Best configuration - pfSense & SBS 2003?



  • Hi all -

    I am looking for guidance in configuring pfSense and a SBS 2003 server.

    My original config was:
    WAN = DHCP from Comcast
    LAN = Static 192.168.20.0
    LAN DHCP = 192.168.20.2 SBS 2003 Server
        IP Addresses excluded 192.168.20.1 through 192.168.20.9
        IP Addresses excluded 192.168.20.100 through 192.168.20.238
    LAN DNS = 192.168.20.2

    My current config is:
    WAN = DHCP from Comcast
    LAN = Static 192.168.20.0
    LAN DHCP = 192.168.20.2 SBS 2003 Server = stopped
    LAN DNS = 192.168.20.2 SBS 2003 Server = stopped
    PCs = Manually pointing to pfSense for DNS

    pfSense DNS Server has OpenDNS & Google IPs in General Setup
    pfSense DNS override unchecked
    pfSense DNS forwarding is enabled

    Which is best, allow pfSense to handle DNS & DHCP or the SBS server?

    What about DNS forwarding?

    I based my original config from: http://forum.pfsense.org/index.php?topic=8204.0
    And my current from: http://forum.pfsense.org/index.php/topic,48059.0.html

    Something in my config is STILL wrong because LAN side users, using Chrome on Win7 64, are having WWW requests getting stuck with the message "Sending request…"  Pages take 30+ seconds to load or time out with the message ERR_NAME_NOT_RESOLVED, or never time out.  Many times the page loads fast on second try.  It is random and intermittent.

    I hope NOT to offend any members.  I switched to pfSense because the SBS logs were filling from a "Dictionary Attack".

    I need happy employees and don't want to switch back to a consumer router.

    Thanks for your help - Brad



  • @Verohomie:

    Something in my config is STILL wrong because LAN side users, using Chrome on Win7 64, are having WWW requests getting stuck with the message "Sending request…"  Pages take 30+ seconds to load or time out with the message ERR_NAME_NOT_RESOLVED, or never time out.  Many times the page loads fast on second try.  It is random and intermittent.

    Are these users using the old DNS or the new? (Unless they did an ipconfig /renew, they will use the old DNS until their DHCP lease expires.)

    Is there a common theme in the unresolved names?

    "never timeout" is a stretch of the truth. How long are users waiting before they decide they have waited "long enough"? When the internet gets busy or significant routers crash, packets can be dropped. TCP will attempt to recover by retransmitting. It takes a number of retransmit attempts before TCP decides the link is broken and reports it is broken.

    Edit: When I clicked the Save button to post the first cut of this reply my browser reported Connected to forum.pfsense.org for what seemed (by counting) to be over 40 seconds. This sort of thing happens to me intermittently; sometimes the Save completes seemingly instantaneously.
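As an added example (not from the thread or from either poster), a small Python probe for answering the "old DNS or new DNS" question above and for pinning an intermittent ERR_NAME_NOT_RESOLVED on a specific resolver. It sends a raw A query to each resolver in turn, rejects replies whose transaction ID does not match, and tallies timeouts and failures per server. 192.168.20.2 (the SBS box) is from the thread; the pfSense LAN address 192.168.20.1 and the OpenDNS/Google addresses are assumptions, since the thread never states them.

```python
"""Probe every DNS resolver a LAN client might be pointed at and report
latency, response code and timeouts per resolver, so an intermittent
ERR_NAME_NOT_RESOLVED can be attributed to one of them.

Usage:  python dnsprobe.py www.google.com mail.example.local
"""
import random
import socket
import struct
import sys
import time

# 192.168.20.2 is the SBS box from the thread.  The pfSense LAN address and
# the public forwarders are assumptions (the thread gives none of them).
RESOLVERS = {
    "sbs2003": "192.168.20.2",
    "pfsense": "192.168.20.1",       # assumption: pfSense LAN address
    "opendns": "208.67.222.222",     # assumption: OpenDNS primary
    "google": "8.8.8.8",             # assumption: Google Public DNS
}

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Build a minimal recursive (RD=1) query; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Return (rcode_name, answer_count); raise ValueError if the reply is
    not a sane answer to the query we sent."""
    if len(data) < 12:
        raise ValueError("short reply (%d bytes)" % len(data))
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("txid mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an


def probe(server, name, timeout=2.0):
    """Send one UDP query to `server` and return a result dict."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    except socket.timeout:
        return {"server": server, "name": name,
                "error": "timeout after %.1fs" % timeout}
    except OSError as exc:
        return {"server": server, "name": name, "error": str(exc)}
    finally:
        sock.close()
    latency_ms = round((time.monotonic() - start) * 1000, 1)
    try:
        rcode, answers = parse_response(data, txid)
    except ValueError as exc:
        return {"server": server, "name": name, "error": str(exc)}
    return {"server": server, "name": name, "latency_ms": latency_ms,
            "rcode": rcode, "answers": answers}


def summarize(results):
    """Per-resolver tally: successful lookups, timeouts, and other failures
    (NXDOMAIN/SERVFAIL/no-data for a name that should resolve, or a reply
    that failed parse_response)."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["server"], {"ok": 0, "timeouts": 0,
                                             "failed": 0, "latencies": []})
        if "error" in r:
            if r["error"].startswith("timeout"):
                s["timeouts"] += 1
            else:
                s["failed"] += 1
        elif r["rcode"] == "NOERROR" and r["answers"] > 0:
            s["ok"] += 1
            s["latencies"].append(r["latency_ms"])
        else:
            s["failed"] += 1
    return summary


def main(names, rounds=5):
    results = []
    for _ in range(rounds):
        for server in RESOLVERS.values():
            for name in names:
                results.append(probe(server, name))
    for server, s in summarize(results).items():
        worst = max(s["latencies"]) if s["latencies"] else None
        print("%-16s ok=%d timeouts=%d failed=%d worst_ms=%s"
              % (server, s["ok"], s["timeouts"], s["failed"], worst))


if __name__ == "__main__":
    main(sys.argv[1:] or ["www.google.com"])
```

Run it from one of the affected Win7 clients with the names users complain about (Google searches, per the thread). A resolver that shows timeouts while the others answer in a few milliseconds is the one to remove from the client's DNS list or from pfSense's General Setup; a resolver that answers NXDOMAIN for internal names is the symptom of pointing clients at pfSense's forwarder instead of the SBS DNS that holds the Active Directory zone.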


  • Netgate Administrator

    @wallabybob:

    Edit: When I clicked the Save button to post the first cut of this reply my browser reported Connected to forum.pfsense.org for what seemed (by counting) to be over 40 seconds. This sort of thing happens to me intermittently; sometimes the Save completes seemingly instantaneously.

    Some discussion, here.

    Steve



  • wallabybob -

    Are these users using the old DNS or the new? (Unless they did an ipconfig /renew, they will use the old DNS until their DHCP lease expires.)

    Don't know, too many changes… rebooted router, SBS, then PCs.  Will test today.

    Is there a common theme in the unresolved names?

    Yes, mostly Google searches.

    "never timeout" is a stretch of the truth. How long are users waiting before they decide they have waited "long enough"? When the internet gets busy or significant routers crash, packets can be dropped. TCP will attempt to recover by retransmitting. It takes a number of retransmit attempts before TCP decides the link is broken and reports it is broken.

    Well after 15 minutes of "Sending request..." at the bottom of chrome and the spinning tab, I stopped the request.

    Edit: When I clicked the Save button to post the first cut of this reply my browser reported Connected to forum.pfsense.org for what seemed (by counting) to be over 40 seconds. This sort of thing happens to me intermittently; sometimes the Save completes seemingly instantaneously.

    I too have been having posting issues to the forum http://forum.pfsense.org/index.php/topic,47874.0.html
    But I think they are separate issues.

    I will report back on my testing today.  Thanks for your posts - Brad



  • Hi All -

    After extensive troubleshooting my DNS issue was being caused by Snort.

    To get things running smoothly I had to remove the Snort interface from the Snort services page and reboot pfSense.

    Stopping the service was not enough.

    Hope this helps others.

    Brad



  • I would think that you need to run DNS on the SBS and not pfSense or you won't be able to resolve internal DNS names. DHCP can run on either or even both with the proper exclusions.



  • Hi All -

    Since my last post, I restarted snort BUT with the "block offenders" checkbox unchecked.  Having this checked wreaked havoc on my system.  I have been running smoothly for 32 hrs.

    I decided to keep SBS running DNS and DHCP.

    WAN = DHCP from Comcast
    LAN = Static 192.168.20.0
    LAN DHCP = 192.168.20.2 SBS 2003 Server
        IP Addresses excluded 192.168.20.1 through 192.168.20.9
        IP Addresses excluded 192.168.20.100 through 192.168.20.238

    DNS Server (General Setup) = 192.168.20.2 with none selected

    Thanks to all who replied - Brad
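As an added example (not from the thread or from the pfSense project), a check for the "block offenders" failure mode described in the two Snort posts above. On pfSense the Snort package enforces block offenders by inserting offending addresses into the `snort2c` pf table, so if a Snort rule fires on traffic to or from one of your DNS resolvers, that resolver silently stops answering until the entry is cleared, which looks exactly like random ERR_NAME_NOT_RESOLVED. The script below takes the output of `pfctl -t snort2c -T show` on stdin and reports which resolvers are caught. 192.168.20.2 is the SBS address from the thread; the OpenDNS and Google addresses, and the sample table contents, are assumptions and constructed data, not captured from a real box.

```python
"""Check whether Snort's "block offenders" feature on pfSense has put one of
the LAN's DNS resolvers into the `snort2c` pf table.  Feed it the output of

    pfctl -t snort2c -T show

for example:  ssh admin@pfsense pfctl -t snort2c -T show | python snortcheck.py
"""
import ipaddress
import sys

# 192.168.20.2 is the SBS box from the thread; the rest are assumptions.
RESOLVERS = {
    "sbs2003": "192.168.20.2",
    "opendns": "208.67.222.222",     # assumption: OpenDNS primary
    "google": "8.8.8.8",             # assumption: Google Public DNS
}

# Constructed sample of what `pfctl -t snort2c -T show` prints (one entry
# per line, indented).  Not captured from a real firewall.
SAMPLE_TABLE = """\
   74.125.224.72
   208.67.222.222
   192.168.20.2
   10.0.0.0/8
"""


def parse_table(text):
    """Turn pfctl table output into ip_network objects; CIDR entries are
    kept as networks, bare addresses become /32 (or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue    # skip anything that is not an address or prefix
    return nets


def blocked_resolvers(nets, resolvers):
    """Map resolver label -> (resolver ip, matching table entry) for every
    resolver that falls inside a blocked entry."""
    hits = {}
    for label, ip in resolvers.items():
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                hits[label] = (ip, str(net))
                break
    return hits


def release_commands(hits):
    """pfctl commands that remove the matching entries.  This only clears the
    current block: Snort re-adds the address on the next alert unless block
    offenders is turned off or the resolver is on the package's whitelist."""
    return ["pfctl -t snort2c -T delete %s" % entry for _ip, entry in hits.values()]


def main():
    text = SAMPLE_TABLE if sys.stdin.isatty() else sys.stdin.read()
    hits = blocked_resolvers(parse_table(text), RESOLVERS)
    if not hits:
        print("no configured resolver is in snort2c")
        return
    for label, (ip, entry) in hits.items():
        print("%s (%s) is blocked by table entry %s" % (label, ip, entry))
    print("to release now:")
    for cmd in release_commands(hits):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

Run with no stdin attached it evaluates the constructed sample, which flags both OpenDNS and the SBS server. Releasing the entry only buys time; the durable fix is the one the poster landed on (uncheck block offenders) or, if blocking is wanted, adding the LAN DNS server and the upstream forwarders to the Snort package's whitelist so they are never inserted into snort2c.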

