Netgate Discussion Forum
    pfSense with Server 2019 AD DS and Netgear ORBI (as AP)

    DHCP and DNS
    29 Posts 3 Posters 4.1k Views
    • bearhntr @bearhntr

      @bingo600 and @Tzvia

      I also still do not know why I am getting these -- I have nothing set up for v6 - the NIC is set to DHCP and it seems to be getting an fexx:xxxx address.

      [screenshot]

      I get no other warning or errors in this tool - for anything - just these.

      Curtis

      • Tzvia @bearhntr

        @bearhntr Well, it looks from your screenshots like you are trying to enable both the DNS Resolver and the DNS Forwarder sections of PFSense? It's one or the other. Unless you have a need to use a particular external DNS server, like using one with porn blocks or something, the DNS resolver works fine without having to specify anything, resolving to root servers if you choose to forward from your Windows server to it.
        No reason to forward to the wireless AP if that is the box at .254 - it shouldn't be doing DNS or DHCP if your Windows Server is handling it, so I don't know why it's there. And if you don't have IPv6 set up the server may not be able to resolve IPv6-only root servers, causing that last screenshot (just guessing here)? So first decide if you want to just let your Windows server resolve to the internet or forward to the PFSense box and have it resolve. That's what I am currently doing, but I've done it both ways and it seems to make no difference. Once IPv4 is good to go, you can tackle IPv6.
        And yes, with Windows server it is best to only pass out your Windows server IP as the DNS server in DHCP scope settings, for Windows clients.

        Tzvia

        Current build:
        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
        16 gigs ram
        500gig WD Blue nvme
        Using modded BIOS (enabled CSTATES)
        PFSense 2.72-RELEASE
        Enabled Intel SpeedShift
        Snort
        PFBlockerNG
        LAN and 5 VLANS

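The two recommendations in the post above (hand out only the DC as DNS server in the DHCP scope, and decide whether the DC forwards to pfSense or resolves on its own) can be audited and applied from the DC itself. The following is an added example, not code from the thread or from Netgate: the 192.168.10.250 and 192.168.10.254 addresses come from the thread, while the scope ID `192.168.10.0`, the AD DNS name `corp.example.com`, and the choice to forward to pfSense rather than use root hints are assumptions for illustration. It needs the DhcpServer and DnsServer PowerShell modules that install with those roles and an elevated session on the DC.

```powershell
# Added example (not from the thread): make the DHCP scope hand out only the DC
# as DNS server and point the DC's forwarder at pfSense, then verify both.
# 192.168.10.250 (DC1) and 192.168.10.254 (pfSense LAN) are from the thread;
# the scope ID and the "corp.example.com" AD DNS name are assumptions.
Import-Module DhcpServer
Import-Module DnsServer

$dcIp     = '192.168.10.250'   # Windows DC1: AD DS / DNS / DHCP (from the thread)
$pfIp     = '192.168.10.254'   # pfSense LAN interface (from the thread)
$scopeId  = '192.168.10.0'     # assumption: a single /24 scope on the LAN
$adDomain = 'corp.example.com' # assumption: placeholder for the real AD DNS name

# 1. DHCP option 006 (DNS Servers): domain-joined clients must resolve through
#    the DC only. If a second resolver (the AP at .1, pfSense at .254) is also
#    listed, clients sometimes send AD SRV lookups there, get NXDOMAIN, and
#    logons / GPO processing become intermittent.
$opt     = Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6 -ErrorAction SilentlyContinue
$current = if ($opt) { @($opt.Value) } else { @() }
$stray   = $current | Where-Object { $_ -ne $dcIp }
if ($stray) {
    Write-Warning "Scope $scopeId hands out extra DNS servers: $($stray -join ', ') - replacing with $dcIp only"
}
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $dcIp -DnsDomain $adDomain -Router $pfIp

# 2. DC forwarding: send everything the DC is not authoritative for to pfSense.
#    -UseRootHint $false stops the DC from falling back to the root servers when
#    the forwarder does not answer. To let the DC resolve directly instead (the
#    other option discussed in the thread), drop -IPAddress and set it to $true.
Set-DnsServerForwarder -IPAddress $pfIp -UseRootHint $false -Timeout 3

# 3. Verify from the DC's point of view: scope option, forwarder, an internal
#    AD SRV record (must come from the DC's own zone) and an external name
#    (must come back via pfSense).
Get-DhcpServerv4OptionValue -ScopeId $scopeId -OptionId 6 | Select-Object -ExpandProperty Value
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$adDomain" -Type SRV -Server $dcIp
Resolve-DnsName -Name 'www.netgate.com' -Server $dcIp
```

The warning in step 1 is the check worth keeping around: if it ever fires after the scope is fixed, something else (another DHCP server on the LAN, a restored scope backup) has put a second DNS server back into option 006.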
        • bearhntr @Tzvia

          @tzvia

          I tried to be as clear as possible. I am sorry if there is some confusion.

          192.168.10.1 - ORBI Router (in AP mode only) Does not do anything with DNS or DHCP
          192.168.10.2 - ORBI Satellite (in the other end of the house so that my office can have network)
          192.168.10.250 - Windows DC1 (Server 2019 Std) to handle DNS / DHCP / AD DS / LDAP
          192.168.10.254 - pfSense LAN port

          I am guessing that I was thinking DNS Resolver on the pfSense would resolve DNS (like the DC1 box is supposed to (wanting it to) do).

          Yes.... IPv6 is not configured any more - but I just find it odd that the Windows BPA keeps telling me that IPv6 root hints need to resolve. Nothing is set up in IPv6 any longer, but I cannot disable that protocol in the DC - Windows will yell about it. The NIC in the DC does get an IP (see below):

          [screenshot]

          So I still cannot get the pfSense to resolve to a name in the DNS Forwarders setting tab. I always get this:

          [screenshot]

          As stated - it appears that everything works.... but I hate 'unresolved' things. Because I want to get IPv6 going and then start working on VPN stuff for streaming and monitoring as well as other Firewall stuff.

          *** Have you ever set up or used an iPerf3 server??? I see that pfSense can be set up to do that. I use the Speed Test WiFi Analyzer - analiti quite often on my FireSticks. I will eventually get CAT6 run throughout the house, but for now... everything except the pfSense, DC1 and ORBI is wireless.

          Thanks again for sticking with me.

          Curtis

          • bearhntr @bearhntr

            UPDATE:

            OK. I have performed the following:

            1. Disabled DNS Forwarder in pfSense:

            [screenshot]

            2. Enabled DNS Resolver in pfSense - not sure if all of this is correct - but I seem to still have Internet:

            [screenshot]
            [screenshot]

            3. I am able to ping the pfSense now - but still not resolve a name:

            [screenshot]

            [screenshot]

            4. Strange that when I was playing with IPv6 - the IPv6 would resolve the name (this is an old image):

            [screenshot]

            We're getting closer -- I can feel it. 😁

            Curtis

            • bearhntr @bearhntr

              After making the changes to the pfSense Resolver vs. Forwarder -- I performed an ipconfig /flushdns and ipconfig /registerdns from ADMIN CMD prompt on the DC.

              Waited 10 minutes - which should not have been needed - but I am getting this now:

              [screenshot]

              WAAAAAH!!!! 😱

              Also - does this look correct? Does the Router Advertiser need to be running?

              [screenshot]

              Curtis

              • Tzvia @bearhntr

                @bearhntr Resolving a name from an IP requires an entry in DNS. So if you want it to resolve to a name, just create a static entry for it in Windows DNS. It's green because it responds and frankly doesn't need to resolve to a name. Remember, the names are for US, the IPs are for routing and MAC addresses are for delivery. Ok, the 254 IP is PFSense now and you're forwarding to it and it is forwarding to some DNS you set on the general tab. My suggestion, if you don't need to use a specific public DNS (just habit that you use DNS from X, whoever), just leave it in resolver mode. You don't need to send your internet market usage to those data miners. PFSense will use root servers and resolve without their prying eyes.

                Tzvia

                • bearhntr @Tzvia

                  @tzvia

                  OK. Specifically "where" do I need to add this name/IP in the Windows DNS? This I think is where part of my confusion lies.

                  Now you have confused me with the comment: "Ok the 254 IP is PFSense now and you're forwarding to it and it is forwarding to some DNS you set on the general tab. My suggestion, if you don't need to use a specific public DNS, just habit you use DNS from X whoever, just leave it in resolver mode. You don't need to send your internet market usage to those data miners. PFSense will use root servers and resolve without their prying eyes."

                  Here is what I have in GENERAL SETUP (this is the DC address):

                  [screenshot]

                  Curtis

                  • bearhntr @bearhntr

                    UPDATE:

                    OK -- By Golly -- I think I have fixed it.

                    [screenshot]

                    [screenshot]

                    Much thanks to everyone. Now to make the Document for all of this.

                    Curtis

                    • Tzvia @bearhntr

                      @bearhntr Yes, sorry I missed that you weren't sure where to add the static entry in DNS. And as long as the DHCP scope options are giving out your DNS server IP as the DNS server- you don't have to add it on the general tab in PFSense, or set forwarding on the DNS tab. I have nothing set on the General tab for DNS, and it works fine. In DNS Resolver, General Settings, if you scroll all the way down to the bottom, there is a Domain Override section, where you can add your domain name and point it to your server's IP.

                      As for RADVD, that's the Router Advertisement service. I know it is used when you setup IPV6, on the Services/DHCPv6 Server & RA/LAN/Router Advertisements.

                      Tzvia


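Two things in this thread are left as "add it in Windows DNS" and "add a Domain Override in the pfSense Resolver" without showing the mechanics: Tzvia's earlier point that an IP only resolves to a name if there is an entry for it in DNS (a reverse lookup zone plus a PTR record, which an AD promotion does not create for you), and the Domain Override that lets pfSense answer for the AD domain by asking the DC. The script below is an added example, not code from the thread or from Netgate. The IPs (.1 and .2 for the ORBI units, .250 for DC1, .254 for pfSense) are from the thread; the AD DNS name `corp.example.com`, the host names, and the assumption that a Domain Override for that domain pointing at .250 has been configured on pfSense are placeholders. Run it in an elevated PowerShell session on the DC.

```powershell
# Added example (not from the thread): create the reverse lookup zone and
# static A+PTR records so 192.168.10.254 resolves to a name, check that forward
# and reverse agree, and check that pfSense can answer for the AD domain.
# IPs are from the thread; the AD DNS name and host names are assumptions.
Import-Module DnsServer

$dcIp     = '192.168.10.250'           # Windows DC1 (from the thread)
$pfIp     = '192.168.10.254'           # pfSense LAN interface (from the thread)
$adDomain = 'corp.example.com'         # assumption: placeholder for the real AD DNS name
$revZone  = '10.168.192.in-addr.arpa'  # reverse zone name for 192.168.10.0/24
$hosts = @{                            # host names are assumptions; IPs are from the thread
    'pfsense'        = $pfIp
    'orbi-router'    = '192.168.10.1'
    'orbi-satellite' = '192.168.10.2'
}

# 1. A reverse lookup zone is what makes "IP -> name" possible. Promoting a DC
#    creates the forward zone and _msdcs, not the reverse zone, which is the
#    usual reason an address in a tool stays an address.
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.10.0/24' -ReplicationScope 'Domain'
}

# 2. Static A records; -CreatePtr writes the matching PTR into the reverse zone
#    in the same call, so forward and reverse cannot drift apart at creation time.
foreach ($name in $hosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $adDomain -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $adDomain -Name $name -IPv4Address $hosts[$name] -CreatePtr
    }
}

# 3. Consistency check: PTR -> name -> A must land back on the same IP. A PTR
#    that points at a name with no A record usually means a hand-edited zone.
function Test-ForwardReverse([string]$Ip, [string]$Server) {
    $ptr  = Resolve-DnsName -Name $Ip -Type PTR -Server $Server -ErrorAction Stop
    $fqdn = $ptr.NameHost
    $a    = Resolve-DnsName -Name $fqdn -Type A -Server $Server -ErrorAction Stop
    [pscustomobject]@{ IP = $Ip; Name = $fqdn; Consistent = ($a.IPAddress -contains $Ip) }
}
Test-ForwardReverse -Ip $pfIp -Server $dcIp

# 4. Domain Override check: with an override for $adDomain -> $dcIp configured
#    under Services > DNS Resolver > General Settings on pfSense, asking pfSense
#    directly for an internal name must return the same answer as the DC.
#    NXDOMAIN or SERVFAIL from .254 here means the override is missing or wrong.
Resolve-DnsName -Name "dc1.$adDomain" -Server $pfIp -ErrorAction Continue
Resolve-DnsName -Name "dc1.$adDomain" -Server $dcIp -ErrorAction Continue
```

Step 4 is the test that matters if any client is ever pointed at pfSense instead of the DC (a VLAN without domain-joined machines, a VPN client): without the override, unbound will go to the root servers for `corp.example.com` and internal names simply will not exist from that client's point of view.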
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.