Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash)
-
@bearhntr last question first, if pfSense is the DNS server it should forward queries for the network domain to Windows DNS. We generally just have Windows provide DNS and DHCP.
If ha.mydomain.com is not your Windows network domain then it’s irrelevant.
There’s no need to connect pfSense with AD. Perhaps RADIUS authentication for VPN?
-
@bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
OK makes sense...so here is where I am confused.
-
My HomeAssistant is accessible via CloudFlare both in my home and outside with the same URL (ex. https://ha.MyDomain.com) Both inside and outside take me to the same place. Would I have to change anything for "internal" (saying I chose sub-domain of AD or INT)?
-
Would I (or should I) setup pfSense with an AD login (LDAP)?
-
Which would be best as for setting up DHCP and DNS? Currently pfSense is doing all of that for IPv4 and IPv6. (cause me the least amount of headaches)
Why specifically do you want to achieve by using Active Directory and the Windows Server DHCP and DNS services? What are you expecting there that pfSense does not already provide for your network?
Setting this up is not hard, but it does require a rather full understanding of how DNS works, the difference between DNS resolving and forwarding, what authoritative DNS really means, etc. It also requires a good foundation in Microsoft's Active Directory configuration and management.
For a home network, I see absolutely no advantage of configuring AD LDAP for pfSense login. RADIUS perhaps for remote VPN access authentication, but even that is not really necessary for a home network in my opinion. It is very easy to make your network so complicated that it becomes unstable or unusable.
-
-
Apologies for the late response - I did not see that your response was out here.
I am looking to have a central user base - logins for various systems. I am not specifically 'locked' into Windows AD - as I happen to know it, that is why I was looking down that path. I am familiar with setting up the AD environment (in most cases) -- but more in an office lab environment where there is already an established DNS and Internet Gateway.
I know there are other LDAP methods, what specifically I am looking for is to be able to setup things like HomeAssistant, pfSense, NAS, and a few other systems with a single "domain" login and password - rather than individual logins on each of them. If that makes sense.
As I work from home, and need the setup of a 'lab' domain to test various softwares and configurations - on VM servers - this is why I am looking to possibly setup an AD environment.
-
@bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
Apologies for the late response - I did not see that your response was out here.
I am looking to have a central user base - logins for various systems. I am not specifically 'locked' into Windows AD - as I happen to know it, that is why I was looking down that path. I am familiar with setting up the AD environment (in most cases) -- but more in an office lab environment where there is already an established DNS and Internet Gateway.
I know there are other LDAP methods, what specifically I am looking for is to be able to setup things like HomeAssistant, pfSense, NAS, and a few other systems with a single "domain" login and password - rather than individual logins on each of them. If that makes sense.
As I work from home, and need the setup of a 'lab' domain to test various softwares and configurations - on VM servers - this is why I am looking to possibly setup an AD environment.
Sounds like what you really want is Single Sign-On (SSO). Windows AD can certainly provide that feature, but only if all of your devices/services are compatible with Active Directory. Not everything will work with Active Directory credentialling (at least not in native AD). More stuff is likely to work with Radius or maybe LDAP that in turn uses a Windows AD backend.
I did a quick Google search for HomeAssisant and Active Directory or LDAP integration. Some things I found suggest it is possible- with some work- to get LDAP to work. But I did not find a ready-made tutorial. That tells me maybe it does not actually work well yet. The LDAP functionality of Active Directory is not necessarily "standard" as is the case with most things Microsoft implements to sort of mimic a published standard. Things like that frequently almost work correctly, but just not 100% correctly
.Kind of the same thing with a NAS. How well it works with AD authentication is going to be determined by the level of support the underlying operating system of the NAS has for Samba/Active Directory. Some Linux-type systems are better at this than others.
-
We run this scenario at a client using Windows server as DHCP and DNS using pfsense only as a Firewall :)
Works no issues.
-
Thanks - I think what I really want is to have DHCP and DNS on pfSense, and maybe Windows Server 2019 Domain Controller as a backup to DNS. Since the majority of my home machines and lab machines will be Windows 7, 10, 11 and other servers - I truly feel this is the way I should go.
I am really hoping that I can get it all setup and working, as I would like to have single sign-on methods using AD (LDAP). Shame I could not do the same thing for all of these streaming services, banking and other web-based logins.
-
@bearhntr Windows DNS is much better.
Use only pfsense as GW and FW if you have the choice.
-
@bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
lab machines will be Windows 7, 10, 11 and other servers - I truly feel this is the way I should go.
Which are windows.. Why would you not just use windows as your dns and dhcp? Especially if your going to run an AD, be it these machines are actual members of the AD or not, if your going to resolve and use AD in your setup.
Pfsense dhcp and dns is great when you don't have anything else to use.. But if your MS shop, and have windows servers running already then why would you not just leverage it for dhcp and dns - this makes it much easier to all your AD stuff resolving correctly, etc.
-
Windows Server 2019 Domain Controller as a backup to DNS
As noted above set a domain override to forward AD queries to Windows or you’ll have problems. (Login failures, slow login, group policy not found, etc.)
-
@johnpoz Although it works great using AD DNS/DHCP, you will face some problems with pfblockerNG DNSBL and/or pihole.
You won't be able to know what IP is being blocked because all of them will reach pfsense using AD IP.In this situation, I enable DHCP relay in pfsense and use DHCP from AD, in which will register A and reverse entries.
For users, I use DNS from pfsense, but there I create domain override and networks reverse entries.It's working fine for a few customers..
Edit: Using AD DNS will also create a problem with DNSBL bypass.
-
@mcury said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
you will face some problems with pfblockerNG DNSBL and/or pihole.
Nope, not an issue.. your clients point to your AD for dns, then your AD forwards to unbound, or shoot even forwards to your pihole, and then pihole forwards to unbound so you can use both pihole and pfblocker, etc.
with DNSBL bypass.
For clients you don't want to be filtered by unbound. Create a conditional forwarder in your AD dns that sends them somewhere else for dns that is not filtered by unbound. Say bind running on your pfsense that running on a different port even.
-
@johnpoz When you check the Reports tab in pfblockerNG, all you can see is the AD IP as source of the connections.
-
@mcury see my edit... Yes all stuff going to unbound from your AD would be from the AD IP, but you can create a conditional forwarder that sends clients asking AD that you don't want to be filtered to go somewhere else for upstream dns, etc .
-
@johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
For clients you don't want to be filtered by unbound. Create a conditional forwarder in your AD dns that sends them somewhere else for dns that is not filtered by unbound. Say bind running on your pfsense that running on a different port even.
Hmmm, that is another option too.. -
@mcury said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
Hmmm, that is another option too..
There are always multiple ways to skin a cat.. But if your running AD, it makes sense to use that is as your first DNS, and also have it hand out dhcp.. And then skin the cat using that for whatever other thing you want to do with the skin.. Make a coat, or a purse, etc.
You could have your AD resolve even, and for stuff you want filtered use a conditional forwarder for those clients that forward to unbound/pihole, etc.
If everything is using your AD for dhcp and dns, this would be first stop to resolve all local resources - what happens after that you can configure in the AD dns - be it forwards to something that filters, be it forwarded to something that doesn't or even just resolve.
But when you run AD, clients of the AD should use it for dns and dhcp - this makes AD run easier and smoother.
-
@johnpoz I see your point.
I have been doing what I described above for a few years and no problems so far.But next time, I'll check that bind option indeed.. Point users to AD and check how it goes.
-
@mcury Sure if you know what your doing and how to setup domain forwards in unbound, etc, you can can have all your AD resolve, etc. But if your a MS shop, and your running AD.. It is cleaner to have your dns and dhcp via the AD.. What happens with filtering for dns records can either happen there in your AD dns.. or you can forward for your external filtered records to something that filters - be that pihole or unbound, etc.
Like said there are many ways to skin a cat ;)
-
@johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):
Like said there are many ways to skin a cat ;)
Indeed :)
-
@mcury personally I am what is good for the goose is also good for the gander.. If I am going to "filter" something - then all things should be filtered..
If there is some resource that should be able to resolve something, why would I filter it for just some and not all - the thing is either bad or its good.. Filtered or not filtered.. Not a fan of oh you can not lookup that fqdn, but my other device can..
You also have to keep in mind when your going to filter for some and not for others - that you don't run into a caching issue where client A looks up something and he is not filtered, and now that something is cached so when client B asks for it - guess what he gets the answer from cache, when it should of been filtered for him, etc.
Something is either filtered or not filtered - if you find you need to be able to resolve something or get to something for something to work.. Guess that something shouldn't be filtered in the first place, and all things should be able to get to it..
-
@johnpoz Me too, but sometimes that depends on what the customer needs.
Squid requires so much maintenance that I'm not using it anymore, and some customers asks for web filtering.In this situation, I'm using pfblockerNG to create a few block lists, create a GPO to block DOH, DOT, QUIC, in the browsers..
For the managers or VIPs, I just put them in the python bypass in DNSBL.Sometimes, when I need multiple filtering groups, I go for Squid but I only set it in the browsers, to avoid some applications problems.
Explicit, with some bypasses directly from the client or using PAC, or directly in the browser configuration.
When I do like this, I force the use of the proxy by GPO, not allowing the user to change this setting.
