    How to use a Windows DHCP Server on LAN instead of pfSense DHCP Server?

miles267:

I cannot quite figure out how to do this and was hoping someone might be able to assist.  I've installed the DHCP role on my Windows 2012 server.  No issue.

I have a simple home network.  1 WAN interface obtaining DHCP IP from cable modem.  1 LAN interface on which I'd like to have Windows server issue DHCP addresses.

I'd like to replace the pfsense DHCP server on my LAN interface with that of the Windows server box.  However, once I do this, the Windows server no longer has access to the internet (only the LAN).  In other words, I can no longer browse the internet from the server to test connectivity.

My pfsense box is static on 192.168.0.1.  More specifically, if I set my Windows Server DHCP scope to 192.168.0.10-20, subnet 255.255.255.0, then assign my Windows server a static IP of 192.168.0.5, subnet 255.255.255.0, gateway of 192.168.0.1 (my pfsense box LAN address) and primary DNS 127.0.0.1, alternate DNS 192.168.0.1 (my pfsense gateway), my server can no longer access the internet.

Whereas, if I re-enable pfsense DHCP server on my LAN and set the server to automatically obtain an IP and DNS IP, I can once again access the internet from the server itself.

It was my understanding that I'd need to disable DHCP on my LAN but haven't had any luck.

Metu69salemi:

A few steps.

1. Disable pfsense DHCP for LAN
2. Enable DHCP from Windows
  2.1) Add gateway knowledge (IP of your pfsense LAN) to your Windows DHCP settings
  2.2) Check what DNS servers your scope sends

johnpoz (LAYER 8 Global Moderator):


"primary DNS 127.0.0.1, alternate DNS 192.168.0.1 (my pfsense gateway), my server can no longer access the internet."

And again – you don't want an alternate DNS setting here.  If your Windows server is running DNS for AD, then it needs to ONLY POINT TO ITSELF!!  Is DNS listening on 127.0.0.1, or is it only listening on 192.168.0.5?

Now where is the screenshot of your nameserver setup in Windows - it forwards where?  Point it to 8.8.8.8 and 8.8.4.4 for now!!

Before you do that, on your Windows server, once you have set it to static - which it HAS to BE to run a DHCP server - do some simple connectivity tests.  Can it ping pfsense (192.168.0.1)?  Can it query outside DNS?

So attached is a couple of tests all in one window - you can see I'm static, pointing to localhost for DNS (127.0.0.1); you can make sure DNS is listening on that via netstat -an.

You can see that I can ping my pfsense box 192.168.1.253, I'm on .15 with /24 and my DNS is 127.0.0.1.  And I have set up Windows DNS to forward to Google DNS for this example.

This took me like 2 minutes to set up.

Once you set up static - verify you can ping pfsense, verify you can ping outside pfsense (8.8.8.8 for example), verify you can query outside DNS, for example my nslookup changing server to 8.8.8.8 --- once you have verified connectivity.  If that fails then you must be blocking DNS at the firewall or host firewall?  Then just set up your DNS server in Windows to forward to Google DNS.

If this works, then we can move to pointing to your ISP DNS or doing root hints.

[Attachments: ipconfig2k8.jpg (ipconfig, netstat and nslookup in one window), forwarders2k8.jpg (Windows DNS forwarders set to Google DNS)]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

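The checks in the post above, put into one script. This is an added example, not code from the thread or from johnpoz: it sets the Windows DHCP/DNS box to a static address with pfSense as its gateway, points the box's DNS client only at itself (no alternate server), shows what the machine believes its default gateway is and which addresses the DNS Server service is listening on, then runs the ping and DNS tests in the order the post gives them, stopping at the first failure so the broken layer is obvious. Addresses are the thread's (192.168.0.5 server, 192.168.0.1 pfSense LAN, 8.8.8.8 outside); the interface alias 'Ethernet' is an assumption. The cmdlets come with the DHCP and DNS Server roles on Windows Server 2012 and later and need an elevated PowerShell session.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ with the
# DNS Server role installed and an interface named 'Ethernet' (assumption).
#Requires -RunAsAdministrator
$ifAlias = 'Ethernet'      # assumption: adjust to Get-NetAdapter output
$self    = '192.168.0.5'   # this server's static LAN address (from the thread)
$pfSense = '192.168.0.1'   # pfSense LAN address = default gateway
$outside = '8.8.8.8'       # a resolver beyond pfSense, used to test the path out

# Static address with pfSense as gateway. The DNS client points ONLY at the
# server itself: no alternate DNS server, as the post insists.
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $self -PrefixLength 24 -DefaultGateway $pfSense
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $self

# What does this box think its default gateway is? (should show NextHop 192.168.0.1)
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop

# Is the DNS Server service listening on port 53, and on which addresses?
# A LocalAddress of 0.0.0.0 covers 127.0.0.1 and 192.168.0.5; if only
# 192.168.0.5 is listed, a client pointed at 127.0.0.1 will not get answers.
Get-NetUDPEndpoint -LocalPort 53 | Select-Object LocalAddress, LocalPort
Get-NetTCPConnection -LocalPort 53 -State Listen | Select-Object LocalAddress, LocalPort

# Connectivity tests in the order the post gives them. Each one depends on the
# previous: LAN reachability, then routing/NAT through pfSense, then DNS.
$checks = @(
    @{ Name = 'ping pfSense LAN';      Test = { Test-Connection $pfSense -Count 2 -Quiet } },
    @{ Name = 'ping beyond pfSense';   Test = { Test-Connection $outside -Count 2 -Quiet } },
    @{ Name = 'DNS query to outside';  Test = { [bool](Resolve-DnsName 'www.google.com' -Server $outside -Type A -ErrorAction SilentlyContinue) } },
    @{ Name = 'DNS query via itself';  Test = { [bool](Resolve-DnsName 'www.google.com' -Server $self -Type A -ErrorAction SilentlyContinue) } }
)
foreach ($c in $checks) {
    $ok = & $c.Test
    '{0,-22} {1}' -f $c.Name, $(if ($ok) { 'OK' } else { 'FAIL' })
    if (-not $ok) { break }   # the first failing layer is the one to investigate
}

# Forward unresolved queries to Google DNS for now, as the post suggests;
# later this can be swapped for the ISP's resolvers or removed to use root hints.
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4 -PassThru
```

If 'ping pfSense LAN' passes but 'ping beyond pfSense' fails, the problem is on the pfSense side (LAN rules, outbound NAT or, as this thread eventually found, a 1:1 NAT mapping to an address the ISP was not routing), not on the Windows box. If only the last check fails, the DNS Server service is up but cannot resolve: look at its forwarders or at what is blocking its outbound port 53.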
miles267:


@Metu69salemi:

  few steps.

  1. Disable pfsense dhcp for lan
  2. Enable dhcp from windows
    2.1) Add gateway knowledge(ip of your pfsense lan) to your win dhcp settings
    2.2) Check what dns-servers your scope sends

I was able to complete steps 1-2 without issue.  However I am unclear on how to do 2.1-2.2.  For example, I know how to add the DHCP role on the Windows server and how to define a DHCP IP scope (range), but I wasn't sure exactly where to add my pfsense/gateway IP address in the DHCP settings on the Windows server.  For 2.2 I had my Windows server DHCP scope set from 192.168.0.10-20 if that is what you mean?

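Steps 2.1 and 2.2 from Metu69salemi's list, as the question above asks about, are DHCP scope options: the gateway is option 003 (Router) and the DNS servers the scope hands out are option 006 (DNS Servers). The following is an added example, not code from the thread, showing the same configuration done with the DhcpServer PowerShell module on Windows Server 2012 and later instead of the DHCP console. It uses the thread's addresses (pool 192.168.0.10-20, pfSense LAN 192.168.0.1 as gateway, the Windows box 192.168.0.5 as the only DNS server); the scope name 'LAN' and the domain name 'home.local' are assumptions.

```powershell
# Added example (not from the thread). Requires the DHCP Server role and an
# elevated session on Windows Server 2012+.
#Requires -RunAsAdministrator
Import-Module DhcpServer

$pfSenseLan = '192.168.0.1'   # pfSense LAN address: the default gateway clients should get
$winServer  = '192.168.0.5'   # this server's static address, and the only DNS server to hand out
$scopeId    = '192.168.0.0'   # scope is identified by its network address
$mask       = '255.255.255.0'

# Step 2: the pool itself, 192.168.0.10-20. Both .1 (pfSense) and .5 (this
# server) lie outside the range, so they can never be leased to a client.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.0.10 -EndRange 192.168.0.20 `
    -SubnetMask $mask -State Active

# Step 2.1: "gateway knowledge" = option 003 Router at scope level.
# Step 2.2: the DNS servers the scope sends = option 006. Only the Windows DNS
# server is listed, so clients resolve through it and it forwards outward.
# -Force skips the cmdlet's check that the DNS server answers, which is useful
# while forwarders are not yet configured.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $pfSenseLan -DnsServer $winServer `
    -DnsDomain 'home.local' -Force   # domain name is an assumption

# If the server's address ever had to sit inside the pool, exclude it explicitly:
# Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 192.168.0.5 -EndRange 192.168.0.5

# On a domain-joined server the DHCP service also has to be authorized in AD
# before it will lease addresses:
# Add-DhcpServerInDC -DnsName 'server.home.local' -IPAddress $winServer   # names are assumptions

# Verify what the scope will actually send: options 3 and 6 should show the
# gateway and DNS values set above.
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Format-Table OptionId, Name, Value -AutoSize
```

Once a client renews its lease, ipconfig /all on that client should list 192.168.0.1 as Default Gateway and 192.168.0.5 as the only DNS server; if 192.168.0.1 still appears as a DNS server, an option set at server level rather than scope level is overriding the scope.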
miles267:


Great news.  Thanks to all of your help, I was able to set up the DNS and DHCP servers on my Windows Server 2012 Essentials box on my home network.

Now all LAN client PCs are getting DHCP IPs from my Windows server as expected and can access the internet.  However, my Windows server itself is still unable to browse the internet.  I cannot seem to figure out what might be blocking that machine.

Any suggestions on how to determine that?  It's baffling to me.

wallabybob:


@miles267:

  is still unable to browse the internet.  I cannot seem to figure out what might be blocking that machine.

What web site did you attempt to browse? What is reported when you attempt that?

What is reported when you point your browser to the IP address of the pfSense LAN interface?

What does the Windows system think is its default gateway?

miles267:


wallabybob, any web site fails, just as ping attempts to sites time out.  For example www.google.com, microsoft.com, etc.

When the server attempts to browse the site, it acts as if the system doesn't have internet access.  In fact, the server box (192.168.0.5) itself appears not to have internet access all around, as other apps (usenet, crashplan, etc.) cannot find an internet connection.

The system thinks its default gateway is 192.168.0.1.

FWIW, all other client PCs on my LAN can access the internet fine thru the pfsense router so it must be something specific to this machine.  A tracert to www.google.com from another client PC on my LAN returns:

Tracing route to www.google.com [74.125.227.146]
over a maximum of 30 hops:

  1    20 ms    33 ms    13 ms  pfsense.localdomain [192.168.0.1]
  2    *      21 ms    24 ms  10.54.16.1
  3    28 ms    15 ms    26 ms  70.183.68.45
  4    27 ms    28 ms    *    kscydsrj01-ae0.rd.ks.cox.net [70.183.71.85]
  5    34 ms    *      29 ms  70.183.66.246
  6    34 ms    *      33 ms  70.183.71.65
  7    *      33 ms    45 ms  68.1.5.140
  8    43 ms    55 ms    50 ms  72.14.212.233
  9    44 ms    46 ms    33 ms  72.14.233.67
 10    *        *      60 ms  216.239.43.187
 11    54 ms    41 ms    45 ms  dfw06s17-in-f18.1e100.net [74.125.227.146]

Trace complete.

A tracert from the server (192.168.0.5) to www.google.com goes to pfsense.localdomain then times out.  Doesn't appear to leave the router?

johnpoz:


But you say it works if it's DHCP.  You sure you're not blocking .5 in your LAN rules?  Or are you doing something wrong with NAT and the .5 address?

miles267:


OK - so after additional troubleshooting, it appears that as soon as I add a NAT > 1:1 mapping from one of my ISP's static public IPs to my Windows server box of 192.168.0.5, the 192.168.0.5 is losing outbound internet access.

If I then reboot pfsense, it restores internet connectivity for 192.168.0.5 for a few minutes but quickly disconnects until rebooted again.  Whereas, if I then remove the 1:1 mapping and reboot, connectivity is once again restored.

Ultimately, I am wanting to register one of my static ISP public IPs to my 192.168.0.5 so that I can RDP into the server from the internet by way of its ISP public IP.

Should I be doing this differently?

johnpoz:


So do you have static IPs?  Thought you said you got your IPs from your cable modem via DHCP?

Accessing your server behind pfsense does not require a 1:1 NAT - just port forward 3389 (remote desktop) to your server's private IP.

I would suggest you VPN to your pfsense box, and then you can access whatever you want on the inside of your pfsense.  VPN is going to be more secure than just RDP open to the public.

miles267:


Yes - I apologize for the confusion.  My ISP has issued me 5 static IPs.  Call them 200.x.x.1, 200.x.x.2, etc.

Prior to using my Windows Server (LAN IP 192.168.0.5) as a DHCP and DNS server, I used pfsense's built-in DHCP server.  At that time, I was able to:

1.) set up Virtual IPs of 200.x.x.1, 200.x.x.2, etc. (I used the IP Alias option there)
2.) Go into NAT > 1:1 and map a WAN IP to a LAN IP.  For example: 200.x.x.1 would point to 192.168.0.5
3.) Use Firewall > Rules (WAN) to define ports so that WAN access to 200.x.x.1:3389 would go to 192.168.0.5:3389

However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5.  For example, if I now point NAT > 1:1 of 200.x.x.2 to 192.168.0.5 for FTP, web access, etc., suddenly the 192.168.0.5 box can no longer access the internet until I remove the NAT > 1:1 mapping.

Can't figure out how to point public static IP 200.x.x.1 to 192.168.0.5 without using Virtual IP and a NAT 1:1 mapping.  Perhaps under Virtual IP I should be using CARP or something other than IP Alias, but I'm a bit unclear.  Hope this helps.  Thanks again!

wallabybob:


@miles267:

  However, since I've disabled pfsense's DHCP server in favor of running DHCP on 192.168.0.5, when I try to do this, it completely blocks all internet access (both directions) to 192.168.0.5.

It is hard for me to imagine how enabling/disabling DHCP server on LAN would allow/block internet access from 192.168.0.5. Perhaps there is something else you are doing that you haven't told us yet.

johnpoz:


"1 WAN interface obtaining DHCP IP from cable modem."
"My ISP has issued me 5 static IPs.  Call them 200.x.x.1, 200.x.x.2, etc."

You sure about that??  That your static IPs are active?  Are they in the same segment as the IP you get via DHCP?  Normally if you got static IPs from your ISP you wouldn't be using DHCP on your WAN interface but static with one of the IPs you got.

I am thinking you're getting say a 24.13 or something address via DHCP, and then you're trying to use a 200. address as your public for your 1:1 – which is probably not going to work.

Set up pfsense with the first IP in your static block -- get that working, then you can do your 1:1 setup.

I have never ever heard of using DHCP on WAN, and then adding static assigned IPs??  Makes no sense at all.

wallabybob:


@johnpoz:

  That your static IPs are active?

It would be a problem with 1:1 NAT and those static IPs inactive. But this setup supposedly works if DHCP server is enabled on pfSense LAN! How does DHCP server affect ISP routing to those static IPs?  :)

@johnpoz:

  I have never ever heard of using dhcp on wan, and then adding static assigned IPs??  Makes no sense at all.

Always get the same address from DHCP?

johnpoz:


You're not using .5 when you're on DHCP now, are you - so that 1:1 NAT would not be active.

Are you saying you set up the 1:1 NAT with the DHCP address you get and that works??

I just don't see how your WAN is DHCP and then you're adding static VIPs to that..  That just makes no sense at all!

miles267:


Sorry, to clarify, 192.168.0.5 is my Windows server.  So it's my DHCP and DNS server address.  My LAN DHCP range is 192.168.0.10-20.
Should .5 be a reservation within my DHCP range?  In other words, 192.168.0.5-20?

johnpoz:


No, that has nothing to do with your issue of your 1:1 NAT on a static while your WAN interface is using DHCP.  When you use DHCP you're getting say .10, which is not using your 1:1 NAT to your static that doesn't work.  Which would then prevent your Windows server from going out when using the 1:1 NAT that is not working.

miles267:


Turns out my original set of static IPs from my ISP were bad all along.  They've since issued me a new block of 5 IPs.  The first static IP in the series has been accepted by pfsense WAN interface (static) as expected along with the netmask and gateway.  All the issues that previously "didn't make sense" were due to the invalid static IPs I had been issued.

Not only am I back online with a static WAN IP, but my NAT 1:1 mapping is working with the other static IPs in the range as I had hoped.

Thanks to everyone for helping me to determine the root cause of the issue.

wallabybob:


@miles267:

  Turns out my original set of static IPs from my ISP were bad all along.

That explains why it didn't work. However it doesn't explain why it worked/not worked according to whether pfSense DHCP server was disabled/enabled. Can you explain that?

johnpoz:


Yeah it does, because he's using DHCP for his WAN IP.  This worked, but he set his 1:1 NAT to some static that was not valid.  So when he set it to .5 with the 1:1 NAT, it does not work.

When set to DHCP and he got the .10 address, no 1:1 NAT, and he used his DHCP-obtained WAN IP to get to the internet, it worked just fine.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.