I have not set up and configured the DHCP Server yet, I’m still using pfSense for that service for now. However, I’m using pfSense as my NTP server, and I’m actively changing the IPs on this network to static, because I will be setting up an IdM (Identity Management) Server.
With that said, even though the pfSense DNS Server is Unbound, is it better to set up my own BIND DNS than to use pfSense, or does it really matter? To note, this will be my twin of my production environment, and after successfully getting this network working, it will be implemented on the production server.
I have never used BIND, but Unbound works pretty well for me. I like that I can do all my DHCP reservations in pfSense and then Unbound will register both my static reservations as well as any DHCP leases in the DNS resolver. I also like having host overrides all in one place too.
I was able to create some firewall rules to block DoT and DoH and I “sinkholed” the Firefox canary domain in my host overrides. So far pfSense/Unbound has been doing a really good job of capturing all my DNS requests and only sending them out over TLS to Cloudflare, my upstream DNS of choice.
Just out of curiosity what is the purpose of having a router in front of pfSense, which is also a router? Seems a bit redundant to me. I have a much “flatter” network in my small home lab, but I also have more network segmentation than you seem to have. I run 5 different VLANs: IoT, Televisions, Guest, Home, Server (almost like a DMZ), and Management interfaces.
The diagram for the VM pfSense network is the same as the guide; it is just a reference example of what I will be doing in the isolated VM network. Everything in the brown box is VMs inside the KVM Server.
You don’t need to have two pfSense instances running. You could just have the one in blue, and connect a trunked port to your KVM server. Then you can specify specific VLANs for every VM.
I’m using OPNsense, pretty much the same thing. For a while I had it also serve DNS, NTP and DHCP requests, and whenever I was doing any kind of maintenance everything went down. Not fun.
Having services separated is a bit more admin work, sure. The upside is a more robust infrastructure. Dual DNS BIND servers in a main-backup relationship, and dual DHCP servers, means no downtime for any of the critical infra services. Also dual NTP servers. Leaving OPNsense with just routing and the edge firewall, it works great at that.
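The main-backup BIND pair mentioned above, as an added example of the two named.conf zone stanzas involved (not the poster's configuration). The zone name, the addresses 192.0.2.10/192.0.2.11, the file paths and the key name are assumptions; the secret is a placeholder to be replaced with the output of `tsig-keygen`. The `primary`/`secondary`/`primaries` keywords need BIND 9.16 or newer (older releases use `master`/`slave`/`masters`).

```conf
// ---- primary (192.0.2.10): /etc/named.conf ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";   // placeholder
};

zone "lab.example." {
    type primary;
    file "/var/named/lab.example.db";
    // Only a TSIG-signed request from the backup may pull the zone.
    allow-transfer { key xfer-key; };
    // Push a NOTIFY to the backup on every zone change.
    notify yes;
    also-notify { 192.0.2.11; };
};

// ---- secondary (192.0.2.11): /etc/named.conf ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";   // same secret as primary
};

zone "lab.example." {
    type secondary;
    // Sign AXFR/IXFR requests to the primary with the shared key.
    primaries { 192.0.2.10 key xfer-key; };
    file "/var/named/secondary/lab.example.db";
    // The backup answers queries but never hands the zone to anyone else.
    allow-transfer { none; };
};
```

Clients (or the DHCP option 6 list) then carry both addresses, so either server can answer while the other is being patched. `named-checkconf` validates the syntax on each host, and `rndc zonestatus lab.example` on the secondary shows whether the transfer from the primary succeeded.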
In my system I do. I did not include my Unifi Switch for the overall view of all my OS systems, because I wanted to address the DNS, DHCP, etc., but here is another diagram update. And to mention, I have 2xPi4 OS, 2xWindows OS, a laptop, a Debian 13 Lab Server and a Debian 13 Production Server all connected to the Unifi Switch not shown:
My barebone pfSense OS handles all VLANs, rules etc. I do all my testing and stuff on the Debian Lab, which also has a VM pfSense isolated network resembling the diagram as well, before implementing it on the isolated pfSense network (which I call Stage II Production QOS), and from there to the barebone Debian 13 Production Server not shown on the diagram.
The Stage II Production QOS is live on the internet for testing. After completing a full test, my barebone server will go live on the internet.
This is what I was looking for, a better overall insight into keeping my LAN infrastructure protected from such incidents as you mention. I experienced somewhat the same a while back.