Integration with a Windows domain? Any instructions?


  • I'm using Comcast, getting a routable address using the pfSense track interface. I've got 'usable' link-local fe80 addresses. The problem I run into is no domain-level DNS support (the network shows unauthenticated on clients).

    Is there some mechanism to get this working? Should DHCPv6 on the domain be able to also give me a usable local address in addition to pfSense's link-local address? (It hasn't worked so far.)

    Thanks for any hints you can provide!


  • I am running a Server 2016 domain, using Spectrum TW cable dynamic IPv4 and IPv6. The IPv4 isn't an issue due to NAT, but with IPv6 things can become a pain to set up, and hopefully I won't have to revisit it often if it's DHCP from the ISP.

    Are you on dynamic IPv6 with Comcast? Running IPv4 DNS/DHCP via your Windows servers? Any VLANs?

    My setup is Win servers doing IPv4 DNS/DHCP, with a LAN and 2 VLANs. IPv4 and IPv6 are dynamic from TWC. I quickly realized that setting up IPv6 DHCP via Windows servers wasn't a good idea, as it will be a pain to redo if/when my prefix changes (I am pulling a /56 from TWC), so I set up DHCP for IPv6 in pfSense. More on that later.

    For the pfSense WAN interface Comcast settings, I did some IPv6 googling. You could probably set the WAN interface to DHCP6, pulling a /60 prefix. Check to send a prefix hint and check "Do not allow PD/Address release" so the router doesn't release the IP if you have to reboot it. For the LAN interface, set "IPv6 Configuration Type" to TRACK, track interface to WAN, then set the "IPv6 Prefix ID" to something between 0~f (hexadecimal 0-9 then a-f, choosing a number or letter in this range for each LAN/VLAN). You should see IPv6 addresses assigned for each LAN/VLAN interface on the pfSense dashboard, using your prefix IDs.

    Once you have an IPv6 network assigned to each LAN/VLAN interface, you can set up your networks' IPv6 DHCP. I set my Win servers and desktops to dynamic IPv6, using pfSense DHCP for IPv6. Then I set up DHCPv6 static mappings for my servers in pfSense as "::{interface ID}", which works: my prefix has already changed once and the server addresses updated with the new prefix. When it changes I only have to update the DNS and NTP server IP settings that pfSense gives out to clients in the LAN and VLANs, and in the Router Advertisements. I set Router Advertisement to MANAGED for the server and desktop networks and stateless for the IoT VLAN.

    This has worked well for me: desktops get IPv6 from pfSense and update themselves in the Windows DNS server, I have plenty of IPv6 networks for my VLANs, and there is minimal work when Spectrum changes the prefix.


  • That's a great write-up, thanks. I've got this implemented and have IPv6 actually working now. If I read this correctly, and from what I see, if I get an IPv6 change from Comcast I'll have to reconfigure the DNS and other static mappings. If that's the limit of what I need to do, I can live with that. For some reason using ::9999 didn't work, but fully specifying aaaa:bbbb:cccc:dddd::9999 does (in static mappings).

    Oh, and the performance over RRAS is incredible: from a peak of about 350mb/sec to at least 600mb/sec. pfSense is running in a Hyper-V VM.


  • @ksdehoff Odd that yours didn't work for the static mapping; maybe it's because I enumerated the entire interface ID (::7d86:e96:bb0c:fe85 for example). So I don't have to mess with changing anything in the static mapping. I had another issue unrelated to it (caused by Snort, of all things), and as part of troubleshooting I had unchecked the 'do not allow release...' setting and rebooted, and yep, the prefix changed and the servers got new IPs with the same interface ID and the new prefix. So I am happy with that small victory.
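As an added example (not code from any poster in this thread, and not pfSense's own code), the Python below models the addressing scheme described above: the /64 each tracked LAN/VLAN receives from the delegated prefix plus its "IPv6 Prefix ID", the "::<interface ID>" static mappings laid over it, and the AAAA records that have to be fixed after the ISP hands out a new prefix. Prefixes, VLAN names and host names are constructed sample data; the helper names are my own.

```python
import ipaddress

def tracked_subnet(delegated, prefix_id):
    """The /64 a Track-Interface LAN/VLAN gets: the delegated prefix (e.g. a /56
    or /60) with the 'IPv6 Prefix ID' filling the bits between it and /64."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    max_id = (1 << (64 - pd.prefixlen)) - 1          # /60 -> 0..f, /56 -> 0..ff
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"Prefix ID must be 0..{max_id:x} for a /{pd.prefixlen}")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))

def mapped_address(subnet, suffix):
    """Combine a /64 with a '::<interface ID>' style static-mapping suffix."""
    bits = int(ipaddress.IPv6Address(suffix))
    if bits >> 64:
        raise ValueError("suffix may only set interface-ID bits; write it as ::xxxx")
    return ipaddress.IPv6Address(int(subnet.network_address) | bits)

def plan(delegated, vlans, hosts):
    """{hostname: address} for every static mapping under one delegated prefix.
    vlans: {name: prefix_id}; hosts: {hostname: (vlan_name, suffix)}."""
    nets = {name: tracked_subnet(delegated, pid) for name, pid in vlans.items()}
    return {h: mapped_address(nets[vlan], sfx) for h, (vlan, sfx) in hosts.items()}

def aaaa_changes(old_plan, new_plan):
    """Records to update after a prefix change: {host: (old_addr, new_addr)}."""
    return {h: (old_plan[h], new_plan[h]) for h in old_plan if old_plan[h] != new_plan[h]}

# Constructed sample data (documentation prefixes, not real ISP allocations).
VLANS = {"LAN": 0x0, "SERVERS": 0x1, "IOT": 0xa}
HOSTS = {
    "dc01": ("SERVERS", "::7d86:e96:bb0c:fe85"),   # full 64-bit interface ID
    "ntp1": ("SERVERS", "::9999"),                  # short interface ID
}

if __name__ == "__main__":
    before = plan("2001:db8:1200::/56", VLANS, HOSTS)
    after = plan("2001:db8:3400::/56", VLANS, HOSTS)   # simulated prefix change
    for host, (old, new) in aaaa_changes(before, after).items():
        print(f"{host}: AAAA {old} -> {new}")
```

The interface-ID half of each server address is unchanged across the simulated prefix change, which is why a "::<interface ID>" mapping keeps working while the DNS and NTP addresses handed to clients still need a manual update.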