Help with domain network behind pfsense
-
I need help with my setup. I'll try to explain it best way I can.
I have one LAN network using 1 windows PDC and this network is using gateway 1 to internet. I have another LAN behind pfsense and another internet gateway. These networks are connected thru a wireless bridge and I use pfsense to, on the second LAN, separate domain traffic from internet trafic.
To this point, they're just two separate LANs. What I need is a way so that the second LAN can use the windows PDC and it's domain.
What's the best aproach? the computers on the second LAN have no problems using the domain with a simple rule to the domain gateway. But, I have a printer in the first LAN side. I'm using a VPN to let it conect to the second LAN. Does this makes sense?
-
You could add the printer as an AD resource so it can be pushed to your domain clients, and then just add firewall rules to allow LAN2 to talk to the DC and printer on LAN1. You said you can already get LAN2 clients to talk to LAN1, so I'm not sure what the problem here is.
-
Thanks for repling KOM. What I'm tring to understand is if I'm making it right. Your idea of an AD resource is what I'll try. I'm asking because, sometimes under heavy load, I have printer timeouts. It's an intermitent problem. I want to be shure it's not a bad config with pfsense or network designe.
-
Could you draw up this network please. So you have 2 networks connected together with a wireless bridge?
These networks are connected thru a wireless bridge
This wireless bridge is connected to your 2 routers and is just a transit network? Or is it connected into the 2 lans at each location? if so your going to have an asymmetrical routing problem..
This would be the correct way to set this up.
-
The wireless bridge is where the traffic is flowing to and from LAN2.
The lans should be independente except for using the same domain. I don't want LAN1 to connect to LAN2 but I want LAN2 to connect to LAN1 resources. Domain and printer. To LAN1, LAN2 is just one IP because it's NATed thru pfsense.
See my draw, please. Printer is on LAN2 but is connected to server at LAN1. LAN2 prints to print server and printserver uses VPN to connect to LAN2 and send print jobs. I know it's a stupid design but there's nothing I can do about it. Just try to use it as good as I can. -
Yeah that is borked! You have your PDC and Print server talking to lan 1 router IP as their gateway.. Yeah borked asymmetrical mess..
ahhh.
Your natting from lan2 to lan1.. Ok so asymetrical wouldn't be an issue.. So you would have to port forward for that printer server to talk to your printer, etc.Not how I would do it at all...
-
Do you have a suggestion? Imagine that lan1 can't be changed.
-
Not changed how? You want a transit between your networks is all.. Not you don't have to nat or port forward just firewall for what gets accessed or not..
My drawing is how you would connect two networks via a transit.
-
What I'm asking is if there's a way I can do things better without reconfiguring LAN1. Only changing LAN2 if needed. Thanks for your time.
-
You asked if you are doing it correctly.
What's the best aproach?
I'm using a VPN to let it conect to the second LAN. Does this makes sense?
What I'm tring to understand is if I'm making it right.I have showed you how you would correctly connect two different networks together via wireless bridge..
No your method is not the best approach.
No makes zero sense to vpn to allow your 2 segments to talk to each other.
No your not making it right..You have been given the correct way to connect to network together via a wireless bridge. Will allow for full firewall control between the segments, and allow for either side to use whatever resources on either side you want to allow for with min effort once the transit is configured.
-
Thank you johnpoz. I understand what you're saying.
