How to use a Windows DHCP Server on LAN instead of pfSense DHCP Server?
-
Great news. Thanks to all of your help, I was able to set up the DNS and DHCP servers on my Windows Server 2012 Essentials box on my home network.
Now all LAN client PCs are getting DHCP IPs from my Windows server as expected and can access the internet. However, my Windows server itself is still unable to browse the internet. I cannot seem to figure out what might be blocking that machine.
Any suggestions on how to determine that? It's baffling to me.
-
is still unable to browse the internet. I cannot seem to figure out what might be blocking that machine.
What web site did you attempt to browse? What is reported when you attempt that?
What is reported when you point your browser to the IP address of the pfSense LAN interface?
What does the Windows system think is its default gateway?
-
wallabybob, any web site fails just as ping attempts to sites time out. For example www.google.com, microsoft.com, etc.
When the server attempts to browse the site, it acts as if the system doesn't have internet access. In fact, the server box (192.168.0.5) itself appears not to have internet access all around as other apps (usenet, crashplan, etc.) cannot find an internet connection.
The system thinks its default gateway is 192.168.0.1.
FWIW, all other client PCs on my LAN can access the internet fine thru the pfsense router so it must be something specific to this machine. A tracert to www.google.com from another client PC on my LAN returns:
Tracing route to www.google.com [74.125.227.146]
over a maximum of 30 hops:
1 20 ms 33 ms 13 ms pfsense.localdomain [192.168.0.1]
2 * 21 ms 24 ms 10.54.16.1
3 28 ms 15 ms 26 ms 70.183.68.45
4 27 ms 28 ms * kscydsrj01-ae0.rd.ks.cox.net [70.183.71.85]
5 34 ms * 29 ms 70.183.66.246
6 34 ms * 33 ms 70.183.71.65
7 * 33 ms 45 ms 68.1.5.140
8 43 ms 55 ms 50 ms 72.14.212.233
9 44 ms 46 ms 33 ms 72.14.233.67
10 * * 60 ms 216.239.43.187
11 54 ms 41 ms 45 ms dfw06s17-in-f18.1e100.net [74.125.227.146]
Trace complete.
A tracert from the server (192.168.0.5) to www.google.com goes to pfsense.localdomain then times out. Doesn't appear to leave the router?
-
But you say it works if it's dhcp. You sure you're not blocking .5 in your lan rules? Or are you doing something wrong with nat and the .5 address?
-
OK - so after additional troubleshooting, it appears that as soon as I add a NAT > 1:1 mapping from one of my ISP's static public IPs to my windows server box of 192.168.0.5, the 192.168.0.5 is losing outbound internet access.
If I then reboot pfsense, it restores internet connectivity for 192.168.0.5 for a few minutes but quickly disconnects until rebooted again. Whereas, if I then remove the 1:1 mapping and reboot, connectivity is once again restored.
Ultimately, I am wanting to register one of my static ISP public IPs to my 192.168.0.5 so that I can RDP into the server from the internet by way of its ISP public IP.
Should I be doing this differently?
-
So do you have static IPs? Thought you said you got your IPs from your cable modem via dhcp?
Accessing your server behind pfsense does not require a 1:1 nat - just port forward 3389 (remote desktop) to your server's private IP.
I would suggest you vpn to your pfsense box, and then you can access whatever you want on the inside of your pfsense. VPN is going to be more secure than just rdp open to the public.
-
Yes - I apologize for the confusion. My ISP has issued me 5 static IPs. Call them 200.x.x.1, 200.x.x.2, etc.
Prior to using my Windows Server (LAN IP 192.168.0.5) as a DHCP and DNS server, I used pfsense's built-in DHCP server. At that time, I was able to:
1.) set up Virtual IPs of 200.x.x.1, 200.x.x.2, etc. (I used the IP Alias option there)
2.) Go into NAT > 1:1 and map a WAN IP to a LAN IP. For example: 200.x.x.1 would point to 192.168.0.5
3.) Use Firewall > Rules (WAN) to define ports so that WAN access to 200.x.x.1:3389 would go to 192.168.0.5:3389
However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5. For example, if I now point NAT > 1:1 of 200.x.x.2 to 192.168.0.5 for FTP, web access, etc., suddenly the 192.168.0.5 box can no longer access the internet until I remove the NAT > 1:1 mapping.
Can't figure out how to point public static IP 200.x.x.1 to 192.168.0.5 without using Virtual IP and a NAT 1:1 mapping. Perhaps under Virtual IP I should be using CARP or something other than IP Alias, but I'm a bit unclear. Hope this helps. Thanks again!
-
However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5.
It is hard for me to imagine how enabling/disabling DHCP server on LAN would allow/block internet access from 192.168.0.5. Perhaps there is something else you are doing that you haven't told us yet.
-
"1 WAN interface obtaining DHCP IP from cable modem."
"My ISP has issued me 5 static IPs. Call them 200.x.x.1, 200.x.x.2, etc."
You sure about that?? That your static IPs are active? Are they in the same segment as the IP you get via dhcp? Normally if you got static IPs from your ISP you wouldn't be using dhcp on your wan interface but static with one of the IPs you got.
I am thinking you're getting say a 24.13 or something address via dhcp, and then you're trying to use a 200. address as your public for your 1:1 – which no prob not going to work.
Set up pfsense with first IP in your static -- get that working, then you can do your 1:1 setup.
I have never ever heard of using dhcp on wan, and then adding static assigned IPs?? Makes no sense at all.
-
That your static IPs are active?
It would be a problem with 1:1 NAT and those static IPs inactive. But this setup supposedly works if DHCP server is enabled on pfSense LAN! How does DHCP server affect ISP routing to those static IPs? :)
I have never ever heard of using dhcp on wan, and then adding static assigned IPs?? Makes no sense at all.
Always get the same address from DHCP?
-
you're not using .5 when you're dhcp now are you - so that 1:1 nat would not be active.
Are you saying you set up the 1:1 nat with the dhcp address you get and that works??
I just don't see how your wan is dhcp and then you're adding static vips to that.. That just makes no sense at all!
-
Sorry, to clarify, 192.168.0.5 is my win server. So it's my DHCP and DNS server address. My LAN DHCP range is 192.168.0.10-20.
Should .5 be a reservation within my DHCP range? In other words, 192.168.0.5-20?
-
no that has nothing to do with your issue of your 1:1 NAT on static while your wan interface is using dhcp. When you use dhcp you're getting say .10 which is not using your 1:1 nat to your static that doesn't work. Which would then prevent your win server from going out when using the 1:1 nat that is not working.
-
Turns out my original set of static IPs from my ISP were bad all along. They've since issued me a new block of 5 IPs. The first static IP in the series has been accepted by pfsense WAN interface (static) as expected along with the netmask and gateway. All the issues that previously "didn't make sense" were due to the invalid static IPs I had been issued.
Not only am I back online with a static WAN IP, but my NAT 1:1 mapping is working with the other static IPs in the range as I had hoped.
Thanks to everyone for helping me to determine the root cause of the issue.
-
Turns out my original set of static IPs from my ISP were bad all along.
That explains why it didn't work. However it doesn't explain why it worked/notworked according to whether pfSense DHCP server was disabled/enabled. Can you explain that?
-
Yeah it does, because he's using dhcp for his wan IP. This worked, but setting his 1:1 nat to some static that was not valid. So when he set ip to .5 for the 1:1 nat does not work.
When set to dhcp and got .10 address not 1:1 nat and used his dhcp gotten wan IP to get to internet worked just fine.
-
Yeah it does, because he's using dhcp for his wan IP. This worked, but setting his 1:1 nat to some static that was not valid. So when he set ip to .5 for the 1:1 nat does not work.
When set to dhcp and got .10 address not 1:1 nat and used his dhcp gotten wan IP to get to internet worked just fine.
Thanks.
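
The root cause the thread arrives at, as an added example that is not part of the original posts: a 1:1 NAT entry also rewrites the mapped host's outbound source address, so when the external IP is not one the ISP routes to the WAN, replies never return and only that host loses internet access. All addresses below are constructed documentation-range values, and the function names are hypothetical.

```python
import ipaddress

def egress_source(lan_host, wan_ip, one_to_one):
    """Source address the firewall puts on outbound packets from lan_host.

    A 1:1 NAT entry applies in both directions, so a mapped host leaves
    with its mapped external IP instead of the WAN interface address.
    """
    host = ipaddress.ip_address(lan_host)
    for external, internal in one_to_one.items():
        if ipaddress.ip_address(internal) == host:
            return ipaddress.ip_address(external)
    return ipaddress.ip_address(wan_ip)

def audit(lan_hosts, wan_ip, one_to_one, isp_routed):
    """Return {lan_host: (egress_ip, replies_can_return)}.

    isp_routed lists the prefixes the ISP actually delivers to this WAN
    link (assumption: known from the ISP's hand-off details).
    """
    nets = [ipaddress.ip_network(n) for n in isp_routed]
    result = {}
    for h in lan_hosts:
        src = egress_source(h, wan_ip, one_to_one)
        result[h] = (str(src), any(src in n for n in nets))
    return result

# Constructed sample mirroring the thread: WAN address from DHCP, and a
# 1:1 mapping to a "static" IP that the ISP does not route to this link.
WAN_IP = "198.51.100.37"
ISP_ROUTED = ["198.51.100.0/24"]
ONE_TO_ONE = {"203.0.113.2": "192.168.0.5"}   # external -> internal
LAN_HOSTS = ["192.168.0.5", "192.168.0.10"]

if __name__ == "__main__":
    for host, (src, ok) in audit(LAN_HOSTS, WAN_IP, ONE_TO_ONE, ISP_ROUTED).items():
        status = "ok" if ok else "NO RETURN PATH: check 1:1 external IP with ISP"
        print(f"{host} leaves as {src}: {status}")
```
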