Netgate Discussion Forum
Domain Controller behind pfsense NAT
14 Posts 4 Posters 1.2k Views

William Bento Rodrigues @michmoor:

@michmoor Despite the interface being called the WAN, all of pfsense's interfaces (LAN and WAN) are in a private network. None of them can be accessed through the internet.

johnpoz (LAYER 8, Global Moderator) @William Bento Rodrigues:

@William-Bento-Rodrigues Well why make it pfsense "wan" then... Just make it another lan.. Then you don't have to worry about port forwarding and nat.. And you can just create firewall rules to allow what you want..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

William Bento Rodrigues @johnpoz:

@johnpoz As it's configured only for NAT 1:1, the firewall rules are allowing all traffic. I'm not filtering anything. Just to make it clearer: the LAN interface is OT (automation) and the WAN interface is IT (it's the IT VLAN). Despite them being two internal networks, we need to translate an OT device into an IT IP to allow remote desktop, patching and so on within the IT network.

johnpoz (LAYER 8, Global Moderator) @William Bento Rodrigues:

@William-Bento-Rodrigues And does this "wan" get you to other networks? If not then it's not a WAN..

Been many years since I worked in the server area and AD, etc.. But you're still doing nat.. And is this network you're coming from even set up in your AD.. Just seems like a horrible setup, for what reason other than complication and problems..

William Bento Rodrigues @johnpoz:

@johnpoz Thank you for the feedback, but it's the client's design. Do you have any idea how to make it work?

johnpoz (LAYER 8, Global Moderator) @William Bento Rodrigues:

@William-Bento-Rodrigues So the client told you to make this the wan and pfsense and nat to our stuff behind it? Or the client set this all up and called you to try and make it work?

As to how to make it work, yeah don't nat and set it up how any normal network would be set up ;)

Worked for an MSP for many years, 13 something - saw a lot of crazy customer setups... Never saw where some customer put their AD DCs behind a nat router to the rest of their network ;) Because well that is just insane..

michmoor (LAYER 8, Rebel Alliance) @johnpoz:

@johnpoz said in Domain Controller behind pfsense NAT:

    put their AD DCs behind a nat router to the rest of their network ;) Because well that is just insane..

ehhhh... I've seen it. I'm living it now. We got IP overlap so we needed to DNAT or SNAT.

Firewall: NetGate, Palo Alto-VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP, CCNP Enterprise

William Bento Rodrigues @johnpoz:

@johnpoz pfsense is a legacy of the site.

William Bento Rodrigues @michmoor:

@michmoor Have you figured out a way to do it?

michmoor (LAYER 8, Rebel Alliance) @William Bento Rodrigues:

@William-Bento-Rodrigues Depending on the traffic direction you will need to set up either a SNAT or DNAT. In your example, from "WAN" to LAN, you need to set up a DNAT with the appropriate firewall rules.

William Bento Rodrigues @michmoor:

@michmoor Thank you! Would you have a screenshot of how to do it in pfsense?

SteveITS (Galactic Empire) @William Bento Rodrigues:

@William-Bento-Rodrigues Forwarding port 53 would provide DNS, but the workstation would need to know to use that WAN IP… probably a domain override on the upstream router. But then AD DNS would respond with the DNS server IP. Lots of monkeying around with that I'd think.

If you get it to work you'll presumably need other ports too, for instance SMB to pick up netlogon/group policy. Not sure exactly which are needed for the "join" part.

Setting up static routes to the server subnet without NAT seems easier…?

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!
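SteveITS's point that AD DNS answers with the DC's own (OT-side) address is the part that usually bites with 1:1 NAT: the SRV and A records a domain-joined IT client receives still name OT addresses, and any of them without a 1:1 mapping is unreachable. The check below is an added example, not code from the thread or from pfSense; the OT subnet, the NAT map, the hostnames and the DNS records are all constructed.

```python
"""Flag AD DNS targets that an IT client would be told to use but cannot reach
through the 1:1 NAT. All values below are constructed sample data."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed OT (pfSense LAN side) subnet and the 1:1 NAT map (OT address -> IT address).
OT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
NAT_1TO1: Dict[str, str] = {"10.10.0.5": "192.168.50.5"}

# Constructed sample of what the DC's zone hands back: SRV records name hosts,
# A records give the address behind each host.
SAMPLE_SRV: Dict[str, List[str]] = {
    "_ldap._tcp.dc._msdcs.corp.example": ["dc1.corp.example", "dc2.corp.example"],
    "_kerberos._tcp.corp.example": ["dc1.corp.example"],
}
SAMPLE_A: Dict[str, str] = {
    "dc1.corp.example": "10.10.0.5",   # has a 1:1 mapping
    "dc2.corp.example": "10.10.0.6",   # no mapping: invisible from the IT side
}


def translate(addr: str) -> Optional[str]:
    """Return the address an IT client can actually reach for addr, or None."""
    if ipaddress.ip_address(addr) not in OT_SUBNET:
        return addr               # already an IT address, nothing to translate
    return NAT_1TO1.get(addr)     # None when no 1:1 mapping exists for this host


def find_unreachable(srv=SAMPLE_SRV, a=SAMPLE_A) -> List[Tuple[str, str, Optional[str]]]:
    """List (srv_name, host, addr) for every SRV target with no reachable address."""
    problems = []
    for srv_name, hosts in srv.items():
        for host in hosts:
            addr = a.get(host)
            if addr is None or translate(addr) is None:
                problems.append((srv_name, host, addr))
    return problems


def reachable_targets(srv=SAMPLE_SRV, a=SAMPLE_A) -> Dict[str, str]:
    """Map each reachable SRV target host to the address the IT client must use."""
    out = {}
    for hosts in srv.values():
        for host in hosts:
            if host in a and translate(a[host]) is not None:
                out[host] = translate(a[host])
    return out


if __name__ == "__main__":
    for srv_name, host, addr in find_unreachable():
        print(f"{srv_name} -> {host} ({addr}): no 1:1 NAT mapping, unreachable from IT")
```

Anything listed by find_unreachable needs either its own 1:1 mapping or a host override on the IT-side resolver pointing at the translated address; in practice the same check applies to the SMB and Kerberos targets SteveITS mentions, not just LDAP.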

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.