pfSense DNS Configuration

I have been running a home lab for quite some time now. Being a software engineer, I wanted to have self-hosted, state-of-the-art tools both for continuous learning and for my own personal side projects. One of the things I lacked, however, was a sufficient security posture.

To solve this problem, I have chosen to utilize pfSense. pfSense is open source security software which provides firewall, intrusion detection, intrusion prevention, and many other features. Its setup is relatively straightforward, but I did have some issues that I needed to work through regarding DNS.

I chose to run pfSense in a small form factor fanless appliance. Installation of the software required downloading the pfSense image to a USB drive and then following through the on-screen setup. I configured the Wide Area Network (WAN) and Local Area Network (LAN) interfaces as needed and then replaced my old router with the appliance.

I have other DNS servers running on my network. I have an ad-blocking DNS and a DNS which runs in my Windows Server instance. The idea was to have the pfSense DNS Resolver use the ad blocker as its upstream server, then have the ad blocker use the Windows instance as its upstream, and finally have the Windows instance use Google’s public DNS as its upstream.

This configuration just did not want to work. I continuously received timeouts when querying sites which I knew were available. At first, I thought it may have been the appliance because I could replace it with my original router and all would work fine.

[Image: Ad Blocker Dashboard]

As you can see from the image above, I was able to get everything working the way I wanted, but I did have to make some minor changes. I reversed the order of my DNS servers. In the DHCP setting of my appliance, I set the ad-blocking DNS as the root DNS for my network. The ad-blocking DNS uses the Windows server as its upstream and the Windows server uses pfSense as its upstream. Finally, the appliance uses Google’s public DNS for its upstream. In this configuration, as client devices renew DHCP leases, they pick up the ad blocker as their DNS and queries are routed properly. This gives me the DNS protection I want and also allows proper queries for my network.

Piwigo an Open Source Photo Gallery

From their website, piwigo.org, Piwigo is open source photo gallery software for the web which is designed for organizations, teams, and individuals. This article details the installation process for Piwigo on CentOS 7.

1. Install the LAMP Stack and Dependencies

The Linux, Apache, MySQL/MariaDB, and PHP stack is a basic stack which enables serving PHP-based web applications. For CentOS, the database is MariaDB. For our installation, we want to install the latest version of PHP, so we will install the EPEL repository, add the Remi repository for CentOS 7, and disable any versions of PHP less than version 7.

# yum install epel-release
# yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
# ls -l /etc/yum.repos.d/
# vi /etc/yum.repos.d/remi-php54.repo    # set enabled=0 in this file
# vi /etc/yum.repos.d/remi-php72.repo    # set enabled=1 in this file

The following command will install everything necessary for Piwigo including the LAMP stack and other dependencies.

# yum install httpd mariadb mariadb-server php php-mysqli php-gd php-fpm php-devel php-pear gcc ImageMagick ImageMagick-devel unzip wget rsync pwgen curl

2. Enable Apache and MariaDB

After installing the dependencies, you need to start and enable Apache as well as MariaDB.

# systemctl start httpd mariadb
# systemctl enable httpd mariadb

3. Create Piwigo Database and Database User

Next, configure the root password for MariaDB and create the database and user for Piwigo. In the commands below, replace <password> with a password of your choice.

# mysql_secure_installation
# mysql -u root -p
> CREATE DATABASE piwigo_db;
> CREATE USER 'piwigo_user'@'localhost' IDENTIFIED BY '<password>';
> GRANT ALL PRIVILEGES ON piwigo_db.* TO 'piwigo_user'@'localhost';
> FLUSH PRIVILEGES;
> EXIT;

4. Install Piwigo

Now we can obtain the latest version of Piwigo using curl and then move it into the Apache web folder.

# curl -L "https://piwigo.org/download/dlcounter.php?code=latest" -o piwigo.zip
# unzip piwigo.zip
# mv piwigo /var/www/html
# chown -R apache: /var/www/html/

5. Make Changes for SELinux

You can handle SELinux in two ways. The first is to simply disable SELinux. A better way is to have SELinux allow access to the files in our Piwigo directory.

# cd /var/www/html/piwigo/
# chcon -vR --type=httpd_sys_rw_content_t .

6. Completing the Web Installation

After all of this, you simply navigate to the root of your web installation (http://ip-address) and enter the credentials for your database and click Start installation.

7. Modify Time Zone

Issues may arise with the timezone if it is not set in the php.ini file. To correct any of these problems, modify the date.timezone parameter in the file with the appropriate value.

# vi /etc/php.ini
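
Added example, not part of the original article: the chcon command in step 5 makes the whole Piwigo tree writable for httpd and is not recorded in the SELinux policy, so a later relabel undoes it. The script below records persistent rules with semanage fcontext and marks only the directories assumed to need writes as writable (the RW_DIRS list, the DRY_RUN switch and the function names are assumptions of this example, not Piwigo or CentOS settings).

```shell
#!/bin/sh
# Added example (not from the article): persistent, least-privilege SELinux
# labels for Piwigo. RW_DIRS and DRY_RUN are assumptions of this sketch.
PIWIGO_ROOT="${PIWIGO_ROOT:-/var/www/html/piwigo}"
# Sub-directories the web server is assumed to need write access to.
RW_DIRS="${RW_DIRS:-_data upload local/config}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands for review, 0 = execute

# Print a command (quoting arguments that need it) or execute it.
run() {
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
        return
    fi
    printf '+'
    for arg in "$@"; do
        case "$arg" in
            *[!A-Za-z0-9_/.:=-]*) printf " '%s'" "$arg" ;;
            *) printf ' %s' "$arg" ;;
        esac
    done
    printf '\n'
}

label_piwigo() {
    # Under /var/www the default policy already maps files to
    # httpd_sys_content_t (read-only for httpd), so only rw rules are added.
    case "$PIWIGO_ROOT" in
        /var/www/*) ;;
        *) echo "PIWIGO_ROOT must be under /var/www" >&2; return 1 ;;
    esac
    for p in "$PIWIGO_ROOT" $RW_DIRS; do
        case "$p" in   # file-context specs are regexes: allow no metacharacters
            *[!A-Za-z0-9_/-]*) echo "refusing path: $p" >&2; return 1 ;;
        esac
    done
    for d in $RW_DIRS; do
        run semanage fcontext -a -t httpd_sys_rw_content_t \
            "${PIWIGO_ROOT}/${d}(/.*)?" || return 1
    done
    # Reset the tree to what the policy says; -F forces a full context reset.
    run restorecon -R -F -v "$PIWIGO_ROOT"
}

label_piwigo
```

Run it once with the default DRY_RUN=1 to review the commands, then as root with DRY_RUN=0; on CentOS 7, semanage comes from the policycoreutils-python package. In-application plugin or theme updates would need their directories added to RW_DIRS.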

In this article, I covered the basics of installing and configuring the open source image gallery Piwigo. The installation here covers an instance without SSL. In a future article, I will discuss the addition of SSL using a reverse proxy and the changes that are necessary to keep Piwigo operating properly.