Site-to-Site OpenVPN's with AD DNS
-
Name the screenshot or configuration you want attached and I will gladly provide them to help resolve the issue.
I believe the issue is DNS related as specifying the DNS at main site directly into the DHCP settings at the remote sites works perfectly. I would like to use dns resolver/forwarder though so I can do a couple domain over rides.
-
Anyone have any suggestions?
Maybe this isn't DNS issue but I'm open to any possibly solutions or troubleshooting tips.
-
I have the following checked off at remote sites if that helps:
Do not use the DNS Forwarder as a DNS server for the firewall
-
I'm sorry but based on your writing, I was expecting some attached file showing, e.g. tracert. There is nothing.
Furthermore, and this is to me the main problem, you do not really describe what the problem is, I mean with enough technical detail.Basically, what I understand from your first post is that "you can access exchange" but this doesn't provide any error message or whatever that could be used to investigate further.
- did you look at FW logs?
- does this kind of problem occur only with exchange? (i.e. are you able to access other remote services?)
- like for DNS, you tell "FW rules are full open": could you please take a screen-shot and post it here?
-
From remote sites according to the pfsense box DNS is correct, however all aspects of exchange is unavailable.
At the main site, I have forward lookup zones in the Windows based DNS server so anytime anything local device looks up the external A address (mail.domain.com) it actual makes it point to the LAN address of exchange(standard practice so mobile devices aren't looking externally to access mail when on the internal network). To test this is working, here is a DNS lookup from a pfsense box at a remote site:
mail.domain.com = 192.168.17.7 (correct address for exchange at main site, so obviously the pfsense is doing proper lookups to the windows DNS server at main site)
Accessing OWA from https://mail.domain.com/owa fails to load and errors out. Trying to fetch main from a mobile device which also should be pointing to the LAN address of the exchange server at main site, fails. Points to the right address, however is unable to connect for whatever reason. It appears DNS is functioning perfectly as planned, however without exchange functionality which happens to be the main point of doing this.
OpenVPN rules are as follows
Protocol: IPv4
Source: Any
Port: Any
Destination: Any
Gateway: AnyOn both sides of the VPN and at all sites.
Windows firewall turned off on all VM's including exchange server. No other firewall in place hardware or software.
I've spent hours trying all sorts of various changes and troubleshooting without any success. I've had this work before without issue. Only thing I am not sure on trying is on the general setup page whether or not the checkbox for the following should be checked off or not:
Do not use the DNS Forwarder as a DNS server for the firewall
Also, is this disabling the caching of the unbound DNS are remote sites having this disabled, and also if the LAN address of the pfsense needs to be specified in the DHCP server section or not.
-
Here's the pics of the remote pfsense box.
Main site - 192.168.17.0/24
Windows DNS - 192.168.17.6Remote = 192.168.18.0/24
Where domain.local, actual domain name is.
-
Based on what you explain, from DNS viewpoint, it looks OK. Then, still based on your explanation, you're facing issues with OWA (HTTPS) only. (BTW, what kind of issue. Still not clear to me :( "for whatever reason" doesn't provide any error message ::)
Assuming your site-to-site set up works smoothly for everything else, this can't be related to routes (however, I would happily check this twice because lookup being fine doesn't mean route is OK :P), you should focus on HTTP stack.
- e.g. are you using HTTP proxy ?
-
I'll try to get a screenshot of that tomorrow from the remote site.
Browsing to the OWA portal for exchange webmail fails at remote site, as well as trying to connect with the FQDN. Doing the DNS lookups from the pfsense box shows everything is pointing to the right place. Why it can't access it is beyond me.
Is there any possibility it's because I have Do not use the DNS Forwarder as a DNS server for the firewall checked off?
I've done this setup before and everything worked beautifully. Trying to remember every single setting I had and replicate it to the old setup which worked perfectly.
Only other thing I'm doing is putting these on both sides of the tunnel to fix the dropouts and slow speeds:
tun-mtu 1472;fragment 1400;mssfix
-
Well, how to explain this? ???
It seems you focus on this specific setting. Trying with and without is very easy. Just do it and you will quickly know if to does the trick or not.I personally would prefer to understand rather than trying different settings here and there :-[
I'm not sure if I'm the only slow and faulty or if this is a matter of language but your explanations are very strange to me:
[quote]Browsing to the OWA portal for exchange webmail fails at remote site, as well as trying to connect with the FQDNFrom this, I understand that is works, however, using IP but this is totally unclear.
Plus, unless I'm wrong, perform tests from pfSense as well as from remote devices. If you decide not to use pfSense as tour DNS server, why would lookup from pfSense tell you anything about lookup from device? And again, are you using HTTP proxy ?You also try to fix multiple problems in parallel. Are you saying that you VPN tunnel is not stable ? Are you using UDP or TCP?
What's your network in between? -
I don't understand what are you doing here. You point the clients to the AD DNS servers. Not pfSense. Those servers have all required SRV etc. records for Exchange. The pfSense forwarder/resolver does not.
-
I don't want the clients doing every DNS lookup over the tunnel. There's got to be a way for the DNS resolver at the remote site to cache the records from the AD DNS. I've had it working before, whether it was a different pfsense setup than before I'm not sure. Only thing I can for sure remember was that before the pfsense box at the remote site was running version 2.1 and had the package of unbound installed. Now running 2.2 which has it already installed. Whether there is a difference between the unbound package on those two versions possibly.
No there isn't a proxy anywhere on any of the networks.
Here's a screenshot of trying to access OWA from a client at the remote site:
-
Just for anyone else finding this topic, the resolution was to downgrade to pfsense version 2.1 install the unbound DNS package, set it up exactly as I did before and it works beautiful again.
The Unbound version included in pfsense version 2.2 doesn't seem to be the same package whatsoever.
Finally glad to have this resolved.
