LDAP authentication from remote AD server?
I'm using PFsense 2 as a VM FW appliance to a cloud environment.. the COLO environment holds a forest with a forest trust to the OFFICE forest.(connected with IPSEC vpn tunnel)
The COLO hosts two CLIENTAPPs.
Currently roadwarriors connect to the OFFICE network using PPTP through traditional methods, but it would be optimal to have them connect directly to the COLO site and utilize their applications.
The applications use the forest trust/AD from OFFICE for authentication.
Long story short, PFsense fails to communicate with the OFFICE subnet for purposes of LDAP communication. The COLO machines can ping and communicate over the IPSec vpn tunnel without issues, but when LDAP communication is tested (diagnostic authenication test in pfsense) I get the error:
ldap_bind(): Unable to bind to server: Can't contact LDAP server in /etc/inc/auth.inc on line 1020
The ldap connection/test works fine with the COLO domain…
So, I tested TRACEROUTE via the PFsense shell, and it turns out the packets for the OFFICE subnet get routed out over the internet and die..
How do I set a route that the PFsense unit will obey? clearly the route exists or was created when the tunnel was established or the LAN clients wouldn't be able to communicate with the other side of the tunnel (and vise versa).. It makes me want to create a new static route but it asks for a gateway - is this gateway the other end of the tunnel GW of the OFFICE subnet? I just tested pinging the remote GW with the same effect ->internet.
Ah, figured it out. I created a static route to the OFFICE network that uses a gateway pointing at the PFsense LAN interface IP and voila