may be pre-filled. If not, enter one.
  6. Enter a Description.

  7. Save the changes.
  8. Apply changes, if necessary. Scroll to the bottom of the DHCP Server page and verify that your new mapping exists.

How it works...

When a client connects to our DHCP server, the firewall first checks for a mapping. If the client’s MAC address matches a mapping we’ve specified, then the DHCP server uses the IP address specified in the mapping. If no mapping exists for our client’s MAC address, our DHCP server uses an IP address from its available range.
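The two address rules from these recipes (the pool must sit inside the interface's subnet, and every static mapping must sit outside the pool) and the mapping-first lookup described above can be checked before anything is typed into the GUI. This is an added example, not pfSense code: the function names, the extra duplicate and interface-address checks, and the 192.168.2.0/24 sample data are all assumptions made for illustration.

```python
import ipaddress

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_dhcp_plan(interface_cidr, pool_start, pool_end, mappings):
    """Return a list of problems; an empty list means the plan is consistent."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start > end:
        problems.append("pool start is above pool end")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a usable address in {net}")
    if start <= iface.ip <= end:
        problems.append(f"pool contains the interface address {iface.ip}")
    seen_mac, seen_ip = {}, {}
    for mac, ip, host in mappings:
        mac, ip = normalize_mac(mac), ipaddress.ip_address(ip)
        if ip not in net:
            problems.append(f"{host}: {ip} is outside {net}")
        if start <= ip <= end:
            problems.append(f"{host}: {ip} is inside the dynamic pool")
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already mapped to {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"{host}: {ip} already mapped to {seen_ip[ip]}")
        seen_mac.setdefault(mac, host)
        seen_ip.setdefault(ip, host)
    return problems

def assign(mac, mappings, free_pool):
    """Static mapping first, otherwise the first available pool address."""
    for m, ip, _host in mappings:
        if normalize_mac(m) == normalize_mac(mac):
            return ip
    return free_pool[0] if free_pool else None

# Constructed sample data: a DMZ on 192.168.2.1/24 with a .100-.199 pool.
SAMPLE = [("00:11:22:33:44:55", "192.168.2.10", "web1"),
          ("00-11-22-33-44-66", "192.168.2.150", "db1"),      # inside the pool
          ("00:11:22:33:44:55", "192.168.2.11", "web1-dup")]  # repeated MAC

if __name__ == "__main__":
    for p in check_dhcp_plan("192.168.2.1/24", "192.168.2.100", "192.168.2.199", SAMPLE):
        print(p)
```

An empty result is worth confirming before enabling Deny Unknown Clients or static ARP, since both options make the mapping table the list of clients that are allowed on the interface.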

There’s more...

Static mappings can be viewed at the bottom of the DHCP Server configuration page for each interface by browsing to the Services | DHCP Server | Interface tab.

All static mappings for a given interface can be managed here. Existing mappings can be modified or removed, and new static mappings can be created, but you’ll have to enter the MAC address manually.

pfSense 2 Cookbook A practical, example-driven guide to configuring even the most advanced features of pfSense 2.0
Published: March 2011

Configuring the DHCP relay

This recipe describes how to configure pfSense to relay DHCP requests between broadcast domains. Specifying a DHCP relay is an alternative to configuring the DHCP service on pfSense itself.

Getting ready

DHCP Relay can only be enabled if the DHCP server is disabled on all interfaces. If necessary, first disable the DHCP service on all interfaces as follows:

  1. Browse to the Services | DHCP Server | Interface tab (for example, LAN).
  2. Uncheck Enable DHCP Server on LAN Interface.
  3. Save the changes.
  4. Apply changes, if necessary.

How to do it...

  1. Browse to Services | DHCP Relay.
  2. Check Enable DHCP Relay on Interface.
  3. Select the interfaces on which the relay will be applied. Use Ctrl + click to select multiple interfaces.
  4. Enter the IP address of the existing DHCP Servers to be used as the Destination server. Multiple IP addresses may be entered, separated by commas.
  5. Save the changes.
  6. Apply changes, if necessary.

How it works...

pfSense can be configured to relay DHCP requests to existing DHCP servers. Any incoming DHCP request will be forwarded to the server(s) specified and the response will be returned to the client.

Append Circuit ID and Agent ID to Requests

If checked, pfSense appends its interface number (circuit ID) and agent ID to DHCP requests.

Relay requests to the WAN DHCP server

Select this option to relay all requests to the DHCP server defined in your WAN connection.

At the time of writing this article, this feature hadn’t yet been implemented in the pfSense 2.0 Beta version.

Specifying alternate DNS servers

This recipe describes how to configure pfSense to use DNS servers other than those provided by your WAN connection.

Getting ready

When it comes to resolving DNS names, most environments will rely on the DNS servers provided by their ISP through their WAN connection. By default, no DNS servers are defined in pfSense and Allow DNS server list to be overridden by DHCP/PPP on WAN is checked. To manually specify alternate DNS servers, follow the instructions in the next subsection.

How to do it...

  1. Browse to System | General Setup.
  2. The DNS servers section contains the following settings:
    • Specify the IP address and gateway for each of the existing DNS servers.
    • Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN.
  3. Save changes.
  4. Apply changes, if necessary.

How it works...

The DNS servers specified here are the system defaults and will always take priority unless specifically overridden by the following options.

The DNS servers listed here (4.2.2.1 – 4.2.2.4) are public DNS servers that are often very helpful when trying to troubleshoot and diagnose DNS issues.

Using the DNS Forwarder

If the DNS Forwarder is enabled, we can override the DNS servers for individual domains or even override results for individual devices. For more information, see the following Configuring the DNS Forwarder recipe. The DNS Forwarder takes precedence over all DNS requests.

Using your WAN DNS servers

When Allow DNS server list to be overridden by DHCP/PPP on WAN is enabled, pfSense will attempt to resolve DNS names using the DNS servers provided by the WAN before failing over to the servers defined in this list. After the DNS Forwarder, this option takes precedence over DNS requests.

Configuring the DNS Forwarder

This recipe describes how to configure the DNS Forwarder in pfSense. The DNS Forwarder allows pfSense to act as a DNS server with a variety of features.

Getting ready

The DNS Forwarder allows pfSense to resolve DNS requests using hostnames obtained by the DHCP service, static DHCP mappings, or manually entered information. The DNS Forwarder can also forward all DNS requests for a particular domain to a server specified manually.

How to do it...

  1. Browse to Services | DNS Forwarder | Enable DNS Forwarder.
  2. If Register DHCP leases in DNS Forwarder is enabled, any devices in Status | DHCP Leases will be served if a match is found.
  3. If Register DHCP static mappings in DNS Forwarder is enabled, any devices mapped on any interface tab in Services | DHCP Server will be served if a match is found.

  4. Specify individual Hosts to be served as DNS records by clicking the “plus” button to add a record. Devices in this list are checked first; so even if a record exists elsewhere, the record here takes precedence and is immediately returned.
  5. Specify a DNS server for a particular Domain by clicking the “plus” button to add a record. These records are checked immediately after the individual records defined above, so a match here will take precedence over records that may exist elsewhere.

  6. Save the changes.
  7. Apply changes, if necessary.

How it works...

If enabled, the DNS Forwarder takes priority over all DNS requests and responds to them in the following order:

  1. Individual device records (Services | DNS Forwarder).
  2. Domain specific records (Services | DNS Forwarder).
  3. DHCP static mappings (Services | DHCP Server | Interface tab).
  4. DHCP leases (Status | DHCP Leases).
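
Because earlier sources win, a record further down the list can exist and never be served. The following added example (not pfSense code) models the four-step order above and lists the records that are shadowed; the function names, the rule that the longest matching domain wins among domain records, and all sample names and addresses are assumptions made for illustration.

```python
def resolve(name, hosts, domains, static_maps, leases):
    """Return (source, answer) following the article's order, or (None, None)."""
    name = name.lower().rstrip(".")
    if name in hosts:                                  # 1. individual device records
        return "host override", hosts[name]
    # 2. domain records; the answer is the DNS server the query is forwarded to.
    # Assumption: when several domains match, the longest (most specific) wins.
    for domain in sorted(domains, key=len, reverse=True):
        if name == domain or name.endswith("." + domain):
            return "domain override", domains[domain]
    if name in static_maps:                            # 3. DHCP static mappings
        return "static mapping", static_maps[name]
    if name in leases:                                 # 4. DHCP leases
        return "dhcp lease", leases[name]
    return None, None

def shadowed(hosts, domains, static_maps, leases):
    """List DHCP-derived records that a higher-priority source answers instead."""
    findings = []
    for source, table in (("static mapping", static_maps), ("dhcp lease", leases)):
        for name, ip in sorted(table.items()):
            winner, answer = resolve(name, hosts, domains, static_maps, leases)
            if winner != source:
                findings.append((name, source, ip, winner, answer))
    return findings

# Constructed sample records (names and addresses are illustrative only).
HOSTS = {"nas.example.lan": "192.168.1.20"}
DOMAINS = {"corp.example": "10.0.0.53"}
STATIC_MAPS = {"nas.example.lan": "192.168.1.25",
               "printer.example.lan": "192.168.1.30",
               "build.corp.example": "192.168.1.40"}
LEASES = {"laptop.example.lan": "192.168.1.101",
          "printer.example.lan": "192.168.1.130"}

if __name__ == "__main__":
    for name, source, ip, winner, answer in shadowed(HOSTS, DOMAINS, STATIC_MAPS, LEASES):
        print(f"{name}: {source} {ip} is never served; {winner} answers {answer}")
```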

Configuring a standalone DHCP/DNS server

This recipe describes how to configure pfSense as a standalone DHCP and DNS server.

How to do it...

  1. Configure pfSense as a DHCP Server. See the Configuring the DHCP server recipe for details.
  2. Create DHCP mappings for every device in the system that will obtain its IP address automatically through DHCP. See the Creating static DHCP mappings recipe for details.
  3. Browse to System | General Setup.
  4. Ensure that no other DNS servers are specified.
  5. Enable Allow DNS server list to be overridden by DHCP/PPP on WAN, so that pfSense can resolve external addresses using the DNS servers provided by your ISP through your WAN connection.
  6. Save the changes.
  7. Apply changes, if necessary.

  8. Browse to System | DNS Forwarder.
  9. Check Enable DNS Forwarder.
  10. Check Register DHCP static mappings in DNS forwarder.

  11. Create a Host record for any device that needs to be resolved but doesn’t have a DHCP mapping (that is, devices that define their own IP).
  12. Create a Domain record for any DNS requests you’d like to redirect for a particular domain.

  13. Save the changes.
  14. Apply changes, if necessary.

How it works...

If the DNS Forwarder is enabled, every DNS request from every interface will be processed by pfSense. Individual host records are checked first, and if a match is found, the associated IP address is immediately returned.

By enabling the Register DHCP Static Mappings option, you won’t have to worry about creating DNS records for those devices. This is my preferred method of using pfSense as a DNS server. As long as we create a static mapping for every device on our network, their hostnames will resolve automatically.

Using this method, we’ll only have to add explicit hostname records for devices that specify their own IP address (that is, devices that don’t use DHCP), which should be few and far between.

Register DHCP Leases in DNS Forwarder

If the Register DHCP Leases in DNS Forwarder option is enabled, pfSense will automatically register any devices that specify a hostname when submitting a DNS request. The downside, of course, is that not all devices submit a hostname and even when they do, it is sometimes cryptic. I prefer to only register important devices using DHCP static mappings, and all other (unimportant/unknown) devices can be referenced using their IP addresses.

Configuring dynamic DNS

This recipe describes how to configure a dynamic DNS service in pfSense.

Getting ready

pfSense’s integrated dynamic DNS service allows you to automatically update your dynamic DNS records when a change in an interface’s IP address is detected.

How to do it...

  1. Browse to Services | Dynamic DNS.
  2. Click the DynDNS tab.
  3. Click the “plus” button to add a new record.
  4. Choose a Service type (that is, dynamic DNS service provider).
  5. Specify an Interface to monitor (this is typically the WAN interface).
  6. Specify our Hostname (that is, the friendly DNS name our dynamic DNS provider has supplied us with).
  7. Toggle Wildcards, if applicable.
  8. Enter the username and password you set up with our dynamic DNS provider.
  9. Enter a friendly description.
  10. Save changes.
  11. Apply changes, if necessary.

How it works...

Whenever the IP address of our interface changes, pfSense automatically connects to our dynamic DNS service and updates the IP address accordingly.

Pre-configured service types (dynamic DNS providers)

pfSense comes with the following popular dynamic DNS services pre-configured:

  • DNS-O-Matic
  • DynDNS (dynamic, static, custom)
  • DHS
  • DyNS
  • easyDNS
  • No-IP
  • ODS
  • ZoneEdit
  • Loopia
  • freeDNS
  • DNSexit
  • OpenDNS
  • NameCheap

Specifying an alternative service using RFC 2136

We may specify a dynamic DNS service that doesn’t come pre-configured as long as it adheres to the RFC 2136 standard. Choose the Services | Dynamic DNS | RFC 2136 tab, and then fill in the appropriate fields using the information provided by our RFC 2136 compliant dynamic DNS service:

For more information, refer to:
Wikipedia – DynamicDNS
http://en.wikipedia.org/wiki/Dynamic_DNS
RFC 2136 Standard Documentation
http://tools.ietf.org/html/rfc2136
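
To show what an RFC 2136 update for a changed address looks like on the wire, the following added example (not pfSense code) builds the UPDATE message that replaces a host's A record. The function names, the example.org zone and the 203.0.113.7 address are constructed for illustration, and the message is unsigned: it omits the TSIG signature (RFC 2845) that a production update would normally carry.

```python
import ipaddress
import struct

TYPE_A, TYPE_SOA, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 1, 6, 1, 255, 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def in_zone(hostname, zone):
    """True if hostname is the zone apex or a name below it (label-aligned)."""
    h, z = hostname.lower().rstrip("."), zone.lower().rstrip(".")
    return h == z or h.endswith("." + z)

def build_update(msg_id, zone, hostname, new_ip, ttl=60):
    """Build an unsigned UPDATE: delete the A RRset for hostname, then add new_ip."""
    if not in_zone(hostname, zone):
        raise ValueError("hostname is not inside the zone")
    # Header: ID, flags (opcode in bits 11-14), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    # Zone section: the zone being updated, always type SOA.
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    owner = encode_name(hostname)
    # "Delete an RRset" (RFC 2136, 2.5.2): class ANY, TTL 0, empty RDATA.
    delete_rrset = owner + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    # "Add to an RRset" (RFC 2136, 2.5.1): zone class, real TTL and RDATA.
    rdata = ipaddress.IPv4Address(new_ip).packed
    add_rr = owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rrset + add_rr

def parse_header(message):
    """Decode the 12-byte header so the counts and opcode can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", message[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
            "prcount": pr, "upcount": up, "adcount": ad}

if __name__ == "__main__":
    msg = build_update(0x1234, "example.org", "home.example.org", "203.0.113.7")
    print(parse_header(msg), len(msg), msg.hex())
```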

Summary

This article explained how to configure the essential networking services provided by pfSense such as the DHCP server and dynamic DNS services.




About the Author :


Matt Williamson

Matt Williamson is the founder of Blue Key Consulting – a computer systems design and development firm located in the New York City area. Before forming his consulting business, Matt developed software for a number of companies in the insurance and financial research industries. A long-time user of pfSense, Matt has incorporated pfSense in a number of roles throughout a variety of his own systems and those of his clients. His personal website and blog can be found at http://www.bunkerhollow.com.
