help dynamic DNS + pfsense + windows server 2012 R2
-
Good afternoon, I request your collaboration with some errors that have occurred to me.
I'll describe my situation: I have the pfSense firewall, with a Dynamic DNS (no-ip); the pfSense handles DHCP, OpenVPN, NAT and other things. I also have a Windows Server 2012 R2 which manages Active Directory (AD), shared folders, an FTP server, and a backup server (Cobian Backup).
I have had pfSense for a couple of months; previously I managed an Endian with the same services, only that one allowed me to loopback with an external static IP, which I used for the external connection of the backup server and access to the FTP.
I would like your help on the following:
1- The pfSense loopback does not work for me; I have already tried multiple forum posts (NAT reflection) but they have not worked for me, you have to do something different with a Dynamic DNS.
2- I identified some problems with the external access to the FTP with Cobian Backup. I did NAT of all the ports such as 21, 20, 69, passive ports such as 1023 and the range 49152-65535, and it does not upload files; it gives me a 505 error. It connects from FileZilla but it does not upload files to the FTP from Cobian Backup, nor does it connect well from the console or by the FTP test from a browser. I also tried the active and passive transfer configurations and it does not work.
3- While changing several things, I tried to leave the main DNS in pfSense and not the Windows server, and it generated too many problems when authenticating credentials. Is it possible to leave this configuration so that the primary DNS is pfSense and it passes all the services of the Active Directory domain to the Windows server? I made this change thinking that possibly this was generating the errors with the Dynamic DNS, but still they have not worked for me.
Please, any help, any post or blog where you can guide me, is of great help, since I have reviewed too many solutions and none have worked for me.
I appreciate all the help in advance and sorry if I have not explained myself well or put together several questions in a single post.
-
While you could create a domain override to allow pfSense to resolve your AD, I don't really get this logic... unless you had a very large network, where most of the clients were not members of the AD.
It's a simpler solution to just have DHCP and DNS handled by your AD, and then have your AD DNS forward to pfSense.
What exactly are you trying to do with FTP? I take it you're using passive connections from an external site to your internal FTP server.
In such a scenario you need to forward the passive ports that your FTP server will use. And you need to make sure your FTP server actually hands out your public IP, and not its local IP, when it gives the client the info for the passive data connection.
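As an added diagnostic for the passive-FTP problem described in this answer (example code, not from the thread): the script parses the 227/229 reply an FTP server returns to PASV/EPSV and reports whether the advertised address is private or differs from the public IP, and whether the port lies inside the passive range the original poster forwarded (49152-65535). The public IP and the sample replies are constructed; in the poster's setup the public IP would be whatever the no-ip hostname resolves to at that moment.

```python
import re
from ipaddress import ip_address, ip_network

# Passive port range the original poster says he forwarded on pfSense.
FORWARDED_PASSIVE_RANGE = (49152, 65535)

# RFC 1918 ranges: an address from these in a PASV reply can never be reached
# by an external client, no matter how the port forwards are configured.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample replies (hypothetical addresses, not from the thread).
SAMPLE_PASV_PRIVATE = "227 Entering Passive Mode (192,168,1,20,195,80)."
SAMPLE_PASV_PUBLIC = "227 Entering Passive Mode (203,0,113,10,195,80)."
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50000|)"

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply):
    """Return (host, port) from a 227 reply, or (None, port) from a 229 reply.

    EPSV (229) carries only a port; the client reuses the control-connection
    address, so the private-address problem cannot occur there."""
    m = PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.search(reply)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def check_passive_reply(reply, public_ip, port_range=FORWARDED_PASSIVE_RANGE):
    """Return the reasons an external client's data connection would fail;
    an empty list means the reply is consistent with the NAT setup."""
    host, port = parse_passive_reply(reply)
    problems = []
    if host is not None:
        if any(ip_address(host) in net for net in RFC1918):
            problems.append(f"server advertised private address {host}")
        elif host != public_ip:
            problems.append(f"server advertised {host}, public IP is {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for reply in (SAMPLE_PASV_PRIVATE, SAMPLE_PASV_PUBLIC, SAMPLE_EPSV):
        print(reply, "->", check_passive_reply(reply, "203.0.113.10") or "OK")
```

Capturing the real 227 line is as simple as running an FTP client in verbose/debug mode from outside the LAN; a private address in that line points at the FTP server's passive settings, not at pfSense.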
-
@johnpoz Thank you very much for the answers. The truth is I don't have a wide network; I just thought that the DNS would work better in pfSense than in the AD. I will try to leave everything in the AD and find out how to do the DNS forward to pfSense.
With the FTP I only require an external connection to download and upload files, and also that Cobian Backup uploads a backup of files from several users via a DDNS, since my provider does not give me a static IP and I use no-ip.
The question is: with an Endian with a static IP it worked well for me, but with pfSense and the Dynamic DNS domain it does not work. Do I have to change something in the FTP server of the Windows server, or can it be something in pfSense?
Could you point me to a post, or should I just investigate the passive ports for FTP?
Really, thank you very much for your help.
-
Your Issue #3: Although I know I'm gonna get flamed by @johnpoz for saying this, BUT your DC does not have to be the DHCP controller to get AD to work flawlessly. However, your DC does have to run DNS to get AD to work. You are just going to have pfSense handle all DNS unless clients need to find DNS from your internal domain.
You simply need a Domain Override in pfSense so your domain computers know where to go for AD/GPOs. In pfSense, simply go into your DNS Forwarder or Resolver, whichever one you are using, and put in a Domain Override as such:
Domain Overrides
Domain: Your fully qualified Windows domain name (not the NetBIOS name)
Lookup Server IP Address: IP address of the Windows DNS server... probably your DC
Description: Windows AD/DC Resolution for clients
I've done this on at least 50 Windows domains. Works great. Make the change and watch your clients find AD/GPOs. If your DC ever goes down, clients will still be able to get a DHCP lease if needed from pfSense and, most importantly, get out to the Internet.
For your issue #1: In pfSense-->System-->Advanced-->Firewall & NAT you should make the following selections at the bottom of the page:
NAT Reflection mode for port forwards: Pure NAT
Enable NAT Reflection for 1:1 NAT: checked
Enable automatic outbound NAT for Reflection: checked
Is this how you have it set up?
-
@thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:
BUT your DC does not have to be the DHCP controller
It doesn't, I agree - but it is a simpler configuration. So no flames from me for that. It doesn't make a lot of sense not to use it, since you already have AD up and running. And there are things you can do that you cannot with pfSense as DHCP, like scopes for non-connected VLANs. And it sure makes registration of dynamic clients easier, etc.
I'm having a hard time with a use case where I would run DHCP on pfSense when I already have a perfectly valid, very robust DHCP server in my AD.
For DNS, while a domain override can work - it's a more complex setup. If your client pointing to AD for DNS needs DNS, it's all of 2 seconds to point a client to the pfSense IP. Say for example your admin is looking for help in fixing their AD, which is probably going to be a major issue ;) vs. some user browsing Amazon ;) heheh
There should almost always be a 2nd DC in any setup with more than a few clients anyway. So your DNS should be on both of your DCs and synced - so even if DC 1 goes down, clients still have DNS via the 2nd DC, or 3rd or 4th even, etc.
While running DHCP and DNS on pfSense can be done - it's just not the best setup if you're an AD shop.
-
@johnpoz said in help dynamic DNS + pfsense + windows server 2012 R2:
Like scopes for non connected vlans
Heck dude! pfSense is the ONLY DHCP controller I have ever used where you can't reserve an IP within the DHCP scope. So I'll give ya that one. Please pfSense devs....change this. We all know the repercussions but please change this.
Most of our DCs are virtual and run on about 2 GB of memory. They ONLY do AD stuff, nothing else, so they are very small. We don't run multiple DCs. We just always have good local and offsite backups.
Keep in mind, if I had to "fix" a Windows DC that crashed on me versus throw in another pfSense appliance (translation - any computer with dual NICs) and restore a config to get Internet back up....yeah, I'm going with pfSense.
Plus, it ain't 2001 anymore where losing local LAN resources would shut down a business entirely. In 2021 Internet better work with all the cloud computing we do now. I also came from the SBS 2000 days where EVERYTHING ran through that thing. It hiccupped and "Game over man! Game over!" So I like to spread out the critical responsibilities across the devices.
Hope you're doing well @johnpoz. Always enjoy reading your responses and learning from your posts.
-
@thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:
They ONLY do AD stuff
Which would include DHCP and DNS if you ask me ;) DHCP and DNS are not heavy on resource use. Even a small VM would be able to do it.
For backup in case of a crash of your DC(s), your VM host, etc., firing up DHCP and DNS on your pfSense to get internet would take 2 minutes. I still don't see the use case for not including these very integrated services in your AD.
2012 added DHCP failover as well. Policy-based assignment is also simple. The DHCP and DNS that are part of 2012 are very feature rich and robust. I am not seeing a valid reason not to run these on your DC when you're already an AD shop.
-
@thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:
For your issue #1: In pfSense-->System-->Advanced-->Firewall & NAT you should make the following selections at the bottom of the page:
NAT Reflection mode for port forwards: Pure NAT
Enable NAT Reflection for 1:1 NAT: checked
Enable automatic outbound NAT for Reflection: checked
Thanks for the answer, I'm going to try the Domain Overrides thing.
For point #1, yes, it is correct; I performed the steps you mention but it still does not work. Could it have to do with the fact that I use a Dynamic DNS?
-
@johnpoz Thanks for your explanations, I am going to find out a little more about how to implement DHCP in AD.
I also want to clarify why I am using pfSense as DHCP: currently I have a single server with Proxmox, in which I have 3 virtual machines: 1 pfSense, 2 Windows 2012 R2, and Windows 7 with scanner software that can only be installed there.
I use pfSense as DHCP because I use OpenVPN to externally connect the computers to the shared folders, and NAT for services like DVR and remote desktop to the AD externally; I have the backup software too. If I handle the DHCP with the AD, won't it generate conflicts with the OpenVPN and the NATs generated by pfSense? And really, thank you very much for your collaboration.
-
@anfeango said in help dynamic DNS + pfsense + windows server 2012 R2:
If I handle the DHCP with the AD, won't it generate conflicts with the OpenVPN and the NATs generated by pfSense?
Your AD DHCP wouldn't be handing out DHCP to VPN clients.
Not sure where you think DHCP in pfSense has anything to do with VPN clients either? The IP a VPN client gets in the tunnel network you set up does not come from the DHCP scopes in pfSense. Are you running a TAP configuration in VPN?
-
@johnpoz sorry that it took me so long to respond, I have been attending to other problems in the office.
Correct, I have the VPN with OpenVPN with TAP; with that I have no problem. The question was: when the users connect to the VPN it gives them another network segment, and I imagine, since I have never tried to do any kind of configuration for that segment that pfSense gives out, that the AD can be seen or accessed. Or should nothing additional be done? Only the permission in the pfSense firewall that allows access to the IP of the AD?
Thanks for your great collaboration.
-
@anfeango said in help dynamic DNS + pfsense + windows server 2012 R2:
to the vpn it gives them another network segment
And what segment would that be - TAP would get its IP from your DHCP, since TAP is a bridged connection. So maybe you're not in TAP like you think. TAP is not normally what you would want, and really should only ever be used when you have some specific need that could not be overcome using TUN mode. It has many drawbacks, and broadcast traffic over a VPN is not going to be good for performance, that is for sure!
And some devices cannot connect via TAP - for example, the iOS OpenVPN Connect client does not support TAP, that I am aware of.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html