How to setup Windows DNS server behind pfsense router?



  • Has anyone managed to setup a Windows DNS server behind a pfsense router?

    I am having an issue where my Windows server is able to ping internet addresses (i.e. google.com, microsoft.com) and obtain an IP address; however, the ping request itself times out.  In addition, the Windows DNS server itself is unable to browse the web or access the internet.  Addresses are resolving to their numeric values, which is a good sign.  This occurs when pfsense's DHCP server is disabled.

    My pfsense box has a static LAN IP of 192.168.0.1.  It's behind a cable modem obtaining a WAN IP via DHCP.

    If I enable pfsense's DHCP server and set my Windows server to obtain its LAN IP via DHCP from the pfsense box, it can browse the internet without issue.

    I even have a NAT outbound rule allowing any LAN access to any WAN so there are no port restrictions.

    Any guidance would be appreciated.  Thanks.



  • I would think many have, especially those with a domain. Those also have to have static IPs. I know that I have that setup. I think perhaps that the error is in the manual config or with an ARP entry. With the manual setup, are you matching the subnet and gateway of the system when it is set up with DHCP? Also, are you using the local host as your DNS server in your manual config? It might resolve and serve others on the network, but not itself. Perhaps you could also give a bit more details.



  • Thanks Podilarius.  I actually have a rather simple setup.  Let me try to describe, but ask any questions you'd like.

    Running pfSense 2.0.1-release with two NIC interfaces: WAN and LAN.  The pfSense box is sitting behind an SB6120 DOCSIS 3.0 cable modem.
    WAN is obtaining its IP by DHCP from the cable modem.
    LAN is set to a static IP of 192.168.0.1, subnet 255.255.255.0.

    If I enable the LAN DHCP server on pfsense and define a range, my Windows server will access the internet without issue when set to obtain IP and DNS automatically (ipv4).

    I noticed that once I disable the LAN DHCP server and set my Windows server with a static address as follows, I immediately lose internet access.  In other words, the Windows machine no longer has inbound or outbound internet access, but can access the LAN without any issues.

    Windows server IP: 192.168.0.5
    Subnet: 255.255.255.0
    Gateway: 192.168.0.1 (the pfsense box)

    Primary DNS: 127.0.0.1
    Alternate DNS: 192.168.0.1 (pfsense box)

    Note that this is before I even add the DHCP role or configure the DNS role on the Windows domain server.  FWIW, it appears I can nslookup and ping addresses from the server, so it must have enough access to the internet to resolve addresses.  However, no web or ping attempts ever leave my LAN to the internet.  Web browsing also doesn't work, despite IE security being disabled.



  • What is the IP address and subnet mask of your pfSense WAN interface? It had better be in a different subnet from your LAN interface!

    How do you know your ping attempts don't leave the LAN? (Perhaps they leave the LAN but the responses don't come back to the LAN because your WAN and LAN interfaces are in the same subnet.)



  • @wallabybob:

    What is the IP address and subnet mask of your pfSense WAN interface? It had better be in a different subnet from your LAN interface!

    How do you know your ping attempts don't leave the LAN? (Perhaps they leave the LAN but the responses don't come back to the LAN because your WAN and LAN interfaces are in the same subnet.)

    wallabybob, my WAN is obtaining its IP by way of DHCP from my ISP.  I don't believe it's on the same subnet as my LAN.  What is the quickest way to tell?


  • LAYER 8 Global Moderator

    "Primary DNS: 127.0.0.1"
    "Note that this is before I even add the DHCP role or configure the DNS role on the Windows domain server."

    So why would you be pointing it to itself for DNS, if you have not configured the DNS role on it yet?

    So are you going to want the Windows box to forward to your ISP, pfSense, Google DNS, OpenDNS, etc.?  Or do you want it to use the root hints and look up DNS on its own for your network?

    Are you planning on setting up AD on this windows server?

    What do you want your Windows box to do DNS for?  Is it going to be set up for AD?

    Here is the thing: the default rules in pfSense block NO access outbound.  So you could query Google DNS, OpenDNS, 4.2.2.2 or the roots if you want, be it as a client, be it as a name server itself with clients doing recursive queries to it.

    You need to understand what Windows DNS is going to be doing, be it forwarding requests it is not authoritative for or using root.hints.

    There is really nothing special to do on pfSense to allow you to do that.  I have both a Windows and a Linux box set up as nameservers if I want to query them locally; both use root.hints, or I can query pfSense and it forwards to my ISP DNS (Comcast).

    Generally speaking there is little reason to point to more than 1 nameserver.  Why are you pointing to 127.0.0.1 if you have not set up DNS on that box yet?



  • Johnpoz, thanks for your questions.

    Sorry for the confusion. My Windows server is running Active Directory and hosting a domain for my home network.  I'd like to have the server be both the authoritative DNS and DHCP server for my network instead of pfSense.  In other words, have the Windows server issue all DHCP IP addresses for my LAN and resolve all LAN DNS requests.

    I was able to set up DNS on the Windows server and enter into the forwarders my pfSense box as well as my ISP's 6 DNS servers.  The Windows server can also successfully resolve these numeric IPs to their names (i.e. cdns1.cox.net, etc.).  However, it seems pfSense is somehow preventing the Windows server itself from accessing the internet.  Perhaps it's because the DHCP server on the Windows server itself isn't able to successfully issue the Win box a DHCP address.

    In my pfsense general settings, I've kept:

    hostname:pfsense
    domain: localdomain (my windows home domain is home.local)
    DNS servers are: 68.105.28.11, 68.105.28.12, etc (Cox ISP DNS)
    checked - allow DNS server list to be overridden by DHCP/PPP on WAN
    checked - do not use the DNS forwarder as a DNS server for the firewall



  • @miles267:

    my WAN is obtaining its IP by way of DHCP from my ISP.  I don't believe it's on the same subnet as my LAN.  What is the quickest way to tell?

    In the pfSense web GUI: Status -> Interfaces
    From the pfSense shell: `/etc/rc.banner` or `ifconfig`



  • Thanks.  OK - I've confirmed that my WAN and LAN IPs are on different subnets.

    WAN IP subnet mask: 255.255.255.128
    LAN IP subnet mask: 255.255.255.0


  • LAYER 8 Global Moderator

    If your server is running AD DNS, then you shouldn't be pointing to pfSense as DNS on it, nor should any members be pointing to anything other than your AD DNS (this Windows server).

    If you set up pfSense as a forwarder on Windows, why would you also point to your ISP servers?  If you want to use pfSense that is fine, but why then use your ISP?  pfSense would be asking them anyway.

    Again, there is NOTHING in the default LAN rules that prevents any sort of internet access from any client on your LAN network.  So unless you have messed up your netmask or something on the server when you set it static, there is nothing different about being DHCP or static for accessing the internet.

    Do a simple ping from the client/server that you set up as static to your pfSense LAN IP, then outside to 8.8.8.8 (Google DNS) or something.

    Then do a query to something outside via nslookup or dig on the client; can it resolve?

    Have you adjusted the default LAN rules?  Are you using Squid or something (proxy)?  Are you doing anything with static ARP in the DHCP server in pfSense?

    There is nothing saying pfSense has to be DHCP or DNS to route and NAT traffic to the internet for you.  I was at one point set up where Windows was my DNS and DHCP.  Click click and you should be up and running, unless you're doing something wrong with your DHCP scope or static settings that put them on a different network than the pfSense LAN.  Or you have misconfigured DNS or have made some changes to the default LAN rules on pfSense.



  • @miles267:

    I've confirmed that my WAN and LAN IPs are on different subnets.

    You have confirmed they have different subnet masks!

    You need both the IP address AND subnet mask to determine if they are on different subnets. Please provide the IP addresses as well.



  • Oops. sorry.

    My LAN interface IP of the pfSense box is 192.168.0.1 (subnet mask: 255.255.255.0)
    WAN IP: 70.166.137.16 (subnet mask: 255.255.255.128)

    Also, I confirmed that under NAT-Outbound my default rule 'Auto created rule for LAN to WAN' is set to:

    Source: Network
    Address: 192.168.0.0 /24

    Destination: any



  • The setup sounds good. For a test, use the DNS server on the pfSense machine as your DNS and see if you are able to get to the internet. Also, when you are set up statically, traceroute to 8.8.8.8 to see if you can get out via IP and not based on name. Are you running any packages?



  • Podilarius, thanks for your help!  It appears I was able to resolve this issue now, and I am able to successfully use 192.168.0.1 (my pfSense box LAN IP) or the Google DNS IPs in the DNS forwarder tab on my Windows server.



  • @miles267, I have the same problem as yours. Can you explain further what you did to solve your issue? Your reply is greatly appreciated. Thanks.


  • LAYER 8 Global Moderator

    @rtabique - miles267 had an issue where he was trying to use INVALID static public IPs on his WAN and setting up 1:1 NAT to these IPs that were not working!!  So any IP he set up a 1:1 NAT for to use these bad public IPs is not going to talk on the internet.  But if it got a DHCP address and was using a different private IP that was set up in the 1:1, it used his DHCP WAN IP address and worked just fine.

    He spread his issue across 3 different threads, all about the same problem!!!  So you might think your problem is related to his when it is in fact something completely different.

    I find it highly unlikely you're also using bad static IPs from your ISP while also trying to use DHCP on your WAN interface, while also doing 1:1 NATs to these bad IPs? ;)

    Your best bet is to start your own thread and describe the issue you're having.

