PFsense unable to connect to internet + AD DNS problems
-
Please forgive me, as my knowledge is not the strongest when it comes to DNS.
I have a PC with pfSense installed that is sitting in between two modems and an SBS 2008 server, with multi-WAN load balancing configured.
The SBS 2008 server is running DNS and the pfSense box is handling DHCP. The initial problem I had was that users on the internal LAN could not see the AD server / had auth issues. If I manually configured the primary DNS server on the client PC as the AD/SBS server then those issues would go away, but then internet problems arose, like external URLs not resolving, so I manually added the pfSense box as the secondary DNS server and all is well again.
In pfSense under DHCP Server > DNS Servers I added the IP of the AD DNS server first, then the pfSense IP second, but it doesn't appear to be updating on the client machines and I have to enter them manually on each client PC.
On top of this, the pfSense machine itself is unable to access the internet (can't check for updates or install packages), but computers on the client network access the internet fine.
Do I need to set up DNS forwarding? I am trying to find the best practice for what I have set up so far and would appreciate any advice you might have to offer ;)
-
Update: I have tried to ping pfsense.org from the pfSense diagnostics and this was the result:
PING pfsense.org (208.123.73.69): 56 data bytes
--- pfsense.org ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
Strange, as it appears the domain translated correctly but didn't ping.
-
Do you have a router running between the PFS and the internet? And are your internal clients and servers using the PFS as their default gateway out? Post a diagram of your network (in detail, please), along with your firewall settings and the DNS settings for both your SBS server and the PFS.
-
I do not have any routers running in between pfSense and the AD server / network, only a switch.
I just noticed that the SBS server did in fact handle DHCP, but the service was stopped due to a conflict with pfSense. I have disabled the DHCP service on pfSense and restarted the one on the AD server.
I assume that now I need to have DHCP relay enabled in pfSense and pointing to the SBS / AD's DHCP server?
I have done so but cannot start the DHCP service, as it gives me the following message:
Feb 16 10:26:56 php-fpm[53550]: /pkg_mgr.php: XML_RPC_Client: Connection to RPC server packages.pfsense.org:443 failed. Operation timed out 103
Feb 16 10:26:56 php-fpm[53550]: /pkg_mgr.php: XMLRPC communication error: Operation timed out
Feb 16 10:32:57 php-fpm[53701]: /status_services.php: The command '/usr/local/sbin/dhcrelay -i alc0 192.168.0.2' returned exit code '1', the output was 'Internet Systems Consortium DHCP Relay Agent 4.2.8 Copyright 2004-2015 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Listening on BPF/alc0/00:25:22:ea:c4:78 Sending on BPF/alc0/00:25:22:ea:c4:78 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-bugs at isc.org mailing list, please read the section
I have also uploaded a current network map.

 -
Also, here is a copy of my firewall rules; if you require any more detail on the network map then please let me know :)
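The dhcrelay failure above ("Can't bind to dhcp address: Address already in use") means something on the pfSense box still holds UDP port 67, the DHCP server port, at the moment the relay starts. The following script is an added example, not anything posted in this thread or shipped with pfSense: it parses the output of FreeBSD's `sockstat -4l` (which pfSense has) and names the process that owns the port, so you can confirm a leftover dhcpd is the cause before resorting to a reboot. The sockstat output embedded in it is a constructed sample, not a capture from the poster's machine.

```python
"""Added example (not from the thread): find which process already owns the
DHCP server port that dhcrelay could not bind. Parses `sockstat -4l` output
as printed on FreeBSD/pfSense. The sample output below is constructed."""
import subprocess

# Constructed sample of `sockstat -4l`: a leftover dhcpd still holds UDP 67.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dhcpd    dhcpd      1234  7  udp4   *:67                  *:*
unbound  unbound    2222  3  udp4   127.0.0.1:53          *:*
root     sshd       333   4  tcp4   *:22                  *:*
"""

DHCP_SERVER_PORT = 67


def udp_port_holders(sockstat_text, port=DHCP_SERVER_PORT):
    """Return [(command, pid, local_address)] for every UDP socket bound to `port`.

    sockstat columns: USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS";
    the header line is skipped, and TCP sockets are ignored because dhcrelay
    only needs the UDP port.
    """
    holders = []
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        command, pid, proto, local = fields[1], int(fields[2]), fields[4], fields[5]
        if not proto.startswith("udp"):
            continue
        bound_port = local.rsplit(":", 1)[-1]  # works for "*:67" and "192.168.0.1:67"
        if bound_port == str(port):
            holders.append((command, pid, local))
    return holders


def live_sockstat():
    """Run sockstat on this box (FreeBSD/pfSense); returns '' where it is unavailable."""
    try:
        result = subprocess.run(["sockstat", "-4l"], capture_output=True, text=True, check=True)
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    text = live_sockstat() or SAMPLE_SOCKSTAT
    holders = udp_port_holders(text)
    if not holders:
        print(f"nothing is bound to UDP {DHCP_SERVER_PORT}; dhcrelay should be able to start")
    for command, pid, local in holders:
        print(f"UDP {DHCP_SERVER_PORT} is held by {command} (pid {pid}) on {local}; "
              f"stop that service before starting dhcrelay")
```

Run it from a pfSense shell; on any other system (or when sockstat is missing) it falls back to the constructed sample so the parsing can still be tried.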
 -
What is the default gateway on your PFS set to? What are you using for DNS forwarders on the SBS server? And have you disabled the 'block private IP' option on the WAN interface?
-
Well, I got it resolved; it turned out that I just needed to restart the pfSense machine after changing it from a DHCP server to a DHCP relay.
The default gateway on pfSense is set to 192.168.0.1.
I am not running any DNS forwarders on the pfSense machine; do you think it would be good practice to do so?
-
Best scenario I can think of is to set your SBS server as your PFS's DNS forwarder. Set the DNS forwarders on the SBS to point to an external public DNS server. That way, all your LAN hosts as well as your firewall can resolve internally and externally.
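To make the recommended chain (pfSense asks the SBS, the SBS forwards to a public resolver) easy to sanity-check before rolling it out, here is an added example that is not part of this thread: a small validator that flags the usual mistakes, in particular the forwarding loop you get if the SBS's forwarder is set back to pfSense while pfSense is pointed at the SBS. The SBS address 192.168.0.2 comes from the dhcrelay command in the thread; the pfSense address and the public resolvers in the sample configs are constructed stand-ins.

```python
"""Added example (not from the thread): check a pfSense -> SBS -> public
resolver DNS forwarding chain for loops and private-address forwarders.
The addresses used in the samples are constructed placeholders."""
import ipaddress


def check_forwarding_chain(pfsense_ip, pfsense_dns, sbs_ip, sbs_forwarders):
    """Return a list of problems found; an empty list means the chain is sane.

    Rules checked:
      1. pfSense's own DNS servers must include the SBS/AD DNS server, so the
         firewall can resolve internal AD names.
      2. The SBS forwarders must not point back at pfSense (forwarding loop).
      3. The SBS must not forward to itself.
      4. SBS forwarders should be public resolvers, not RFC1918 hosts.
      5. The SBS needs at least one forwarder for external names.
    """
    problems = []
    if sbs_ip not in pfsense_dns:
        problems.append(
            f"pfSense DNS servers {pfsense_dns} do not include the AD DNS server {sbs_ip}")
    if not sbs_forwarders:
        problems.append("SBS has no forwarders configured for external names")
    for fwd in sbs_forwarders:
        if fwd == pfsense_ip:
            problems.append(
                f"SBS forwarder {fwd} is pfSense: pfSense -> SBS -> pfSense forwarding loop")
        elif fwd == sbs_ip:
            problems.append(f"SBS forwards to itself ({fwd})")
        elif ipaddress.ip_address(fwd).is_private:
            problems.append(f"SBS forwarder {fwd} is a private address, not a public resolver")
    return problems


# Constructed sample configs. 192.168.0.2 is the SBS address from the thread's
# dhcrelay command; 192.168.0.254 for pfSense is a placeholder.
GOOD_CONFIG = dict(pfsense_ip="192.168.0.254", pfsense_dns=["192.168.0.2"],
                   sbs_ip="192.168.0.2", sbs_forwarders=["9.9.9.9", "1.1.1.1"])
LOOPED_CONFIG = dict(pfsense_ip="192.168.0.254", pfsense_dns=["192.168.0.2"],
                     sbs_ip="192.168.0.2", sbs_forwarders=["192.168.0.254"])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("looped", LOOPED_CONFIG)):
        issues = check_forwarding_chain(**cfg)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The loop case is the one to watch: each side thinks the other will answer external queries, so lookups that are not in the AD zone time out on both pfSense and the clients, which looks a lot like the "domain resolves but nothing works" symptom in the first post.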