Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash)

mcury

@johnpoz I see your point.
I have been doing what I described above for a few years and no problems so far.

But next time, I'll check that bind option indeed.. Point users to AD and check how it goes.

johnpoz

@mcury Sure if you know what your doing and how to setup domain forwards in unbound, etc, you can can have all your AD resolve, etc. But if your a MS shop, and your running AD.. It is cleaner to have your dns and dhcp via the AD.. What happens with filtering for dns records can either happen there in your AD dns.. or you can forward for your external filtered records to something that filters - be that pihole or unbound, etc.

Like said there are many ways to skin a cat ;)

mcury

@johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

Like said there are many ways to skin a cat ;)

Indeed :)

johnpoz

@mcury personally I am what is good for the goose is also good for the gander.. If I am going to "filter" something - then all things should be filtered..

If there is some resource that should be able to resolve something, why would I filter it for just some and not all - the thing is either bad or its good.. Filtered or not filtered.. Not a fan of oh you can not lookup that fqdn, but my other device can..

You also have to keep in mind when your going to filter for some and not for others - that you don't run into a caching issue where client A looks up something and he is not filtered, and now that something is cached so when client B asks for it - guess what he gets the answer from cache, when it should of been filtered for him, etc.

Something is either filtered or not filtered - if you find you need to be able to resolve something or get to something for something to work.. Guess that something shouldn't be filtered in the first place, and all things should be able to get to it..

mcury

@johnpoz Me too, but sometimes that depends on what the customer needs.
Squid requires so much maintenance that I'm not using it anymore, and some customers asks for web filtering.

In this situation, I'm using pfblockerNG to create a few block lists, create a GPO to block DOH, DOT, QUIC, in the browsers..
For the managers or VIPs, I just put them in the python bypass in DNSBL.

Sometimes, when I need multiple filtering groups, I go for Squid but I only set it in the browsers, to avoid some applications problems.
Explicit, with some bypasses directly from the client or using PAC, or directly in the browser configuration.
When I do like this, I force the use of the proxy by GPO, not allowing the user to change this setting.

johnpoz

@mcury said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

Sometimes, when I need multiple filtering groups

Maybe some education of your clients is what is needed here.. But yeah filtered of groups sometimes in a work setup is prudent.. While you might trust salaried guy to not spend his time shopping amazon while suppose to be working, while some group machine sitting on the plant floor that anyone can just walk by, etc.

Still not a fan of playing internet nazi, but yeah sometime customers don't get it. So you think keeping the plant floor machine from going to amazon stops them from going to amazon? They prob just use their phone if the computer can't get there.. Just like boss man could..

If it filtered it should be filtered for all, if its open - then its open for all.. I use to run web filtering for a large corp for many years, and they finally wised up and just used the same filtering set for all, vs like 5 different goups - oh these guys can go to shopping, these guys can only during lunch, etc. etc.. It just over complicates everything, and just leads to problems in all aspects - more work for the IT, more frustration for others - why can billy go to xyz.com while susan can't etc. etc.

They went with policy of group type kiosk machines out on the floor were just limited to specific whitelist internet a few external sites like insurance website, etc. And then they could get to anything on the intranet.

If you figured out a way to skin the cat to give the customer what they asked for then great.. But depending on the breed and size of the cat - there are always going to be multiple ways to skin it to make what you want out of the skin ;)

mcury

@johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

If you figured out a way to skin the cat to give the customer what they asked for then great.. But depending on the breed and size of the cat - there are always going to be multiple ways to skin it to make what you want out of the skin ;)

That is it.. :)

bearhntr

You have all give some great ideas. In my current setup - I have pfSense immediately behind the Comcast modem , then from pfSense there is my Netgear Orbi (as my home has no wiring; yet, for Ethernet) and the Orbi has a satellite in the other end of the house (my office - with 4 ports and those are providing wired Ethernet to my personal and work computers); but for all intents everything in wireless in the home - one day that will all change. On pfSense I have CloudFlare DDNS setup which allows me access to my HomeAssistant with my own domain hosted at CF.

I would like to at some point use pfBlocker or some other filter adBlocker, but not gotten that far yet. My work role changed and thus the need to stand up some server and workstation VMs using AD/LDAP for signing on, etc.

pfSense is running on a stand-alone HP ThinClient and currently the Server 2019 I was going to use as AD/DS is on a Proxmox VM - which also has 2 other Server installs and 2x Windows 10, 1x Windows 7 and 1x Windows 11 VMs (lab).

Should I look to put the AD/DS on its own box - I do have a spare server (older) which on-board NIC and a 4-port PCI Ethernet card installed.

Looking for best suggestions to make this all work - and try to keep the lab and the home separate (not super familiar with VLANs - yet). Home uses a 10.9.28.1/24 network and was thinking that I would use 10.100.28.1/24 for Lab. But I would also like to make sure that "if I want/need to" - I can access lab from home network.

I know that during the installation of the AD/DS it will install DNS and it really needs to be setup to make things work best.

Currently pfSense looks like this - and has the roles of DNS, DDNS, IPv4 and IPv6:

bearhntr

I am also going to need at some point to setup a CA for the lab.

My real goal would be to have AD/DS logins for everything - which I realize means a HOME and a LAB Domain (or a sub-domain for one of them under the other).

bearhntr

@bmeeks and @SteveITS

Just a mind-scratcher for me. I have my own domain (to the Internet) that Google is my provider - for the next 2.5 years then may move. CloudFlare requires this.

Am I able to:

a) use that domain when I setup my DC? Is it going to cause fits?

b) somehow setup a sub-domain (will I need another DC or something else) to separate my home machines from the proposed lab?

Thanks in Advance

bmeeks

@bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

a) use that domain when I setup my DC? Is it going to cause fits?

While "fits" may be a bit strong, it would most definitely cause you a lot of heartache and thus should be avoided. Don't use your public domain for your private Active Directory domain.

The proper way to do this is with a sub-domain. So, for example, if your public domain currently registered with Google is mydomain.com, then your Active Directory domain on your LAN would be internal.mydomain.com. There are a few other ways to name, but all suggest a sub-domain. Here is a TechNet article about this: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx.

And yes, you need a separate domain controller for each Active Directory domain (including subdomains). You can't host multiple domains on the same domain controller. So, if you want a lab internal domain, then it will need its own domain controller separate from other domain controllers for your LAN.

bearhntr

@bmeeks

Thank You - That is what I was thinking, but wanted some assurance.

So one more question. Do you think I should setup a VLAN in pfSense - put it on another port of the 4-port NIC in my pfSense box, and use that specifically for the lab domain? I can clone the current 2019 VM (it has not yet been promoted or even added DC role), and make it the DC for lab). Then put that VM on another port of the 4-port NIC in that box.

johnpoz

@bmeeks said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

Don't use your public domain for your private Active Directory domain.

This is so true... I just had to help a buddy work through an issue related to this at his new job. Their public site moved to a new hoster, and the new hoster had a redirect for www.domain.tld to domain.tld

While they had setup in their proxy for www.domain.tld to go via the proxy, domain.tld was direct so they could get to local resources.. Well guess what that broke with that redirection the new host setup..

Simple solution was them to have the host turn off redirection, so when your in the office you had to use www.domain.tld but if out on the public you could use www.domain.tld or domain.tld and get to the site.

it is not a good idea to use the same domain externally as your going to use internally.. Either use a different tld, so domain.com outside and domain.net internally or sub domain domain.com external and say local.domain.com internally, etc.