Help with domain network behind pfsense

KOM

You could add the printer as an AD resource so it can be pushed to your domain clients, and then just add firewall rules to allow LAN2 to talk to the DC and printer on LAN1. You said you can already get LAN2 clients to talk to LAN1, so I'm not sure what the problem here is.

Hugovsky

Thanks for repling KOM. What I'm tring to understand is if I'm making it right. Your idea of an AD resource is what I'll try. I'm asking because, sometimes under heavy load, I have printer timeouts. It's an intermitent problem. I want to be shure it's not a bad config with pfsense or network designe.

johnpoz

Could you draw up this network please. So you have 2 networks connected together with a wireless bridge?

These networks are connected thru a wireless bridge

This wireless bridge is connected to your 2 routers and is just a transit network? Or is it connected into the 2 lans at each location? if so your going to have an asymmetrical routing problem..

This would be the correct way to set this up.

Hugovsky

@johnpoz,

The wireless bridge is where the traffic is flowing to and from LAN2.

The lans should be independente except for using the same domain. I don't want LAN1 to connect to LAN2 but I want LAN2 to connect to LAN1 resources. Domain and printer. To LAN1, LAN2 is just one IP because it's NATed thru pfsense.

See my draw, please. Printer is on LAN2 but is connected to server at LAN1. LAN2 prints to print server and printserver uses VPN to connect to LAN2 and send print jobs. I know it's a stupid design but there's nothing I can do about it. Just try to use it as good as I can.

johnpoz

Yeah that is borked! You have your PDC and Print server talking to lan 1 router IP as their gateway.. Yeah borked asymmetrical mess..

ahhh.
Your natting from lan2 to lan1.. Ok so asymetrical wouldn't be an issue.. So you would have to port forward for that printer server to talk to your printer, etc.

Not how I would do it at all...

Hugovsky

Do you have a suggestion? Imagine that lan1 can't be changed.

johnpoz

Not changed how? You want a transit between your networks is all.. Not you don't have to nat or port forward just firewall for what gets accessed or not..

My drawing is how you would connect two networks via a transit.

Hugovsky

What I'm asking is if there's a way I can do things better without reconfiguring LAN1. Only changing LAN2 if needed. Thanks for your time.

johnpoz

You asked if you are doing it correctly.

What's the best aproach?
I'm using a VPN to let it conect to the second LAN. Does this makes sense?
What I'm tring to understand is if I'm making it right.

I have showed you how you would correctly connect two different networks together via wireless bridge..

No your method is not the best approach.
No makes zero sense to vpn to allow your 2 segments to talk to each other.
No your not making it right..

You have been given the correct way to connect to network together via a wireless bridge. Will allow for full firewall control between the segments, and allow for either side to use whatever resources on either side you want to allow for with min effort once the transit is configured.

Hugovsky

Thank you johnpoz. I understand what you're saying.