Netgate Discussion Forum
    help dynamic DNS + pfsense + windows server 2012 R2

    General pfSense Questions
    12 Posts 3 Posters 1.1k Views
      anfeango
      last edited by

      Good afternoon, I request your collaboration with some errors that have occurred to me.
      Let me describe my situation: I have the pfSense firewall with a Dynamic DNS (no-ip); the pfSense handles DHCP, OpenVPN, NAT and other things. I also have a Windows Server 2012 R2 that manages Active Directory (AD), shared folders, an FTP server, and a backup server (Cobian Backup).
      I have had the pfSense for a couple of months; previously I managed an Endian with the same services, only that one allowed me to loopback with an external static IP, which I used for the external connection of the backup server and for access to the FTP.
      I would like your help on the following:
      1- The pfSense loopback does not work for me. I have already tried multiple forum posts (NAT reflection) but they have not worked for me; you have to do something different with a Dynamic DNS.
      2- I have identified some problems with the external access to the FTP with Cobian Backup. I did NAT for all the ports such as 21, 20, 69, and passive ports such as 1023 and the range 49152-65535, and it does not upload files; it gives me a 505 error. It connects from FileZilla but it does not upload files to the FTP from Cobian Backup, nor does it connect well from the console or from an FTP test in a browser. I also tried the active and passive transfer configurations and it does not work.
      3- While changing several things, I tried to leave the main DNS on the pfSense and not on the Windows server, and it generates too many problems when authenticating credentials. Is it possible to leave this configuration so that the primary DNS is the pfSense and it passes all the services of the Active Directory domain to the Windows server? I made this change thinking that possibly this was generating the errors with the Dynamic DNS, but still they have not worked for me.
      Please, any help, any post or blog where you can guide me is of great help, since I have reviewed too many solutions and none have worked for me.
      I appreciate all the help in advance and sorry if I have not explained myself well or have put together several questions in a single post.

        johnpoz LAYER 8 Global Moderator @anfeango
        last edited by

        While you could create a domain override to allow pfSense to resolve your AD.

        I don't really get this logic.. Unless you had a very large network, where most of the clients were not members of the AD.

        It's a simpler solution to just have DHCP and DNS handled by your AD, and then have your AD DNS forward to pfSense..

        What exactly are you trying to do with FTP.. I take it you're using passive connections from an external site to your FTP server internally.

        In such a scenario you need to forward the passive ports that your FTP server will use. And you need to make sure your FTP server actually hands out your public IP, and not its local IP, when it gives the client the info for the passive data connection.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

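The two passive-FTP failure modes johnpoz describes (the server advertising its LAN address, and a data port that is not actually forwarded) can be checked directly from the server's PASV reply. This is an added example for this thread, not pfSense or Windows code; the sample replies, the stand-in public IP 203.0.113.7 and the 49152-65535 range are constructed from the thread, not captured from anyone's server.

```python
"""Audit FTP PASV replies for NAT problems: a LAN address leaked to external
clients, a stale public address, or a data port outside the forwarded range.
Added example for this thread; sample values below are constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).
    The data port is carried as two bytes: p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, forwarded: range, public_ip: str) -> list[str]:
    """Return the problems an external client would hit with this reply;
    an empty list means the reply is usable from outside the NAT."""
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertised {host} is a LAN address; external clients cannot reach it")
    elif host != public_ip:
        problems.append(f"advertised {host} is not the current public IP {public_ip} (stale external address?)")
    if port not in forwarded:
        problems.append(f"data port {port} is outside forwarded range {forwarded.start}-{forwarded.stop - 1}")
    return problems


# Constructed sample replies; 203.0.113.7 stands in for the current no-ip address.
PUBLIC_IP = "203.0.113.7"
PASSIVE_RANGE = range(49152, 65536)  # the range the OP says is forwarded
SAMPLES = {
    "ok":       "227 Entering Passive Mode (203,0,113,7,192,64)",   # port 49216, public IP
    "lan_ip":   "227 Entering Passive Mode (192,168,1,10,192,64)",  # LAN address leaked
    "low_port": "227 Entering Passive Mode (203,0,113,7,3,233)",    # port 1001, not forwarded
    "stale_ip": "227 Entering Passive Mode (198,51,100,9,200,0)",   # previous public IP
}


def audit_samples() -> dict[str, list[str]]:
    return {name: check_pasv(r, PASSIVE_RANGE, PUBLIC_IP) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

With a dynamic public address, the "stale_ip" case is the one to watch: whatever external address the FTP server is configured to advertise must follow the no-ip hostname when the ISP changes the IP.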
          anfeango @johnpoz
          last edited by

          @johnpoz Thank you very much for the answers. The truth is I don't have a wide network; I just thought that the DNS would work better on the pfSense than on the AD. I will try to leave everything on the AD and find out how to do the DNS forward to the pfSense.
          With the FTP I only require an external connection to download and upload files, and also that Cobian Backup uploads a backup of files from several users using a DDNS, since my provider does not give me a static IP and I use no-ip.
          The question is, with an Endian with a static IP it worked well for me, but with pfSense and the Dynamic DNS domain it does not work. Do I have to change something in the FTP server of the Windows server, or can it be something in the pfSense?
          Could you point me to a post, or should I just investigate the passive ports for FTP?
          Really, thank you very much for your help.

            ThatGuy @anfeango
            last edited by ThatGuy

            @anfeango

            Your Issue #3: Although I know I’m gonna get flamed by @johnpoz by saying this BUT your DC does not have to be the DHCP controller to get AD to work flawlessly. However, your DC does have to run DNS to get AD to work. You are just going to have pfSense handle all DNS unless clients need to find DNS from your internal domain.

            You simply need a Domain Override in pfSense so your Domain computers know where to go for AD/GPOs. In pfSense, simply go into your DNS forwarder or resolver, whichever one you are using and put in a Domain Override as such:

            Domain Overrides

            Domain: Your Fully Qualified Windows Domain name (not the NetBIOS name)
            Lookup Server IP Address: IP address of The Windows DNS server…probably your DC
            Description – Windows AD/DC Resolution for clients

            I’ve done this on at least 50 Windows Domains. Works Great. Make the change and watch your clients find AD/GPOs. If your DC ever goes down, clients will still be able to get a DHCP lease if needed from pfSense and, most importantly, get out to the Internet.

            For your issue #1: In pfSense-->System-->Advanced-->Firewall & NAT you should make the following selections at the bottom of the page:

            NAT Reflection mode for port forwards: PureNAT
            Enable NAT Reflection for 1:1 NAT: checked
            Enable automatic outbound NAT for Reflection: checked

            Is this how you have it setup?

            ThatGuy

              johnpoz LAYER 8 Global Moderator @ThatGuy
              last edited by johnpoz

              @thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:

              BUT your DC does not have to be the DHCP controller

              It doesn't, I agree - but it is a simpler configuration. So no flames from me for that. Doesn't make a lot of sense to not use it, since you already have AD up and running. And there are things you can do that you cannot with pfSense as DHCP. Like scopes for non-connected VLANs. And it sure makes registration of dynamic clients easier, etc.

              Having a hard time with a use case where I would run DHCP on pfSense when I have a perfectly valid, very robust DHCP server in my AD already.

              For DNS, while a domain override can work - it's a more complex setup. If your client pointing to AD for DNS needs DNS, it's all of 2 seconds to point a client to the pfSense IP.. Say for example your admin is looking for help in fixing their AD.. Which is prob going to be a major issue ;) Vs some user browsing amazon ;) heheh

              There should almost always be a 2nd DC in any setup with more than a few clients anyway. So your DNS should be on both of your DCs and sync - so even if DC 1 goes down, clients still have DNS via the 2nd DC, or 3rd or 4th even, etc.

              While running DHCP and DNS on pfSense can be done - it's just not the best setup if you're an AD shop.

                ThatGuy @johnpoz
                last edited by

                @johnpoz said in help dynamic DNS + pfsense + windows server 2012 R2:

                Like scopes for non connected vlans

                Heck dude! pfSense is the ONLY DHCP controller I have ever used where you can't reserve an IP within the DHCP scope. So I'll give ya that one. Please pfSense devs....change this. We all know the repercussions but please change this.

                Most of our DCs are virtual and run on about 2 GB of memory. They ONLY do AD stuff, nothing else, so they are very small. We don't run multiple DCs. We just always have good local and offsite backups.

                Keep in mind, if I had to "fix" a Windows DC that crashed on me versus throw in another pfSense appliance (translation - any computer with dual NICs) and restore a config to get Internet back up....yeah, I'm going with pfSense.

                Plus, it ain't 2001 anymore where losing local LAN resources would shut down a business entirely. In 2021 the Internet better work with all the cloud computing we do now. I also came from the SBS 2000 days where EVERYTHING ran through that thing. It hiccuped and "Game over man! Game over!" So I like to spread out the critical responsibilities across the devices.

                Hope you're doing well @johnpoz. Always enjoy reading your responses and learning from your posts.

                ThatGuy

                  johnpoz LAYER 8 Global Moderator @ThatGuy
                  last edited by johnpoz

                  @thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:

                  They ONLY do AD stuff

                  Which would include DHCP and DNS if you ask me ;) DHCP and DNS are not heavy on resource use. Even a small VM would be able to do it..

                  For backup in case of a crash of your DC(s), your VM host, etc., firing up DHCP and DNS on your pfSense to get Internet would take 2 minutes. I still do not see the use case for not including these very integrated services in your AD..

                  2012 added DHCP failover as well. Policy-based assignment is also simple. The DHCP and DNS that are part of 2012 are very feature rich and robust.. I am not seeing a valid reason not to run these on your DC when you're already an AD shop.

                    anfeango @ThatGuy
                    last edited by

                    @thatguy said in help dynamic DNS + pfsense + windows server 2012 R2:

                    For your issue #1: In pfSense-->System-->Advanced-->Firewall & NAT you should make the following selections at the bottom of the page:
                    NAT Reflection mode for port forwards: PureNAT
                    Enable NAT Reflection for 1:1 NAT: checked
                    Enable automatic outbound NAT for Reflection: checked

                    Thanks for the answer, I'm going to try the Domain Overrides thing.

                    For point #1, yes, it is correct; I performed the steps you mention but it still does not work. Could it have to do with the fact that I use a Dynamic DNS?

                      anfeango @johnpoz
                      last edited by

                      @johnpoz Thanks for your explanations, I am going to find out a little more about how to implement DHCP in AD.
                      I also want to clarify why I am using pfSense as DHCP: currently I have a single server with Proxmox, in which I have 3 virtual machines: 1 pfSense, 2 Windows 2012 R2, and a Windows 7 with scanner software that can only be installed there.
                      I use the pfSense as DHCP because I use OpenVPN to externally connect the computers to the shared folders, and NAT for services like the DVR, remote desktop to the AD externally, and the backup software too. If I handle the DHCP with the AD, won't it generate conflicts with the OpenVPN and the NATs generated by the pfSense?

                      And really, thank you very much for your collaboration.

                        johnpoz LAYER 8 Global Moderator @anfeango
                        last edited by johnpoz

                        @anfeango said in help dynamic DNS + pfsense + windows server 2012 R2:

                        If I handle the DHCP with the AD, won't it generate conflicts with the openVPN and the NATs generated by the PFsense?

                        Your AD DHCP wouldn't be handing out DHCP to VPN clients.

                        Not sure where you think DHCP in pfSense has anything to do with VPN clients either? The IP a VPN client gets in the tunnel network you set up does not come from the DHCP scopes in pfSense. Are you running a TAP configuration in VPN?

                          anfeango @johnpoz
                          last edited by

                          @johnpoz Sorry that it took me too long to respond, I have been attending to other problems in the office.
                          Correct, I have the VPN with OpenVPN with TAP, and with that I have no problem. The question was that when the users connect to the VPN it gives them another network segment; I imagine, since I have never tried to do any kind of configuration for that segment that the pfSense gives, that the AD can be seen or accessed. Or should nothing additional be done, only the permission in the pfSense firewall that allows access to the IP of the AD?
                          Thanks for your great collaboration.

                            johnpoz LAYER 8 Global Moderator @anfeango
                            last edited by johnpoz

                            @anfeango said in help dynamic DNS + pfsense + windows server 2012 R2:

                            to the vpn it gives them another network segment

                            And what segment would that be - TAP would get its IP from your DHCP, since TAP is a bridged connection. So maybe you're not in TAP like you think. TAP is not normally what you would want.. And it really should only ever be used when you have some specific need that could not be overcome when using TUN mode. It has many drawbacks, and broadcast traffic over a VPN is not going to be good for performance, that is for sure!

                            And some devices cannot connect via TAP - for example the iOS OpenVPN Connect client does not support TAP that I am aware of.

                            https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.