In certain environments, it is useful to have a router and firewall between two private vlans. When the WAN interface of PfSense is not able to access the internet (e.g. DNS Resolution, Update Checks, etc.) it can become sluggish to boot and configure. This guide attempts to capture configuration knobs that can improve the usability in these environments, and was written with PfSense CE 2.7.2 configuration as a baseline.
- Finish Documentation
-
tcpdump -nn -i XXXpfsense at steady state air-gapped {for em0 (WAN), em1 (LAN), lo0 (loopback)} Loopback will show you all of the items that would have being queried viaroot.hintsor other pfsense internals. Start withudp port 53capture filter to look for DNS traffic. - tcpdump pfsense at boot with WAN interface to look for extra ntp, dns, http, tls packets
Installation from the PfSense CE ISO file can easily be done in these environments. Download the ISO from mirror (to avoid creating a netgate TAC account), upload to your virtualization/burn to physical media, and boot from the ISO.
- https://atxfiles.netgate.com/mirror/downloads/
- https://repo.ialab.dsu.edu/pfsense/
- Capture the WAN (Air-gapped VLAN#1) and LAN (Air-gapped VLAN#2) interface ip addresses, and make sure that the LAN link is up so that it will serve DHCP to other clients on the same VLAN to enable configuration steps.
- If you are using virtualization (e.g. VMWare), recommend you use intel e1000 NIC configuration in your VM and/or disable the hardware offload knobs in "System->Advanced->Networking".
- Hardware Checksum: disable
- Hardware TCP Segmentation: disable
- Hardware Large Receive: disable
Here is a list of configuration knobs:
- Setup a single GUI client (VM or otherwise) that can load a web browser and access the administration page (by default this is on the LAN interface defined during install step. This is most easily done by assigning another vm to the same vlan as the pfsense LAN interface (Air-gapped VLAN#2) and using the web browser from that console. Default web administration for pfsense installation username is
admin, password ispfsense. Change immediately to something secure. - System->Update->Update Settings-> Select "Disable the Dashboard auto-update check"
- Dashboard-> Remove the "Netgate Services and Support" widget by clicking the "X" in the top-right corner of the UI element.
- Disable Network Time Protocol Daemon (NTP). Configuration is in Services->NTP.
- Make sure
Enable NTP Serveris not checked (OFF)
- Make sure
- Setup Unbound (DNS Resolver in PfSense parlance) to use custom
root.hintsfile to prevent reaching out to external hardcodedX.root-servers.netip addresses. Configuration is in Services->DNS Resolver in the Web admin interface.- Make sure
Enable DNS resolvercheckbox is checked (ON). - Click
Display Custom Options, then enter the string:root-hints: /var/unbound/airgap.hints - Create a text file (using vi or your favorite editor) on pfsense filesystem (via console or ssh) with the following data in
/var/unbound/airgap.hints:
- Make sure
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET 3600000 A 127.0.0.1
A.ROOT-SERVERS.NET 3600000 AAAA ::1
- Setup DNS resolver stub zones: (TBD on details)
- PTR addresses
.arpa(PTR IPv4/IPv6) - Common TLDs
.net,.com,.org, etc. so that root zone SOA/NS lookups land on 127.0.0.1
Here is a list of useful things for the LAN interface of PfSense to provide to clients that enable them to "think" they are internet connected without actually providing internet access.
- DNS Config: Services->DNS Resolver
- WIP
- Internet Reachability:
- https://devblogs.microsoft.com/oldnewthing/20221115-00/?p=107399
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network
- During reboot, "DNS Resolver" service start is slow. Delays boot by around 30 seconds.
- During reboot, "NTP Server" service start is slow. Delays boot by around 30 seconds.
- During reboot, "Configuring WAN interface" will be VERY slow if set for DHCP, and DHCP packets do not receive a response.