10 August 2024
AREDN Mesh Access via PFSense Firewall
After several months of wrestling with integrating an AREDN node into my home network, I finally arrived at an iteration that I think I am content with. It isn't perfect, and I will detail the limitations below, but to sum it up, I am treating the AREDN node as a second WAN, with a bit of tomfoolery to get DNS working properly.
This guide will only allow for access to resources on the mesh. It will not allow access to the wider internet via the mesh.
Most of the configuration followed the PFSense dual-WAN guide word for word (which can be found here). As seen in the screenshot above, the connection is set up as DHCP. One area where I deviated from the guide is unchecking both boxes under the 'Reserved Networks' header, as AREDN utilizes the 10.0.0.0/8 private address space. On a side note, your home network better not be using the same address space or you're probably going to have a bad day.
The most important key to making all this work is DNS. If you try to enter your AREDN node's IP address as a DNS resolver for the AREDN connection gateway, PFSense will puke out an error. This leads to my workaround utilizing PFSense's internal DNS resolver, Unbound.
In the PFSense 'Services' menu, select 'DNS Resolver' and scroll all the way to the bottom, where you will see the header 'Domain Overrides'. Add an override for the domain "local.mesh" pointing at the IP address of your local AREDN node. This tells Unbound to forward every query for a name ending in local.mesh to the mesh node, while all other names keep resolving through your normal resolvers.
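As an added example (my own script, not part of the original post or of PFSense or AREDN), here is a small pre-flight check for the two things above that bite people: a LAN subnet that collides with the 10.0.0.0/8 space AREDN uses, and an override that matches more or fewer names than intended. It also renders the Unbound stanza that a 'local.mesh' domain override amounts to, so you can reproduce the setup on a stand-alone Unbound; the node address 10.1.2.3 and the LAN subnets are constructed placeholders, and the `private-domain` line is included because Unbound's rebinding protection (`private-address`) otherwise drops answers inside 10/8.

```python
import ipaddress

# Address space AREDN allocates from; your LAN must stay out of it.
MESH_SPACE = "10.0.0.0/8"


def overlapping_lans(lan_cidrs, mesh_cidr=MESH_SPACE):
    """Return the LAN subnets that collide with the mesh address space."""
    mesh = ipaddress.ip_network(mesh_cidr)
    return [
        cidr
        for cidr in lan_cidrs
        if ipaddress.ip_network(cidr, strict=False).overlaps(mesh)
    ]


def is_forwarded(qname, override_domain="local.mesh"):
    """Does a domain override for override_domain catch this query name?

    Mirrors Unbound forward-zone matching: the zone apex itself and any
    subdomain match; a name that merely ends with the same characters
    (e.g. 'evil-local.mesh') does not.
    """
    name = qname.rstrip(".").lower()
    zone = override_domain.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def render_unbound_override(domain, node_ip):
    """Render the unbound.conf equivalent of a PFSense 'Domain Override'.

    PFSense writes its own config from the GUI entry; this renders the same
    forward-zone for a stand-alone Unbound. node_ip must be a mesh address.
    """
    ip = ipaddress.ip_address(node_ip)
    if ip not in ipaddress.ip_network(MESH_SPACE):
        raise ValueError(f"{node_ip} is not inside {MESH_SPACE}")
    return (
        "server:\n"
        f'    # allow answers under {domain} to contain 10/8 addresses\n'
        f'    private-domain: "{domain}"\n'
        "forward-zone:\n"
        f'    name: "{domain}"\n'
        f"    forward-addr: {ip}\n"
    )


def preflight(lan_cidrs, node_ip, domain="local.mesh", sample_names=()):
    """Run all checks and return a dict a caller (or a test) can inspect."""
    collisions = overlapping_lans(lan_cidrs)
    return {
        "collisions": collisions,
        "forwarded": {n: is_forwarded(n, domain) for n in sample_names},
        "config": render_unbound_override(domain, node_ip),
    }


if __name__ == "__main__":
    # Constructed sample values: a home LAN and a hypothetical node address.
    report = preflight(
        ["192.168.1.0/24", "10.20.30.0/24"],
        "10.1.2.3",
        sample_names=["printer.local.mesh", "evil-local.mesh", "example.com"],
    )
    for cidr in report["collisions"]:
        print(f"WARNING: LAN {cidr} overlaps {MESH_SPACE}; renumber it first")
    for name, fwd in report["forwarded"].items():
        print(f"{name:<24} -> {'mesh node' if fwd else 'normal resolver'}")
    print(report["config"])
```

Run it with your real LAN subnets and node address; any printed collision means the dual-WAN setup will misroute traffic no matter how the DNS side is configured.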
And that's it! Point your browser at your node and browse around the mesh to make sure everything works as expected. Note that this is not a perfect solution. For example, if you host a service behind PFSense that you also wish to expose to the mesh, you will have to add a second set of rules to expose that device and specific port. In that scenario, it would also be beneficial to add a static IP in your mesh node as well. However, for simple access to the larger mesh, this solution is hard to beat.
~ moose