Integrating Pfsense into windows domain and cisco Umbrella Virtual Appliances



  • Hello All.

    I am replacing an aging Netgear prosafe firewall/ router with a Pfsense router/ firewall I built myself. The Netgear had LAN to all  so there are no port restrictions.  The Netgear was not capable of vlan configurations.  The pfsense will support around 60 computers including servers and workstations. The pfsense will  be wan facing with 2 static IPs, one as the main internet and the other for failover.  The pfsene will host 1 LAN, 3 VLANS,  guest, camera/phone, and management.  We are a domain environment using Windows DNS, AD, and DHCP.  The windows domain is for the LAN computers. The DHCP server point computer's DNS to the OpenDNS VAs.  I will also use captive portal to restrict access to the guest VLAN.  We incorporate Cisco Umbrella, using 2 virtual appliances as DNS resolvers. I would like pfsense to host the VLANS and give DHCP out to the guest VLAN while pointing the DNS through the Umbrella OpenDNS VAs.

    I understand I should copy the settings of the old router to make the integration less traumatic.  Can I please have any suggestions or tips on how the router should be setup in a Windows AD environment and also how to the DNS on PFsense should configured. A walk through would be cool on integrating pfsense into a Windows domain enviroment.

    Thank You



  • For starters, if you want your windows computer to behave correctly in an AD environment, you MUST set them to use the domain controller's DNS server.
    AD "should" be configured as a full resolver to get maximum benefit, but if you really want to fall back on OpenDNS, you can configure the DNS forwarder in the windows DNS server and point it at OpenDNS's server. 
    As far as pfSense is concerned, you can either have pfSense use OpenDNS or AD, it doesn't really matter, maybe more of a chicken and egg problem when systems recover from a power failure.

    For hosting the VLANs, yes, pfSense can do that no problem.
    Much of the basic config is covered here: https://doc.pfsense.org/index.php/Installing_pfSense



  • Thank you for the reply.

    Th OpenDNS Umbrella uses 2 virtual appliances (VA)s running on vsphere 6.  The VAs would be something like squid.  But very expensive.  Umbrella filters all DNS traffic through Antivirus and web content control It is also integrated with Active Directory so I can track down offenders users and machines.

    https://docs.umbrella.com/product/umbrella/1-introduction/

    I believe I have to have the pfsense dns to OpenDNS DNS IP while I configure PFsense to hand out DHCP addresses that give out the VAs DNS addresses for DNS.  Then create a firewall rule that will block the DNS port 53 out of the WAN for the guest newtwork so the dns will not resolve if the dns is manually entered.



  • @edhuddl:

    …block the DNS port 80 out of the WAN...

    Huh, DNS is port 53, TCP and UDP.



  • I am unfamiliar with the Umbrella solution, but according to their docs, it does appear that the windows clients need to use the DNS servers they offer, and in turn they will forward requests to AD when needed.  So in this situation, pfSense should also point to the umbrella DNS services, so that all devices have a "unified" view.
    You might not want your guests to "see" AD resources in the DNS, so this could add a wrinkle to your plan, at worst, you could assign them OpenDNS servers directly via the DHCP configuration for the guest subnet.



  • I have a feeling I many not be able to use the VAs since I want to separate the guest from the domain.  I just found this post.
    https://forum.pfsense.org/index.php?topic=112288.0
    It is a good write up. 
    Thanks for the reply.