Netgate Discussion Forum
Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash)

31 Posts 6 Posters 3.6k Views
  • B
    bearhntr
    last edited by Jan 4, 2023, 7:28 PM

    Re: Using pfSense as firewall and Windows Server as DHCP and DNS server

    Read through this about 4 times now (and while my head is still spinning) wanted to ask:

    I want to do something similar but I purchased a domain name, and I use it currently only for CloudFlare access to my HomeAssistant instance. Works quite nicely.

    How would I do the same as the article above, but use "MY" domain name in the AD scenario and have pfSense and CloudFlare continue to work? I also have pfSense doing IPv6 (tracking the WAN) as my provider provides me with a /60 IPv6 address.

    If you need to see anything, let me know. Just stood up the Server 2019 Standard where I will turn on AD once I figure out how best to do this.

    1 Reply Last reply Reply Quote 0
    • B
      bmeeks
      last edited by bmeeks Jan 5, 2023, 1:00 AM Jan 5, 2023, 12:56 AM

      You can't use the same domain name easily both inside your LAN and outside because the IP addresses are usually different for the same name. For example, inside your LAN Active Directory is going to assume your domain name resolves to your Domain Controller (or Controllers). And that is likely to be a private RFC1918 non-routable IP address. But out on the Internet, your CloudFlare and HomeAssistant setups need your domain to resolve to a public routable IP. Ergo the problem ... 😦.

      The only exception to the above would be the case of a large business network that had its own public routable IP space (for example, your company owned one or more ASN subnets). But even in that scenario larger corporations will still use hide-behind NAT for routing their internal clients out to the Internet.

      The most common solution to your problem is to have a subdomain of your main domain be used for Active Directory. For example, if your public domain was "mydomain.com", then your local AD domain might be "internal.mydomain.com". The domain "internal.mydomain.com" would resolve to your non-routable RFC1918 IP (typically meaning your AD Domain Controller) while "mydomain.com" would resolve to your public routable IP.

      There are many posts about these types of setups to be found with a Google search. Here is the first hit, and it is direct from the mouth of Microsoft: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx. This is the search term I used: active directory internal and external domain

      B 1 Reply Last reply Jan 6, 2023, 1:31 AM Reply Quote 1
      • B
        bearhntr @bmeeks
        last edited by Jan 6, 2023, 1:31 AM

        @bmeeks

        OK makes sense...so here is where I am confused.

        1. My HomeAssistant is accessible via CloudFlare both in my home and outside with the same URL (ex. https://ha.MyDomain.com). Both inside and outside take me to the same place. Would I have to change anything for "internal" (saying I chose a sub-domain of AD or INT)?

        2. Would I (or should I) setup pfSense with an AD login (LDAP)?

        3. Which would be best as for setting up DHCP and DNS? Currently pfSense is doing all of that for IPv4 and IPv6. (cause me the least amount of headaches)

        S B 2 Replies Last reply Jan 6, 2023, 2:01 AM Reply Quote 0
        • S
          SteveITS Galactic Empire @bearhntr
          last edited by Jan 6, 2023, 2:01 AM

          @bearhntr last question first, if pfSense is the DNS server it should forward queries for the network domain to Windows DNS. We generally just have Windows provide DNS and DHCP.

          If ha.mydomain.com is not your Windows network domain then it's irrelevant.

          There's no need to connect pfSense with AD. Perhaps RADIUS authentication for VPN?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 1
          • B
            bmeeks @bearhntr
            last edited by bmeeks Jan 6, 2023, 2:13 AM Jan 6, 2023, 2:10 AM

            @bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

            @bmeeks

            OK makes sense...so here is where I am confused.

            1. My HomeAssistant is accessible via CloudFlare both in my home and outside with the same URL (ex. https://ha.MyDomain.com). Both inside and outside take me to the same place. Would I have to change anything for "internal" (saying I chose a sub-domain of AD or INT)?

            2. Would I (or should I) setup pfSense with an AD login (LDAP)?

            3. Which would be best as for setting up DHCP and DNS? Currently pfSense is doing all of that for IPv4 and IPv6. (cause me the least amount of headaches)

            What specifically do you want to achieve by using Active Directory and the Windows Server DHCP and DNS services? What are you expecting there that pfSense does not already provide for your network?

            Setting this up is not hard, but it does require a rather full understanding of how DNS works, the difference between DNS resolving and forwarding, what authoritative DNS really means, etc. It also requires a good foundation in Microsoft's Active Directory configuration and management.

            For a home network, I see absolutely no advantage of configuring AD LDAP for pfSense login. RADIUS perhaps for remote VPN access authentication, but even that is not really necessary for a home network in my opinion. It is very easy to make your network so complicated that it becomes unstable or unusable.

            B 1 Reply Last reply Jan 14, 2023, 7:25 PM Reply Quote 2
            • B
              bearhntr @bmeeks
              last edited by Jan 14, 2023, 7:25 PM

              @bmeeks

              Apologies for the late response - I did not see that your response was out here.

              I am looking to have a central user base - logins for various systems. I am not specifically 'locked' into Windows AD - as I happen to know it, that is why I was looking down that path. I am familiar with setting up the AD environment (in most cases) -- but more in an office lab environment where there is already an established DNS and Internet Gateway.

              I know there are other LDAP methods, what specifically I am looking for is to be able to setup things like HomeAssistant, pfSense, NAS, and a few other systems with a single "domain" login and password - rather than individual logins on each of them. If that makes sense.

              As I work from home, and need the setup of a 'lab' domain to test various softwares and configurations - on VM servers - this is why I am looking to possibly setup an AD environment.

              B 1 Reply Last reply Jan 14, 2023, 11:29 PM Reply Quote 0
              • B
                bmeeks @bearhntr
                last edited by Jan 14, 2023, 11:29 PM

                @bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

                @bmeeks

                Apologies for the late response - I did not see that your response was out here.

                I am looking to have a central user base - logins for various systems. I am not specifically 'locked' into Windows AD - as I happen to know it, that is why I was looking down that path. I am familiar with setting up the AD environment (in most cases) -- but more in an office lab environment where there is already an established DNS and Internet Gateway.

                I know there are other LDAP methods, what specifically I am looking for is to be able to setup things like HomeAssistant, pfSense, NAS, and a few other systems with a single "domain" login and password - rather than individual logins on each of them. If that makes sense.

                As I work from home, and need the setup of a 'lab' domain to test various softwares and configurations - on VM servers - this is why I am looking to possibly setup an AD environment.

                Sounds like what you really want is Single Sign-On (SSO). Windows AD can certainly provide that feature, but only if all of your devices/services are compatible with Active Directory. Not everything will work with Active Directory credentialling (at least not in native AD). More stuff is likely to work with Radius or maybe LDAP that in turn uses a Windows AD backend.

                I did a quick Google search for HomeAssistant and Active Directory or LDAP integration. Some things I found suggest it is possible - with some work - to get LDAP to work. But I did not find a ready-made tutorial. That tells me maybe it does not actually work well yet. The LDAP functionality of Active Directory is not necessarily "standard", as is the case with most things Microsoft implements to sort of mimic a published standard. Things like that frequently almost work correctly, but just not 100% correctly 🙂.

                Kind of the same thing with a NAS. How well it works with AD authentication is going to be determined by the level of support the underlying operating system of the NAS has for Samba/Active Directory. Some Linux-type systems are better at this than others.

                1 Reply Last reply Reply Quote 0
                • C
                  Cool_Corona
                  last edited by Jan 15, 2023, 10:40 AM

                  We run this scenario at a client using Windows server as DHCP and DNS using pfsense only as a Firewall :)

                  Works no issues.

                  B 1 Reply Last reply Mar 19, 2023, 2:12 PM Reply Quote 0
                  • B
                    bearhntr @Cool_Corona
                    last edited by Mar 19, 2023, 2:12 PM

                    @cool_corona

                    Thanks - I think what I really want is to have DHCP and DNS on pfSense, and maybe Windows Server 2019 Domain Controller as a backup to DNS. Since the majority of my home machines and lab machines will be Windows 7, 10, 11 and other servers - I truly feel this is the way I should go.

                    I am really hoping that I can get it all setup and working, as I would like to have single sign-on methods using AD (LDAP). Shame I could not do the same thing for all of these streaming services, banking and other web-based logins. 🙄

                    C johnpozJ S 3 Replies Last reply Mar 19, 2023, 2:14 PM Reply Quote 0
                    • C
                      Cool_Corona @bearhntr
                      last edited by Mar 19, 2023, 2:14 PM

                      @bearhntr Windows DNS is much better.

                      Use only pfsense as GW and FW if you have the choice.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @bearhntr
                        last edited by Mar 19, 2023, 2:24 PM

                        @bearhntr said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

                        lab machines will be Windows 7, 10, 11 and other servers - I truly feel this is the way I should go.

                        Which are windows.. Why would you not just use windows as your dns and dhcp? Especially if you're going to run an AD, be it these machines are actual members of the AD or not, if you're going to resolve and use AD in your setup.

                        Pfsense dhcp and dns is great when you don't have anything else to use.. But if you're an MS shop, and have windows servers running already, then why would you not just leverage it for dhcp and dns - this makes it much easier to have all your AD stuff resolving correctly, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        M 1 Reply Last reply Mar 19, 2023, 2:28 PM Reply Quote 0
                        • S
                          SteveITS Galactic Empire @bearhntr
                          last edited by Mar 19, 2023, 2:26 PM

                          @bearhntr

                          Windows Server 2019 Domain Controller as a backup to DNS

                          As noted above, set a domain override to forward AD queries to Windows or you'll have problems. (Login failures, slow login, group policy not found, etc.)

                          1 Reply Last reply Reply Quote 0
                          • M
                            mcury @johnpoz
                            last edited by mcury Mar 19, 2023, 2:31 PM Mar 19, 2023, 2:28 PM

                            @johnpoz Although it works great using AD DNS/DHCP, you will face some problems with pfblockerNG DNSBL and/or pihole.
                            You won't be able to know what IP is being blocked because all of them will reach pfsense using the AD IP.

                            In this situation, I enable DHCP relay in pfsense and use DHCP from AD, which will register A and reverse entries.
                            For users, I use DNS from pfsense, but there I create a domain override and network reverse entries.

                            It's working fine for a few customers..

                            Edit: Using AD DNS will also create a problem with DNSBL bypass.

                            dead on arrival, nowhere to be found.

                            johnpozJ 1 Reply Last reply Mar 19, 2023, 2:32 PM Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @mcury
                              last edited by johnpoz Mar 19, 2023, 2:35 PM Mar 19, 2023, 2:32 PM

                              @mcury said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

                              you will face some problems with pfblockerNG DNSBL and/or pihole.

                              Nope, not an issue.. your clients point to your AD for dns, then your AD forwards to unbound, or shoot even forwards to your pihole, and then pihole forwards to unbound so you can use both pihole and pfblocker, etc.

                              with DNSBL bypass.

                              For clients you don't want to be filtered by unbound: create a conditional forwarder in your AD dns that sends them somewhere else for dns that is not filtered by unbound. Say bind running on your pfsense, even running on a different port.

                              M 2 Replies Last reply Mar 19, 2023, 2:34 PM Reply Quote 0
                              • M
                                mcury @johnpoz
                                last edited by Mar 19, 2023, 2:34 PM

                                @johnpoz When you check the Reports tab in pfblockerNG, all you can see is the AD IP as source of the connections.


                                johnpozJ 1 Reply Last reply Mar 19, 2023, 2:36 PM Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @mcury
                                  last edited by Mar 19, 2023, 2:36 PM

                                  @mcury see my edit... Yes, all stuff going to unbound from your AD would be from the AD IP, but you can create a conditional forwarder that sends clients asking AD that you don't want to be filtered to go somewhere else for upstream dns, etc.

                                  1 Reply Last reply Reply Quote 0
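The two johnpoz posts above describe the same split: the DC forwards by default to unbound on pfSense (so DNSBL still applies), and a chosen set of clients is sent to an unfiltered resolver instead. This is an added example, not code from the thread or from Netgate; on Windows DNS Server a per-client forwarding choice is done with a DNS recursion-scope policy (Server 2016 and later) rather than a zone conditional forwarder, so that mechanism is swapped in here. Assumed values: DC 192.168.1.10, pfSense unbound 192.168.1.1, an unfiltered BIND instance reachable on its own pfSense IP 192.168.1.2 (Windows forwarders only target port 53, so a second port on the same IP cannot be used), and bypass subnet 192.168.50.0/24.

```powershell
# Added example (not from this thread). Run on the domain controller as an admin.
# Requires the DnsServer module (present on a DC or with RSAT-DNS-Server).
Import-Module DnsServer

$Filtered   = '192.168.1.1'      # assumed: pfSense unbound, pfBlockerNG DNSBL applies
$Unfiltered = '192.168.1.2'      # assumed: second pfSense IP running BIND, no filtering
$BypassNet  = '192.168.50.0/24'  # assumed: clients that must not be DNSBL-filtered

# 1. Default path: everything outside the AD zones goes to unbound on pfSense.
#    Replace any existing forwarder list so the result is exactly what we intend.
$current = (Get-DnsServerForwarder).IPAddress
if ($current) { Remove-DnsServerForwarder -IPAddress $current -Force }
Add-DnsServerForwarder -IPAddress $Filtered -PassThru

# 2. Bypass path: a recursion scope with its own forwarder, selected by client subnet.
#    Queries from $BypassNet recurse through this scope; all other clients keep the
#    default scope from step 1.
Add-DnsServerClientSubnet    -Name 'BypassClients'   -IPv4Subnet $BypassNet
Add-DnsServerRecursionScope  -Name 'UnfilteredScope' -EnableRecursion $true -Forwarder $Unfiltered
Add-DnsServerQueryResolutionPolicy -Name 'BypassPolicy' -Action ALLOW -ApplyOnRecursion `
    -RecursionScope 'UnfilteredScope' -ClientSubnet 'EQ,BypassClients' -ProcessingOrder 1

# 3. Review the result. From a host in 192.168.50.0/24, external names should now be
#    answered via 192.168.1.2; from any other LAN host, via unbound at 192.168.1.1.
Get-DnsServerForwarder | Format-List IPAddress
Get-DnsServerRecursionScope | Format-Table Name, EnableRecursion, Forwarder
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, IsEnabled
```

On the pfSense side the domain override for the AD zone pointing at 192.168.1.10 (mentioned earlier in the thread) is still needed for any client that queries unbound directly, otherwise AD names will not resolve there.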
                                  • M
                                    mcury @johnpoz
                                    last edited by Mar 19, 2023, 2:36 PM

                                    @johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

                                    For clients you don't want to be filtered by unbound. Create a conditional forwarder in your AD dns that sends them somewhere else for dns that is not filtered by unbound. Say bind running on your pfsense that running on a different port even.

                                    🤔 Hmmm, that is another option too..

                                    johnpozJ 1 Reply Last reply Mar 19, 2023, 2:39 PM Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @mcury
                                      last edited by johnpoz Mar 19, 2023, 2:42 PM Mar 19, 2023, 2:39 PM

                                      @mcury said in Using pfSense as firewall and Windows Server as DHCP and DNS server (re-hash):

                                      Hmmm, that is another option too..

                                      There are always multiple ways to skin a cat.. But if you're running AD, it makes sense to use that as your first DNS, and also have it hand out dhcp.. And then skin the cat using that for whatever other thing you want to do with the skin.. Make a coat, or a purse, etc.

                                      You could have your AD resolve even, and for stuff you want filtered use a conditional forwarder for those clients that forward to unbound/pihole, etc.

                                      If everything is using your AD for dhcp and dns, this would be first stop to resolve all local resources - what happens after that you can configure in the AD dns - be it forwards to something that filters, be it forwarded to something that doesn't or even just resolve.

                                      But when you run AD, clients of the AD should use it for dns and dhcp - this makes AD run easier and smoother.


                                      M 1 Reply Last reply Mar 19, 2023, 2:42 PM Reply Quote 0
                                      • M
                                        mcury @johnpoz
                                        last edited by mcury Mar 19, 2023, 2:43 PM Mar 19, 2023, 2:42 PM

                                        @johnpoz I see your point.
                                        I have been doing what I described above for a few years and no problems so far.

                                        But next time, I'll check that bind option indeed.. Point users to AD and check how it goes.


                                        johnpozJ 1 Reply Last reply Mar 19, 2023, 2:45 PM Reply Quote 1
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @mcury
                                          last edited by Mar 19, 2023, 2:45 PM

                                          @mcury Sure, if you know what you're doing and how to setup domain forwards in unbound, etc, you can have all your AD resolve, etc. But if you're an MS shop, and you're running AD.. It is cleaner to have your dns and dhcp via the AD.. What happens with filtering for dns records can either happen there in your AD dns.. or you can forward your external filtered records to something that filters - be that pihole or unbound, etc.

                                          Like said, there are many ways to skin a cat ;)

                                          M 1 Reply Last reply Mar 19, 2023, 2:45 PM Reply Quote 1
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.