How to use a Windows DHCP Server on LAN instead of pfSense DHCP Server?



  • I cannot quite figure out how to do this and was hoping someone might be able to assist.  I've installed the DHCP role on my Windows 2012 server.  No issue.

    I have a simple home network.  1 WAN interface obtaining DHCP IP from cable modem.  1 LAN interface on which I'd like to have Windows server issue DHCP addresses.

    I'd like to replace the pfsense DHCP server on my LAN interface with that of the Windows server box.  However, once I do this, the windows server no longer has access to the internet (only the LAN).  In other words, I can no longer browse the internet from the server to test connectivity.

    My pfsense box is static on 192.168.0.1.  More specifically, if I set my Windows Server DHCP scope to 192.168.0.10-20, subnet 255.255.255.0.  Then assign my Windows server a static IP of 192.168.0.5, subnet 255.255.255.0, gateway of 192.168.0.1 (my pfsense box LAN address) and primary DNS 127.0.0.1, alternate DNS 192.168.0.1 (my pfsense gateway), my server can no longer access the internet.

    Whereas, if I re-enable pfsense DHCP server on my LAN and set the server to automatically obtain an IP and DNS IP, I can once again access the internet from the server itself.

    It was my understanding that I'd need to disable DHCP on my LAN but haven't had any luck.



  • A few steps.

    1. Disable pfsense DHCP for LAN
    2. Enable DHCP from Windows
      2.1) Add gateway knowledge (IP of your pfsense LAN) to your Windows DHCP settings
      2.2) Check what DNS servers your scope sends

  • LAYER 8 Global Moderator

    "primary DNS 127.0.0.1, alternate DNS 192.168.0.1 (my pfsense gateway), my server can no longer access the internet."

    And again – you don't want an alternative DNS setting here.  If your Windows server is running DNS for AD, then it needs to ONLY POINT TO ITSELF!!  Is DNS listening on 127.0.0.1, or is it only listening on 192.168.0.5?

    Now where is the screenshot of your nameserver setup in Windows - it forwards where?  Point it to 8.8.8.8 and 8.8.4.4 for now!!

    Before you do that, on your Windows server, once you have set it to static (which it HAS to BE to run a DHCP server), do some simple connectivity tests.  Can it ping pfsense (192.168.0.1)?  Can it query outside DNS?

    So attached is a couple of tests all in one window - you can see I'm static, pointing to localhost for DNS (127.0.0.1); you can make sure DNS is listening on that via netstat -an.

    You can see that I can ping my pfsense box 192.168.1.253, I'm on .15 with /24 and my DNS is 127.0.0.1.  And I have set up Windows DNS to forward to Google DNS for this example.

    This took me like 2 minutes to set up.

    Once you set up static - verify you can ping pfsense, verify you can ping outside pfsense (8.8.8.8 for example), verify you can query outside DNS (for example my nslookup changing server to 8.8.8.8) --- once you have verified connectivity.  If that fails then you must be blocking DNS at the firewall or host firewall?  Then just set up your DNS server in Windows to forward to Google DNS.

    If this works, then we can move to pointing to your ISP DNS or doing root hints.
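    The same sequence of checks as a script, added here as an example and not part of johnpoz's post. It assumes the thread's addresses (pfSense LAN 192.168.0.1, server static on 192.168.0.5 with DNS pointed at 127.0.0.1) and the NetTCPIP, DnsClient and DnsServer modules that ship with Windows Server 2012; the `Check` helper and the closing interpretation lines are my own.

```powershell
# Added example (not from the thread): johnpoz's connectivity checks, run in order
# from the Windows server. Addresses below are the ones used in the thread.
$Gateway   = '192.168.0.1'     # pfSense LAN interface
$OutsideIP = '8.8.8.8'         # something beyond pfSense
$TestName  = 'www.google.com'

# Hypothetical helper: runs a test, prints OK/FAIL, returns a boolean.
function Check($Label, $ScriptBlock) {
    try   { $ok = & $ScriptBlock } catch { $ok = $false }
    Write-Host ('{0,-45} {1}' -f $Label, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return [bool]$ok
}

# 0. Static address with a single default gateway. A DHCP server must not be a DHCP client.
Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } |
    Format-List InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# 1. Is the DNS service actually listening on the loopback address the NIC points to?
#    (Equivalent of the "netstat -an" check in the post.)
$null = Check 'DNS listening on 127.0.0.1:53 (udp)' {
    Get-NetUDPEndpoint -LocalPort 53 | Where-Object { $_.LocalAddress -in '127.0.0.1', '0.0.0.0' }
}

# 2. Layer-3 reachability: inside pfSense, then outside it.
$gw  = Check "ping pfSense $Gateway"  { Test-Connection $Gateway   -Count 2 -Quiet }
$out = Check "ping outside $OutsideIP" { Test-Connection $OutsideIP -Count 2 -Quiet }

# 3. DNS: ask an outside resolver directly (nslookup with server 8.8.8.8), then the local server.
$ext = Check "resolve $TestName via $OutsideIP" { Resolve-DnsName $TestName -Server $OutsideIP -ErrorAction Stop }
$loc = Check "resolve $TestName via 127.0.0.1"  { Resolve-DnsName $TestName -Server 127.0.0.1  -ErrorAction Stop }

# 4. Where does the local DNS server forward? An empty list means root hints only.
Write-Host 'Forwarders:' (Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress)

# Interpretation, matching the troubleshooting order in the post.
if ($gw -and -not $out)  { 'Gateway reachable but nothing beyond it: check pfSense LAN/NAT rules for this host.' }
if ($out -and -not $ext) { 'IP works but outside DNS does not: port 53 is blocked (pfSense or host firewall).' }
if ($ext -and -not $loc) { 'Outside DNS works but the local server does not: fix its forwarders.' }
```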

  • @Metu69salemi:

    A few steps.

    1. Disable pfsense DHCP for LAN
    2. Enable DHCP from Windows
      2.1) Add gateway knowledge (IP of your pfsense LAN) to your Windows DHCP settings
      2.2) Check what DNS servers your scope sends

    I was able to complete steps 1-2 without issue.  However I am unclear on how to do 2.1-2.2.  For example, I know how to add the DHCP role on the Windows server and how to define a DHCP IP scope (range), but I wasn't sure exactly where to add my pfsense/gateway IP address in the DHCP settings on the win server.  For 2.2 I had my Win server DHCP scope set from 192.168.0.10-20 if that is what you mean?
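    Steps 2 through 2.2 expressed with the DhcpServer PowerShell module, added here as an example and not code from the thread. The gateway is scope option 003 (Router) and the DNS servers are option 006; the values are the ones given in the thread (scope 192.168.0.10-20, pfSense at 192.168.0.1, the Windows DNS server at 192.168.0.5), and the scope name is an assumption.

```powershell
# Added example (not from the thread): build the Windows DHCP scope from the original
# post and set the two options the clients need. Requires the DhcpServer module that
# installs with the DHCP role on Windows Server 2012; run on the DHCP server itself.
Import-Module DhcpServer

$ScopeId   = '192.168.0.0'     # network address of the /24 LAN
$Gateway   = '192.168.0.1'     # pfSense LAN address -> option 003 (Router)
$DnsServer = '192.168.0.5'     # the Windows DNS server itself -> option 006 (DNS Servers)

# Step 2: the scope. Range and mask are the ones from the thread.
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'Home LAN' `          # scope name is an assumption
        -StartRange '192.168.0.10' -EndRange '192.168.0.20' `
        -SubnetMask '255.255.255.0' -State Active
}

# Steps 2.1 and 2.2: this is where the gateway and DNS addresses go. Without option
# 003 the clients receive a lease but have no default route to the internet.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway -DnsServer $DnsServer

# Verify what the scope will hand out: option IDs 3 and 6 should appear here.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value

# 192.168.0.5 lies outside the pool, which is correct (the DHCP server must be static).
# If the pool is ever widened over it, exclude it rather than relying on a lease:
# Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 192.168.0.5 -EndRange 192.168.0.5
```

    In an Active Directory domain the server must also be authorized (Add-DhcpServerInDC) before it will hand out leases.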



  • Great news.  Thanks to all of your help, I was able to set up the DNS and DHCP servers on my Windows Server 2012 Essentials box on my home network.

    Now all LAN client PCs are getting DHCP IPs from my Windows server as expected and can access the internet.  However, my Windows server itself is still unable to browse the internet.  I cannot seem to figure out what might be blocking that machine.

    Any suggestions on how to determine that?  It's baffling to me.



  • @miles267:

    is still unable to browse the internet.  I cannot seem to figure out what might be blocking that machine.

    What web site did you attempt to browse? What is reported when you attempt that?

    What is reported when you point your browser to the IP address of the pfSense LAN interface?

    What does the Windows system think is its default gateway?



  • wallabybob, any web site fails just as ping attempts to sites time out.  For example www.google.com, microsoft.com, etc.

    When the server attempts to browse the site, it acts as if the system doesn't have internet access.  In fact, the server box (192.168.0.5) itself appears not to have internet access all around, as other apps (usenet, crashplan, etc.) cannot find an internet connection.

    The system thinks its default gateway is 192.168.0.1.

    FWIW, all other client PCs on my LAN can access the internet fine through the pfsense router, so it must be something specific to this machine.  A tracert to www.google.com from another client PC on my LAN returns:

    Tracing route to www.google.com [74.125.227.146]
    over a maximum of 30 hops:

      1    20 ms    33 ms    13 ms  pfsense.localdomain [192.168.0.1]
      2     *       21 ms    24 ms  10.54.16.1
      3    28 ms    15 ms    26 ms  70.183.68.45
      4    27 ms    28 ms     *     kscydsrj01-ae0.rd.ks.cox.net [70.183.71.85]
      5    34 ms     *       29 ms  70.183.66.246
      6    34 ms     *       33 ms  70.183.71.65
      7     *       33 ms    45 ms  68.1.5.140
      8    43 ms    55 ms    50 ms  72.14.212.233
      9    44 ms    46 ms    33 ms  72.14.233.67
     10     *        *       60 ms  216.239.43.187
     11    54 ms    41 ms    45 ms  dfw06s17-in-f18.1e100.net [74.125.227.146]

    Trace complete.

    A tracert from the server (192.168.0.5) to www.google.com goes to pfsense.localdomain, then times out.  Doesn't appear to leave the router?


  • LAYER 8 Global Moderator

    But you say it works if it's DHCP.  You sure you're not blocking .5 in your LAN rules?  Or are you doing something wrong with NAT and the .5 address?



  • OK - so after additional troubleshooting, it appears that as soon as I add a NAT > 1:1 mapping from one of my ISP's static public IPs to my Windows server box at 192.168.0.5, 192.168.0.5 loses outbound internet access.

    If I then reboot pfsense, it restores internet connectivity for 192.168.0.5 for a few minutes but quickly disconnects until rebooted again.  Whereas, if I then remove the 1:1 mapping and reboot, connectivity is once again restored.

    Ultimately, I am wanting to register one of my static ISP public IPs to my 192.168.0.5 so that I can RDP into the server from the internet by way of its ISP public IP.

    Should I be doing this differently?


  • LAYER 8 Global Moderator

    So do you have static IPs?  Thought you said you got your IPs from your cable modem via DHCP?

    Accessing your server behind pfsense does not require a 1:1 NAT - just port forward 3389 (remote desktop) to your server's private IP.

    I would suggest you VPN to your pfsense box, and then you can access whatever you want on the inside of your pfsense.  A VPN is going to be more secure than just RDP open to the public.



  • Yes - I apologize for the confusion.  My ISP has issued me 5 static IPs.  Call them 200.x.x.1, 200.x.x.2, etc.

    Prior to using my Windows Server (LAN IP 192.168.0.5) as a DHCP and DNS server, I used pfsense's built-in DHCP server.  At that time, I was able to:

    1.) Set up Virtual IPs of 200.x.x.1, 200.x.x.2, etc. (I used the IP Alias option there)
    2.) Go into NAT > 1:1 and map a WAN IP to a LAN IP.  For example: 200.x.x.1 would point to 192.168.0.5
    3.) Use Firewall > Rules (WAN) to define ports so that WAN access to 200.x.x.1:3389 would go to 192.168.0.5:3389

    However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5.  For example, if I now point NAT > 1:1 of 200.x.x.2 to 192.168.0.5 for FTP, web access, etc., suddenly the 192.168.0.5 box can no longer access the internet until I remove the NAT > 1:1 mapping.

    Can't figure out how to point public static IP 200.x.x.1 to 192.168.0.5 without using Virtual IP and a NAT 1:1 mapping.  Perhaps under Virtual IP I should be using CARP or something other than IP Alias, but I'm a bit unclear.  Hope this helps.  Thanks again!



  • @miles267:

    However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5.

    It is hard for me to imagine how enabling/disabling DHCP server on LAN would allow/block internet access from 192.168.0.5. Perhaps there is something else you are doing that you haven't told us yet.


  • LAYER 8 Global Moderator

    "1 WAN interface obtaining DHCP IP from cable modem."
    "My ISP has issued me 5 static IPs.  Call them 200.x.x.1, 200.x.x.2, etc."

    You sure about that??  That your static IPs are active?  Are they in the same segment as the IP you get via DHCP?  Normally if you got static IPs from your ISP you wouldn't be using DHCP on your WAN interface but static with one of the IPs you got.

    I am thinking you're getting, say, a 24.13 or something address via DHCP, and then you're trying to use a 200. address as your public for your 1:1 – which is probably not going to work.

    Set up pfsense with the first IP in your static block -- get that working, then you can do your 1:1 setup.

    I have never ever heard of using DHCP on WAN, and then adding static assigned IPs??  Makes no sense at all.



  • @johnpoz:

    That your static IPs are active?

    It would be a problem with 1:1 NAT if those static IPs were inactive. But this setup supposedly works if the DHCP server is enabled on the pfSense LAN! How does the DHCP server affect ISP routing to those static IPs?  :)

    @johnpoz:

    I have never ever heard of using DHCP on WAN, and then adding static assigned IPs??  Makes no sense at all.

    Always get the same address from DHCP?


  • LAYER 8 Global Moderator

    You're not using .5 when you're DHCP now, are you - so that 1:1 NAT would not be active.

    Are you saying you set up the 1:1 NAT with the DHCP address you get and that works??

    I just don't see how your WAN is DHCP and then you're adding static VIPs to that..  That just makes no sense at all!



  • Sorry, to clarify, 192.168.0.5 is my win server.  So it's my DHCP and DNS server address.  My LAN DHCP range is 192.168.0.10-20.
    Should .5 be a reservation within my DHCP range?  In other words, 192.168.0.5-20?


  • LAYER 8 Global Moderator

    No, that has nothing to do with your issue, which is your 1:1 NAT on a static while your WAN interface is using DHCP.  When you use DHCP you're getting, say, .10, which is not using your 1:1 NAT to your static that doesn't work.  Which would then prevent your Windows server from going out when using the 1:1 NAT that is not working.



  • Turns out my original set of static IPs from my ISP were bad all along.  They've since issued me a new block of 5 IPs.  The first static IP in the series has been accepted by pfsense WAN interface (static) as expected along with the netmask and gateway.  All the issues that previously "didn't make sense" were due to the invalid static IPs I had been issued.

    Not only am I back online with a static WAN IP, but my NAT 1:1 mapping is working with the other static IPs in the range as I had hoped.

    Thanks to everyone for helping me to determine the root cause of the issue.



  • @miles267:

    Turns out my original set of static IPs from my ISP were bad all along.

    That explains why it didn't work. However it doesn't explain why it worked/didn't work according to whether the pfSense DHCP server was disabled/enabled. Can you explain that?


  • LAYER 8 Global Moderator

    Yeah it does, because he's using DHCP for his WAN IP.  This worked, but he was setting his 1:1 NAT to some static that was not valid.  So when he set the IP to .5, for which the 1:1 NAT does not work, it failed.

    When set to DHCP and it got a .10 address, no 1:1 NAT applied, and it used his DHCP-gotten WAN IP to get to the internet, which worked just fine.



  • @johnpoz:

    Yeah it does, because he's using DHCP for his WAN IP.  This worked, but he was setting his 1:1 NAT to some static that was not valid.  So when he set the IP to .5, for which the 1:1 NAT does not work, it failed.

    When set to DHCP and it got a .10 address, no 1:1 NAT applied, and it used his DHCP-gotten WAN IP to get to the internet, which worked just fine.

    Thanks.

