Potential DNS Rebind attack detected, workaround

If you publish sites to the Internet behind a pfSense device and then try to open one of them from inside your own network using its public address, you will receive the following error message:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding

Try accessing the router by IP address instead of by hostname.

This is what appears in your browser.


Recently I’ve hit this issue.

The workaround for the problem that I've found is as follows.

For the network behind the pfSense device you set a static DNS record for the site, pointing to the internal IP address of the server. The browser then talks to the server directly and its request never reaches the pfSense web GUI, which is what raises the warning: the GUI refuses any request whose Host header is not one of its own names or addresses. Note that this only helps clients that use the pfSense DNS Forwarder as their resolver. Turning the check off altogether (System > Advanced) is also possible, but it weakens the protection of the management interface, so prefer the override.

The solution is as follows:

Go to the Web GUI of pfSense and select

Services > DNS Forwarder


There, at the bottom of the page, is the section Host Overrides.

Click on the "+" sign in this section.


Here, for the site that you want to open, fill in the following:

Let’s say for example you published the site:


In the Host field enter: Something

In the Domain field enter: anything.com

In the IP Address field: enter the internal IP address of the server hosting the site

In the Description: fill in something useful, so that half a year later you can remind yourself what this exception was for 😉

Click on Save.
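To make clear why the override works, here is an added example (not pfSense code, and not from the original post): a simplified model of the Host-header check that the pfSense web GUI performs, and of where a LAN client's request ends up with and without a Host Override in the DNS Forwarder. The hostname, the addresses and the site name are constructed for the illustration, and the model assumes NAT reflection is not in use, so traffic sent from the LAN to the WAN address terminates on pfSense itself.

```python
import ipaddress

# Added example, not pfSense code: a simplified model of the Host-header check
# that the pfSense web GUI performs, and of where a request from the LAN ends up
# with and without a Host Override in the DNS Forwarder. All addresses and names
# below are constructed for illustration.

FW_HOSTNAME = "pfSense"
FW_DOMAIN = "localdomain"
WAN_IP = "203.0.113.5"            # public address the published site resolves to
SERVER_IP = "192.168.1.10"        # internal server hosting the site
SITE = "something.anything.com"   # the published site, as in the post


def _hostname_from_header(host_header: str) -> str:
    """Strip an optional :port from a Host header (also handles [IPv6]:port)."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h[1:h.index("]")]
    return h.split(":", 1)[0]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rebind_check_fails(host_header: str, alternate_hostnames=()) -> bool:
    """True when the GUI would answer 'Potential DNS Rebind attack detected'.

    An IP literal in the Host header is always accepted (hence the advice to
    'access the router by IP address'); a name is accepted only if it is the
    firewall's own short or fully qualified hostname, or explicitly allowed.
    """
    host = _hostname_from_header(host_header)
    if _is_ip_literal(host):
        return False
    allowed = {FW_HOSTNAME.lower(), f"{FW_HOSTNAME}.{FW_DOMAIN}".lower()}
    allowed.update(h.lower() for h in alternate_hostnames)
    return host not in allowed


def where_request_lands(name: str, host_overrides: dict) -> str:
    """Model the LAN client's request to http://<name>/.

    The DNS Forwarder answers from its Host Overrides first and otherwise from
    public DNS (modelled here as 'everything resolves to WAN_IP'). Traffic sent
    to the WAN address from the LAN terminates on pfSense itself (assumes no
    NAT reflection), so the web GUI and its rebind check see the request.
    """
    ip = host_overrides.get(name.lower(), WAN_IP)
    if ip == WAN_IP:
        return "rebind warning" if rebind_check_fails(name) else "firewall GUI"
    return f"server {ip}"


# Before the workaround: the public name resolves to the WAN address and hits
# the GUI, whose check rejects the unknown Host header.
BEFORE = where_request_lands(SITE, {})

# After adding Host=something, Domain=anything.com, IP=192.168.1.10: the client
# talks to the internal server directly and never touches the GUI.
AFTER = where_request_lands(SITE, {SITE: SERVER_IP})

if __name__ == "__main__":
    print("without override:", BEFORE)
    print("with override:   ", AFTER)
```

The same model explains the other half of the error text: a request to the firewall's own IP address passes the check because an IP literal is never treated as a rebinding attempt.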


Using your OpenVPN Road Warrior setup as a Secure Relay


If you are in a café or another place with free wireless Internet access you are exposed to a security risk. Your traffic can be monitored, captured and analysed; your sensitive data can be stolen or your laptop infected with malicious software.

To reduce this risk as far as possible, we can route all your traffic through the Internet connection at home or in your office.


As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication,

up to the Tunnel Settings section of the OpenVPN configuration.

There tick the Redirect Gateway.


Under Client Settings enter as DNS Server 1 the IP address of your LAN interface.


By doing so you redirect all of the client's traffic through the VPN connection and avoid the risks of public hotspots. The DNS server address is needed so that the client resolves names through your own device instead of the hotspot's DNS server; otherwise your lookups still leak to, and can be manipulated by, the hotspot. After connecting, verify that the client actually uses the pushed DNS server, since some client systems keep the resolver of the physical adapter as well.


As a test you can trace the route (tracert bbc.co.uk, for example) to a popular Internet site with and without the VPN connection established; with the VPN up, the first hops should be your tunnel and your home or office network.
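What the two settings actually push to the client, and why the tracert changes, can be shown with a small routing model. This is an added example, not code from the post or from pfSense: the Redirect Gateway tick box corresponds to the standard OpenVPN directive `push "redirect-gateway def1"` and DNS Server 1 to `push "dhcp-option DNS <address>"`; the hotspot gateway, the VPN server address and the tunnel gateway below are constructed from documentation ranges.

```python
import ipaddress

# Added example (not from the post): what the two settings push to the client
# and how 'redirect-gateway def1' steals the default route without deleting
# the hotspot's own. Addresses are constructed from documentation ranges.

HOTSPOT_GW = "192.0.2.1"       # café router, the client's original default gateway
VPN_SERVER = "203.0.113.10"    # your pfSense WAN address
VPN_GW = "10.0.8.1"            # OpenVPN tunnel gateway on the pfSense side
LAN_IP = "192.168.1.1"         # pfSense LAN address, entered as DNS Server 1

# What pfSense's 'Redirect Gateway' tick box and 'DNS Server 1' field push
# to every connecting client (standard OpenVPN directives).
PUSHED = [
    "redirect-gateway def1",
    f"dhcp-option DNS {LAN_IP}",
]


def hotspot_routes():
    """Client routing table as handed out by the café's DHCP: just a default."""
    return [(ipaddress.ip_network("0.0.0.0/0"), HOTSPOT_GW)]


def apply_pushed_options(routes, pushed, vpn_server=VPN_SERVER, vpn_gw=VPN_GW):
    """Apply pushed OpenVPN options the way an OpenVPN client does.

    'def1' adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel: both are more specific
    than 0.0.0.0/0, so they win longest-prefix match for every destination while
    the original default stays in place for when the tunnel goes down. A /32 host
    route keeps the encrypted tunnel packets themselves going via the hotspot.
    """
    routes = list(routes)
    dns = []
    for line in pushed:
        parts = line.split()
        if parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
            routes.append((ipaddress.ip_network(f"{vpn_server}/32"), HOTSPOT_GW))
        elif parts[0] == "dhcp-option" and parts[1] == "DNS":
            dns.append(parts[2])
    return routes, dns


def next_hop(routes, destination):
    """Longest-prefix-match lookup, as the client's kernel does it."""
    dst = ipaddress.ip_address(destination)
    candidates = [(net, gw) for net, gw in routes if dst in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def where_does_it_go(destination, vpn_up):
    """Gateway used for 'destination' with the VPN down or up (the tracert test)."""
    routes = hotspot_routes()
    if vpn_up:
        routes, _ = apply_pushed_options(routes, PUSHED)
    return next_hop(routes, destination)


if __name__ == "__main__":
    for vpn_up in (False, True):
        print("VPN up" if vpn_up else "VPN down",
              "-> a web site goes via", where_does_it_go("198.51.100.80", vpn_up),
              "; the VPN server itself via", where_does_it_go(VPN_SERVER, vpn_up))
    print("resolver pushed:", apply_pushed_options(hotspot_routes(), PUSHED)[1])
```

The point of the /1 routes is that the hotspot's default route is never removed, which is also why the client falls straight back to the insecure path the moment the tunnel drops.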


At the cost of building just another VPN server on your device you gain a little peace of mind while surfing the net from an insecure location.

Upgrade pfSense 2.0 from RC1 to RC3.

In this post we will upgrade pfSense 2.0 from RC1 to RC3.

For that purpose go to the page with the news about the RC3 release:

2.0-RC3 now available!

and click on the Upgrades link: http://www.pfsense.org/mirror.php?section=updates

select a mirror and download the image that suits you; in my case it was:


Before going further, take a backup of the configuration under Diagnostics > Backup/Restore and verify the downloaded image against its published checksum. Then go to System > Firmware and click on Enable Firmware Upload.

Click on Choose File button, select the file that we just downloaded, and click on Upgrade Firmware button.

Wait for the firmware upgrade process to complete.

That's it. If you want a more graphical representation, I've just uploaded a video of the whole process here.



pfSense 2.0 RC1 – Captive Portal with RADIUS Authentication and Vouchers


In the previous posts we set up the Captive Portal and customized its pages. Now let's wrap it up with the other two authentication methods: in this article we configure RADIUS authentication for users and create Vouchers for our guests.


In the previous post, pfSense 2.0 RC1 – Configure Captive Portal for Guests, we used the Local User Manager for authentication. But managing users in multiple systems is a dull task, so we can instead let our users authenticate against the Captive Portal with their Active Directory accounts.

For guests we could create one guest account in Active Directory, but a better solution is to give each of them a one-time voucher that can be thrown away at the end of the day.


The only change from our previous setup is the addition of one Windows Server 2008 R2 with the Active Directory Domain Services and Network Policy Server roles.


Network Policy Server (NPS) aka RADIUS Server, Configuration

We can reuse the NPS setup from OpenVPN with RADIUS authentication on pfSense 2.0 RC1, up until the pfSense configuration, so I will not duplicate the steps here.

On the pfSense side:

Go to Services > Captive Portal.

On the Captive Portal leaf, scroll down to the Authentication section.

As Authentication choose RADIUS Authentication.

Primary RADIUS server, IP address –

Enter the Shared Secret; use a long random value, because it is the only thing protecting the users' passwords between pfSense and NPS.

Optionally, tick the send RADIUS accounting packets check box.

Under RADIUS options, for RADIUS NAS IP Attribute select the LAN interface; I presume that your RADIUS server is behind this interface. Keep the RADIUS traffic on a trusted segment, never on the guest network.

Save the configuration.
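To show what the shared secret does and does not protect, here is an added example, not from the post and not pfSense or NPS code: it builds the RADIUS Access-Request that a NAS such as pfSense sends for a PAP login, with the User-Password attribute obfuscated as RFC 2865 §5.2 describes, and then recovers the password the way anyone holding the secret can. The user name, password, secret and NAS address are constructed.

```python
import hashlib
import os
import socket
import struct

# Added example, not from the post or pfSense: how a RADIUS Access-Request with
# a PAP password is built (RFC 2865), to show what the shared secret actually
# protects. The user name, password, secret and addresses are constructed.

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 §5.2: pad to a multiple of 16, then XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; anyone holding the secret can do this, so a weak
    secret plus a captured packet equals a recovered password."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(username: str, password: str, secret: bytes, nas_ip: str,
                   identifier: int = 1, authenticator=None) -> bytes:
    """Packet the NAS (pfSense) sends to the RADIUS server for a portal login."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What someone sniffing the segment between pfSense and the RADIUS server
    can do if they know, or can guess, the shared secret."""
    _, _, authenticator, attrs = parse(packet)
    return pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    pkt = access_request("guest.user", "Winter2011!", b"correct horse battery", "192.168.1.1")
    print(len(pkt), "bytes;", recover_password(pkt, b"correct horse battery"))
    print("wrong secret gives:", recover_password(pkt, b"radius"))
```

Nothing else in the packet is encrypted, and the keystream is just MD5 of the secret, so a short dictionary secret on a segment an attacker can sniff turns every portal login into a recoverable Active Directory password.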

Vouchers Configuration

The first time you enable Vouchers, a pair of RSA keys is generated for you automatically.

The pre-generated RSA keys are 32 bits. For now we will use the default; if you want to create 64-bit keys, check out the article Captive Portal Vouchers. Keep in mind that keys of this size are trivially factorable, so they only keep vouchers from being guessed or mistyped and are not a cryptographic guarantee; treat the voucher rolls and the keys in your configuration as secrets.

For the Save Interval the default value is 5 minutes. I do not want the state of the vouchers to be kept in my configuration file, so I'll change it to 0; bear in mind that the save interval is what lets the list of used vouchers survive a reboot, so with 0 that state lives in memory only. Leave the rest of the fields at their default values and save the configuration.


Now let's generate some vouchers: in the Voucher Rolls section, click on the "+" sign.

On the new page, enter

Roll# – 16, Minutes per Ticket – 480 (8 hours), Count – 10 (the number of vouchers generated). You can add a comment for reference. Save it.

Back on the Vouchers leaf, click on the circle with an "i" in it to export the list of vouchers.

The result should look similar to this:


Open a browser on a computer connected to the Guests interface of pfSense, enter a web address, and you should be presented with the Captive Portal page.

For the RADIUS test, enter a user name and password from Active Directory, and you should successfully log in.

To test the voucher system, copy one of the rows from the CSV file and paste it in the Voucher field.

The web address that you typed should load and you will have access for the next 8 hours.

In the web GUI, under Status > Captive portal, you can check that the user is successfully connected.



All topics related to the Captive Portal, aggregated in the pfSense Documentation


Specific article on Vouchers


m0n0wall documentation of the Captive Portal, useful for cross-reference.


During the last three posts we looked at the basic configuration of the Captive Portal in pfSense 2.0 RC1, customized the portal pages and used the different authentication methods available. Using this feature of pfSense you can safely provide Internet access to your users and guests. There are many other options that we have not covered, but they are left for future posts.

Thank you for reading, and I hope it was helpful.

pfSense 2.0 RC1 – Customize Captive Portal Pages and implement HTTPS


In the previous post, pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management, we configured a basic Captive Portal. Now I want to customize the web pages that are presented to the guests. Users will be sending credentials, so it is better to use HTTPS; that's why we will configure that too.


I want to customize the pages with custom colours and a logo. Moreover, the default page does not have a voucher field, and I want that too. Granting access to guests must follow some rules, so an Acceptable Use Policy that has to be acknowledged belongs on such a page.

You can see the default pages below.


Certificate for the HTTPS/SSL

Go to System > Cert Manager

On the CAs leaf, select Create an internal Certificate Authority. Fill in the form to your liking and make a note of the Common Name and the Descriptive name.

Go to the Certificates leaf and Create an internal Certificate; fill in the form. The Common Name of the certificate must match the firewall's hostname, because that is the name the portal sends the guests to over HTTPS; in my case it is pfSense.localdomain. Also note the Descriptive name of the certificate.

Export the Certificates

On the CAs leaf click on the downward pointing triangle with the rollover text export ca.

On the Certificates leaf, click on both downward pointing triangles for the Captive Portal Cert (one exports the certificate, the other the private key).

You will end up with three files with names similar to these:

DNS Record

Go to Services > DNS Forwarder

Add a new Host Override, which takes precedence over the answers from the forwarders.

Enter Host, Domain, IP Address and Description. In my case the host is pfSense and the domain is localdomain, so the name matches the certificate's Common Name; the IP address is the one pfSense uses on the Guests interface, so that guests reach the portal by that name; and I've entered a useful description.

Put the Certificate data in the fields

Now open the certificate files in your favourite text editor (I used Notepad++) and copy and paste their contents into the fields on the Services > Captive Portal page.

Paste Captive+Portal+Cert.crt in HTTPS certificate section

Paste Captive+Portal+Cert.key in HTTPS private key section

Paste Captive+Portal+CA.cert  in HTTPS intermediate certificate section

Save your configuration.

Upload the logo

Go to the File Manager leaf of the Captive Portal. Click on the + sign and choose your logo image.

Then click on the Upload button.

Take note of the name of the image; if it differs from the one used in your pages, update the pages before uploading them.

Upload the pages

Go back to the Captive portal leaf, and scroll down to the Portal page contents section.

Click on the Choose File button and select your page file. Do the same for Authentication error page contents with the index_error.html page. Save your configuration.


I've used the built-in Certificate Manager because it works for me. The alternative is to use OpenSSL, as explained in the pfSense forums. Whichever you use, the certificate's Common Name and the DNS record must agree.

By customizing the pages we can brand them and at the same time create a more enterprise look and feel. Opening the voucher field is the first step towards my next post, where the main topic will be the configuration of vouchers and RADIUS authentication.

About the page code:



Stefcho’s captive portal

Welcome to the Stefcho’s Wireless Network Captive Portal!
Enter User Credentials, or Voucher Code to gain access.



index_error.html – the only change here is the addition of "Invalid credentials specified.". I did not add "$PORTAL_MESSAGE$", because it is for RADIUS only.

The contents of the HTML/PHP file that you upload here are displayed when an authentication error occurs. You may include “$PORTAL_MESSAGE$”, which will be replaced by the error or reply messages from the RADIUS server, if any.

Invalid credentials specified.


You can download my pages from here:




Connect to the guest network and try to open a web page. You will see a browser warning about the certificate, because it was issued by your own internal CA, which the client does not trust; accept it, or import the CA certificate on the clients if you can. Now you should see your new custom page. Enter your username and password, read the Acceptable Use Policy and tick the Accept check box, then click the Continue button. If you don't tick the Accept check box a warning window will appear, informing you that you must accept the policy first.

If you mistype your user name and/or password, intentionally or not, you will see Invalid credentials specified. in red, and you can enter them again.

After successful log in you will have Internet access, and on the Status > Captive portal page you will be able to see the currently logged-in users.


The DNS record surprised me, because I had not used it up until now.


Here are some materials that could help you further develop the Captive Portal pages:


Free, cool, and easy Captive Portal (Guest portal)

How To: Using m0n0wall to create a Wireless Captive Portal – Step 4: Create the Captive Portal Page

pfSense: Captive Portal Logo Edit

How to make the Captive portal in pfSense 2.0 accessible from different networks (in Russian)

Installation and configuration of a Wi-Fi hotspot system using the pfSense 2.0 software router as an example (Part 1) (in Russian)


A good base for the Acceptable Use Policy:

Acceptable Use Policy for the Wireless Network

Acceptable Use Policy for Wireless Access

Acceptable Use Policy


Now we have better-looking pages displayed to our guests and a well-communicated Acceptable Use Policy for the guest network. The credentials of our users are sent over an SSL channel rather than in plain text.


pfSense 2.0 RC3 released!

Good news: RC3 was released today, and it is supposed to be the last RC before RTM, which is very promising.

If the news is right we can expect RTM in a month; I hope that this is a realistic estimate of the time needed.

You can read the original news here

2.0-RC3 now available!

Downloads are available, and I'm in the process of upgrading my lab from RC1 to RC3. For that purpose I will use a clean install and restore a configuration backup. Upgrading in place is not my preference, but I will eventually try it later on.


pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management


More or less it is expected of a company to provide some form of wireless Internet access to guests, clients and partners visiting its premises. Providing it could pose a security risk if you use just a simple wireless access point directly connected to your LAN. It is better to isolate them in a separate network segment without access to your LAN. For that purpose we will use an Optional Interface and the Captive Portal feature of pfSense 2.0 RC1.


You want to provide your guests with Internet access using one or more wireless access points, but you want to prevent them from lurking around your servers and workstations. Even worse, their machines may be infected with malicious code that could try to take over your network. You have probably seen what enterprise-grade wireless solutions offer, but their price is prohibitive for Small Office Home Office (SOHO) use.

In this post we look at the basic configuration of the Captive Portal feature of pfSense and implement a basic scenario: guests must authenticate, are quarantined from our internal network, and have almost full Internet access at their disposal.


We have a simple setup of pfSense 2.0 RC1 with three network interfaces. The WAN gives us access to the Internet, our servers and workstations reside behind the LAN interface, and we will put the guests behind the GUESTS interface. For reference take a look at the network diagram.


Some hardware appliances on which pfSense runs may have a wireless network card installed; in that case you can use that interface for GUESTS, but currently I do not have such a card available for testing. When I do get one, I will test this scenario too.


If you are unfortunate enough to have only two network interfaces but fortunate enough to have a VLAN-capable switch, you can separate LAN and GUESTS into separate VLANs. Take a look at the network diagram below for reference. This is a separate scenario that I will leave for a future post.



Configure the Guests Interface.

If you haven’t configured the third network interface already, let’s configure it now.

Go to Interfaces > (assign), click on the + button, and then click on the Save button to save the configuration.

Now go to your newly added interface; by default it is named OPT1.

Tick the Enable Interface and click Save.

Now you can enter a Description for this interface, in my example I used Guests.

Select Static as Type.

In the Static IP configuration section, enter IP Address for the interface and a subnet mask. In my case these are

Then click on the Save button, and Apply changes.


Setup a DHCP Server for this Interface

Go to Services > DHCP Server,


on the Guests leaf, tick Enable DHCP server on Guests interface.

Enter a Range (pool) of IP addresses available for our guests; in my case

Enter values for DNS Server and Gateway, then save the configuration.

Apply Firewall rules on the Guests Interface

As stated in the Scenario section, we want to provide our guests with Internet access only and NO access to our LAN resources; preventing them from accessing the web GUI of pfSense is a good idea too.

As a base for the required firewall rules I used this wonderful article: How To: Using m0n0wall to create a Wireless Captive Portal – Security

As you know pfSense started as a fork of m0n0wall, so the rules still apply.

So here are my rules:

The NetBIOS Block rules do exactly what the description states.

Web GUI Block prevents guests from accessing the management interface of pfSense from the wireless network.

The WAN Address / Subnet Block prevents guests from accessing any devices connected directly to our WAN port, in case you have something like a modem that can be configured through a web or other interface.

The last rule, Guests to Any Other Than LAN network, gives our guests the much-needed Internet access. Rule order matters: pfSense evaluates the rules top to bottom and the first match wins, and anything no pass rule matches is dropped by the implicit default deny, so the block rules must stay above the pass rule.

As an additional test I've made a rule that blocks all traffic on this interface outside business hours. This is the first time I have used a Schedule on a rule, so consider it experimental. The idea for this rule is inspired by this blog post: pfSense Captive Portal with Firewall Schedules

If you’re providing Wifi access you certainly don’t want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal.
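To make the interplay of the rules above concrete, here is an added example (not pfSense code, not from the post or the m0n0wall article): a first-match model of the Guests ruleset. It shows what each rule stops, that traffic to the LAN is dropped by the default deny rather than by any explicit rule, and what happens if the pass rule is moved above the blocks. The networks are constructed, and the NetBIOS ports (137-139) are an assumption about what the block rules cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not pfSense code: a first-match model of the Guests interface
# ruleset described above, to show what each rule blocks, that order matters,
# and that whatever no pass rule matches is dropped by the default deny.
# Networks are constructed; the NetBIOS ports are an assumption.

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUESTS_NET = ipaddress.ip_network("192.168.2.0/24")
GUESTS_IF_IP = ipaddress.ip_network("192.168.2.1/32")   # "Guests address"
WAN_NET = ipaddress.ip_network("203.0.113.0/29")        # "WAN subnet"
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "tcp/udp" or "any"
    dst: ipaddress.IPv4Network
    ports: Optional[range] = None   # destination ports, None = any
    dst_inverted: bool = False      # the "not" tick box on Destination

    def matches(self, proto: str, dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
        if self.proto not in ("any", proto) and not (self.proto == "tcp/udp" and proto in ("tcp", "udp")):
            return False
        in_dst = dst_ip in self.dst
        if in_dst == self.dst_inverted:      # inverted rules match only outside dst
            return False
        return self.ports is None or dport in self.ports


GUESTS_RULES = [
    Rule("NetBIOS Block", "block", "tcp/udp", ANY, range(137, 140)),
    Rule("Web GUI Block", "block", "tcp", GUESTS_IF_IP, range(80, 81)),
    Rule("Web GUI Block (HTTPS)", "block", "tcp", GUESTS_IF_IP, range(443, 444)),
    Rule("WAN Address / Subnet Block", "block", "any", WAN_NET),
    Rule("Guests to Any Other Than LAN", "pass", "any", LAN_NET, dst_inverted=True),
]


def decide(rules, proto: str, dst: str, dport: int):
    """pfSense semantics: evaluate top to bottom, first match wins; no match
    means the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.name
    return "block", "default deny"


if __name__ == "__main__":
    for proto, dst, port in [("tcp", "198.51.100.80", 80), ("tcp", "192.168.1.10", 445),
                             ("tcp", "192.168.2.1", 443), ("udp", "192.168.2.1", 53),
                             ("udp", "198.51.100.80", 137), ("tcp", "203.0.113.2", 80)]:
        print(f"{proto} -> {dst}:{port}: {decide(GUESTS_RULES, proto, dst, port)}")
```

Note that the inverted pass rule still lets guests reach the Guests interface itself for DNS and DHCP, which the captive portal needs; only the GUI ports on it are blocked by the explicit rules above it.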

Configure Captive Portal

Go to Services > Captive Portal.

Tick Enable captive portal and select our Guests interface. You can leave Maximum concurrent connections and Idle timeout at their default values for now. For Hard timeout choose a period depending on the average stay of your guests; for my test purposes a value of 60 minutes is fine.

If you really believe that your guests are conscientious enough, you can enable the Logout popup window and give them the possibility to log out by themselves, but for the sake of simplicity I will not enable this feature.

A very nice feature is the Per-user bandwidth restriction: you can limit the amount of bandwidth each user can consume. This slows down their access but leaves resources for more concurrent users. It is up to you whether to use it; in my setup I enabled it for testing purposes and the results were satisfactory.

For Authentication we have three options. No authentication can be used with a page carrying the Acceptable Use Policy for the wireless network, which your guests only have to acknowledge.

For this example I will use Local User Manager. In a future blog post I will take a look at RADIUS Authentication.

For now scroll down to the end of the page and click Save.

User Management

Go to System > User Manager and create new user.

For my example the User name is guest; type in a Password and a Full name.


The purpose of the Captive Portal is to force guest users to visit a page before they are given Internet access; whether you simply require them to accept a use policy or to authenticate in some manner is up to you and your needs.


Now I suppose that you have connected one or more wireless access points to the Guests interface of pfSense, configured an SSID for guests and connected to that wireless network. When you open a browser and type in a website address (a plain http:// one, as the portal can only intercept unencrypted HTTP), you will be redirected to the Captive Portal page and asked for a user name and password; use the guest account. After successful authentication you will be redirected back to the original web site address that you entered.

Now you can connect one or more wireless access points to the Guests interface of pfSense and distribute the guest user name and password to visiting clients. Whether you limit the service to normal business hours or limit the bandwidth for each user, I leave up to you.
In the following post I will look at the possibilities to customize the Captive Portal pages, and implementation of Vouchers and RADIUS authentication.

Routing Road Warrior’s clients through a Site-To-Site VPN with pfSense 2.0 RC1 and OpenVPN

After we looked at the different options for Road Warrior and Site to Site configurations of OpenVPN on pfSense 2.0 RC1, it is time to combine them into one solution.


You already have one or more Site to Site VPNs and at least one Road Warrior setup for your users. Initially you are happy that your users can consume services from the site that hosts the Road Warrior, but then you want to give them access through the same connection to the other sites connected to your main one.


Take a look at the network diagram.

pfSense01 serves the main site, and provides access to the remote users, but also has a site to site configuration with pfSense02.

If you are on the LAN ( side behind pfSense01, you can reach machines through the Site to Site connection and communicate with machines at the other end, for example

But if you are the VPN client, you can only reach machines in the network.

Our aim is to give the VPN client access to the network behind pfSense02 ( in addition to the one.


If you have already configured Road Warrior and Site To Site configuration skip to the Advanced Configuration section below.

Road Warrior

For reference on how to configure it, look at my other posts and choose depending on your needs:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

OpenVPN with LDAP authentication on pfSense 2.0 RC1

OpenVPN with RADIUS authentication on pfSense 2.0 RC1


Site To Site

In case you don't have a site to site configuration ready, check out one of these posts:

Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with Shared Key

Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with PKI


Advanced Configuration

On pfSense01, navigate to VPN > OpenVPN,

on the Server leaf, open the Road Warrior configuration and scroll down to the bottom section titled Advanced Configuration

and enter this line:

push “route”;


On pfSense02, again navigate to VPN > OpenVPN, on the Client leaf, and open the Site To Site configuration.

Scroll down to the bottom section titled Advanced Configuration and enter this line:



As jimp explained in the thread mentioned below,

The push "route"; on the Road Warrior configuration tells the client that it can reach machines on the second site via the OpenVPN connection. While establishing the connection the OpenVPN client adds an additional route to the second site.

The route; instructs the second site how to answer requests from the OpenVPN client: without it, pfSense02 has no route back to the Road Warrior tunnel network and sends the replies out of its default gateway instead.


After you save the configuration changes, connect to the Road Warrior and test your connectivity to machines on both sites.
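The explanation above can be checked hop by hop with a small routing model. This is an added example, not code from the post or from jimp's forum thread: it holds the routing tables of the VPN client, pfSense01 and pfSense02, forwards a request from the client to a host at site 2 and then the reply, and shows which of the two directives each direction depends on. The networks are constructed, since the real ones are not in the post.

```python
import ipaddress

# Added example, not from the post or the forum thread: a hop-by-hop model of
# the three routing tables involved, to show why the client needs the pushed
# route and why pfSense02 needs the 'route' directive for the return traffic.
# All networks are constructed; the real ones were left out of the post.

SITE1_LAN = "10.1.0.0/24"     # behind pfSense01
SITE2_LAN = "10.2.0.0/24"     # behind pfSense02
RW_TUNNEL = "10.0.8.0/24"     # Road Warrior tunnel network, client gets 10.0.8.2
S2S_TUNNEL = "10.0.9.0/24"    # site-to-site tunnel, pfSense01 = 10.0.9.1, pfSense02 = 10.0.9.2

LOCAL, INTERNET = "LOCAL", "INTERNET"   # directly attached / default gateway


def net(cidr):
    return ipaddress.ip_network(cidr)


def tables(push_route_to_client: bool, route_on_pfsense02: bool):
    """Routing tables keyed by node. A next hop is another node, LOCAL when the
    destination is on a directly attached network, or INTERNET for the default."""
    client = [(net(RW_TUNNEL), LOCAL), (net(SITE1_LAN), "pfSense01"), (net("0.0.0.0/0"), INTERNET)]
    if push_route_to_client:           # push "route 10.2.0.0 255.255.255.0" on the RW server
        client.append((net(SITE2_LAN), "pfSense01"))
    pfsense01 = [(net(SITE1_LAN), LOCAL), (net(RW_TUNNEL), LOCAL), (net(S2S_TUNNEL), LOCAL),
                 (net(SITE2_LAN), "pfSense02"), (net("0.0.0.0/0"), INTERNET)]
    pfsense02 = [(net(SITE2_LAN), LOCAL), (net(S2S_TUNNEL), LOCAL),
                 (net(SITE1_LAN), "pfSense01"), (net("0.0.0.0/0"), INTERNET)]
    if route_on_pfsense02:             # route 10.0.8.0 255.255.255.0 on the site-to-site client
        pfsense02.append((net(RW_TUNNEL), "pfSense01"))
    return {"client": client, "pfSense01": pfsense01, "pfSense02": pfsense02}


def path(start: str, destination: str, routing, max_hops: int = 8):
    """Forward a packet node by node with longest-prefix match; returns the hops
    followed by how it ended: DELIVERED, INTERNET (lost, as far as the VPN is
    concerned), UNROUTABLE or LOOP."""
    dst = ipaddress.ip_address(destination)
    hops, node = [start], start
    for _ in range(max_hops):
        candidates = [(n, nh) for n, nh in routing[node] if dst in n]
        if not candidates:
            return hops + ["UNROUTABLE"]
        _, next_hop = max(candidates, key=lambda r: r[0].prefixlen)
        if next_hop in (LOCAL, INTERNET):
            return hops + ["DELIVERED" if next_hop == LOCAL else INTERNET]
        node = next_hop
        hops.append(node)
    return hops + ["LOOP"]


def round_trip(push_route_to_client: bool, route_on_pfsense02: bool):
    """Request from the VPN client (10.0.8.2) to a host at site 2, and the reply
    as forwarded by that host's gateway, pfSense02."""
    routing = tables(push_route_to_client, route_on_pfsense02)
    return path("client", "10.2.0.50", routing), path("pfSense02", "10.0.8.2", routing)


if __name__ == "__main__":
    for push, route in [(False, False), (True, False), (True, True)]:
        req, rep = round_trip(push, route)
        print(f"push={push} route={route}: request {req}, reply {rep}")
```

With only the push in place the request arrives but the reply leaves pfSense02 towards the Internet, which is exactly the half-working symptom that makes this setup confusing to debug.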


While I was configuring a similar setup, the routing part was new to me and I found it difficult to grasp at the time, but thanks to jimp's help on the matter everything is crystal clear.
You can check out the thread in the pfSense forum here:
Topic: Routing Road Warrior to Site-To-Site, pfSense as OpenVPN client configuration

pfSense-On-A-Stick – 802.1Q Trunking With pfSense 2.0 RC1 and Mikrotik RouterBoard RB250G Smart Gigabit Switch with five ports and SwOS v1.5


I've just got a Mikrotik RouterBoard RB250G. While searching for useful information about its capabilities I found a very interesting article in the MikroTik Wiki: SwOS/Router-On-A-Stick

This article gave me the idea to use pfSense as a router and trunk a few VLANs.


My aim is to reproduce the configuration from the above-mentioned post with three VLANs, trunked over a single LAN interface (the parent interface) to pfSense. To make it more usable, every VLAN will be on a separate port of the switch (an access port) and have its own DHCP instance running on pfSense. In this way, when a client connects to one of the ports, he or she automatically receives configuration for the VLAN on that port.

For the installation and basic configuration of pfSense on VMware take a look at my previous post Install pfSense 2.0 RC1 on VMWare Workstation 7

The difference here is that the LAN virtual NIC is bridged to the second physical NIC of my workstation and from there connected directly to the RB250G switch.

We start with an installed pfSense 2.0 RC1, with the WAN port bridged to my first physical NIC and the LAN port to my second physical NIC. For the sake of convenience, and because of the problems that I faced initially with communication on my second NIC, I decided to manage the router through the WAN interface, because its configuration will not change during testing. More on VMware Workstation virtual machines and VLAN support can be found at the bottom of this post.

There are two ways to configure VLANs in pfSense as far as I'm aware: through the console and through the web GUI. Here I will use the latter.

WAN Rules

First let’s configure Rules on the WAN port to allow access to the Web GUI.

Go to Firewall > Rules, on the WAN leaf, and add a new rule.

The Interface is WAN, Protocol is TCP, Destination port range is HTTPS; enter a description. Restrict the Source to your management workstation rather than any: opening the GUI to the whole WAN side is acceptable only because this is an isolated lab.

This will allow access to the pfSense WebGUI on the WAN IP Address.

Creation of VLANs and Interfaces

Go to Interfaces> (assign).

Make sure that your second network port is not assigned to any interface; if it is, remove it. In my case this is em1. This machine has two interfaces: em0 for the WAN and em1 for the LAN.

Go to the VLANs leaf and click on the add button.

On the new page make sure that the Parent interface is em1. Enter a VLAN tag different from 1, which is the switch's default (untagged) VLAN.

I've made three VLANs – 100, 200, 300.

Now we need to assign these as interfaces: go to Interface assignments and add them one by one, selecting as Network port the VLANs that we have just created. Do not assign em1 itself to any interface.

Now select the LAN interface from the drop-down menu under Interfaces. Tick Enable Interface, select Static as type and, under Static IP configuration, enter an IP address and subnet mask.

In my case it is


Repeat this procedure for all the VLAN interfaces. For reference these are the IP addresses that I have used:


OPT1 –

OPT2 –


Interfaces Rules

For the sake of simplicity every interface will be allowed to communicate everywhere. In a production setup you would replace this with rules that only permit the inter-VLAN traffic you actually need; otherwise the VLANs give you separate addressing, not isolation.

Go to Firewall > Rules, on the LAN leaf.

Add new Rule

Action is Pass, Interface is LAN, Protocol is any, Source is any, Destination is any; enter a description too.

Repeat this step on the OPT1 and OPT2 leaves too.


DHCP Server Configuration

Go to Services > DHCP Server page.

On the LAN leaf, tick Enable DHCP server on LAN interface.

Enter Range from the subnet of the interface, in my case –

Click the Save button.

Repeat the procedure for the OPT1 and OPT2 leaves. In my case the ranges were:

LAN – –

OPT1 – –

OPT2 – –


Mikrotik RouterBoard RB250G Smart Gigabit Switch with five ports and SwOS v1.5

Before configuring VLANs on the switch, make sure that your firmware version is 1.2 or higher; at the time of writing version 1.5 is available. Older versions may give you problems with the VLAN functionality used here.

Switch VLANs Configuration

On the switch, go to the VLANs leaf and add the same VLANs as on the router. As port members always add Port1 plus one of the other ports. This is the tricky part: my pfSense router is connected to Port1, which makes it the trunk port, and it must be a member of all VLANs.

In my example

Port 5 is member of VLAN 100

Port 4 is member of VLAN 200

Port 3 is member of VLAN 300

On the VLAN leaf:

For Port 1, our trunk port: VLAN Mode is Enabled, Default VLAN ID is 1 and VLAN Header is Add If Missing.

For the other, access, ports: VLAN Mode is Strict, Default VLAN ID is whichever VLAN you planned for that port (from the VLANs configured on the router), Force VLAN ID can stay unticked and VLAN Header is Always Strip.


Now if you plug the test laptop into one of Ports 3, 4 or 5 and its NIC is configured for DHCP, you will get an IP address from the range of the VLAN configured on that port. Because of the allow-all rules you will have Internet access and access to hosts on the other VLANs.
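What the trunk and access port settings do to a frame, and what it means when a tag goes missing on the way (the problem described further down), is easier to see on the wire format. This is an added example, not SwOS or pfSense code: it builds and parses 802.1Q-tagged Ethernet frames and applies a simplified, generic trunk/access model (add the tag if missing on the trunk, classify untagged frames into the port's default VLAN, strip the tag on the access port); it does not reproduce SwOS's exact mode names. MAC addresses and payloads are constructed; the port-to-VLAN mapping is the one from the post.

```python
import struct

# Added example, not SwOS or pfSense code: building and parsing 802.1Q tags and
# a simplified model of what a trunk port ("add if missing" on egress, default
# VLAN for untagged ingress) and an access port ("always strip" on egress, one
# VLAN only) do with frames. MAC addresses and payloads are constructed.

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VLAN_NATIVE = 1                      # the switch's default VLAN, which is why the pfSense VLANs avoid 1
PORTS = {5: 100, 4: 200, 3: 300}     # access port -> VLAN, as configured in the post


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Ethernet II frame, optionally with a single 802.1Q tag (TPID + TCI)."""
    frame = dst + src
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def strip_tag(frame: bytes) -> bytes:
    """Access port egress ('Always Strip'): the host never sees the tag."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


def add_tag_if_missing(frame: bytes, vid: int) -> bytes:
    """Trunk port egress ('Add If Missing'): tag only untagged frames."""
    dst, src, existing, ethertype, payload = parse_frame(frame)
    return frame if existing is not None else build_frame(dst, src, ethertype, payload, vid)


def trunk_ingress(frame: bytes, native_vid: int = VLAN_NATIVE) -> int:
    """VLAN a frame arriving on the trunk (Port1) is assigned to: its tag, or
    the port's default VLAN when the tag is missing."""
    vid = parse_frame(frame)[2]
    return native_vid if vid is None else vid


def access_ingress(frame: bytes, port_vid: int):
    """Strict access port: untagged frames join the port's VLAN; a tag for any
    other VLAN is dropped (None)."""
    vid = parse_frame(frame)[2]
    return port_vid if vid is None or vid == port_vid else None


def forward(frame: bytes, access_port_vlans: dict):
    """Frame from pfSense enters the trunk and leaves, untagged, on the access
    port of its VLAN. Returns (port, untagged frame) or (None, None)."""
    vid = trunk_ingress(frame)
    for port, member_vid in access_port_vlans.items():
        if member_vid == vid:
            return port, strip_tag(frame)
    return None, None


if __name__ == "__main__":
    dhcp_offer = build_frame(b"\xff" * 6, bytes.fromhex("000c29aabbcc"), ETHERTYPE_IPV4, b"offer", vid=100)
    print("tagged 100 ->", forward(dhcp_offer, PORTS)[0])
    print("tag stripped by NIC ->", trunk_ingress(strip_tag(dhcp_offer)), "(native VLAN, no access port)")
```

The last line is the failure mode from the troubleshooting notes: once the host NIC removes the tag before the frame reaches the switch, the trunk classifies it into VLAN 1, and no access port on VLAN 100, 200 or 300 will ever receive it.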



Some issues that I faced along the way.

VMware Workstation Virtual Machine and VLANs support

My idea was to quickly configure one VM with pfSense and use the bridged interface for the connection to the switch. Everything worked fine until I configured VLANs. Then suddenly the communication between the router and the switch stopped. After a little network sniffing, what surprised me was that the packets were not tagged with VLANs. After extensive googling on the topic, I did not find a definitive reason for this strange behaviour. Part of the information was related to the physical NIC's VLAN support; the other part was about the VMware VM and the type of virtual NIC configured on the virtual machine. My EVGA X58 motherboard is equipped with two on-board Realtek NICs, which fortunately support VLAN and even Priority. When I checked the configuration of the bridged NIC, Priority & VLAN were Enabled.

The troubleshooting took me long hours, but finally I had an idea: what if I turn off the Priority & VLAN support on the physical NIC? And indeed, packets started showing up with the 802.1Q tags. My suspicion is that the physical NIC strips off the VLAN tag, and this is the cause of the disruption in communication between my router and switch.

Mikrotik RouterBoard RB250G

If you ping the switch the round-trip times are around 9-17 ms, which is huge considering the device is directly connected.

For more information look here:

Pings TO the switch dropped, high ping…



MikroTik Forum useful links:

The Section about Mikrotik RouterBoard RB250G:


please do not tag default vlan in “add if missing” mode

VLAN Tagging on SwOS

VLAN Trunk

Vlan Trunk / Access port configuration