Netgate Discussion Forum

    DNS & DHCP over Server 2003

    DHCP and DNS

    IGM82

      Hi,

      I've recently deployed a pfSense installation without DHCP or DNS services, because these services are going to be running on 2 DCs with Server 2003.

      What is necessary to do on the DCs & pfSense for the computers to make them accessible to the internet through pfSense? With manual IP and DNS configuration, it's possible to do this.
      On pfSense, I have the WAN configured with 2 DNS IP addresses from the ISP, but I don't know if this is correct.

      Thank you in advance!

      johnpoz (LAYER 8 Global Moderator)

        So you want your 2k3 DHCP clients to be able to use the internet via pfSense, and, using the DNS of your 2k3 boxes, look up, say, www.pfsense.org, etc.

        Well, what is the IP address of your pfSense LAN? Let's call it 192.168.1.1/24, and let's say your DCs are 192.168.1.2 and .3, and let's say your clients get 192.168.1.10-200 as their IPs.

        So on the DHCP scope you need to set pfSense as your gateway/router, 192.168.1.1, and the IPs of your DCs running DNS as the clients' DNS, so 192.168.1.2 and .3.

        On your 2k3 DCs you need to set up DNS to either directly ask the roots, or forward to your ISP DNS, OpenDNS, Google DNS, etc.

        There you go - done.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        IGM82

          Easy! Thank you for your answer!

          It's done but it fails… The DHCP service works, giving IP addresses, but there is no access to the internet.
          I've reinstalled the DNS services in both DC servers again properly...  ???
          Is there an additional setup needed in order to make this work?
          Where is the 'logical connection' or 'setup' between the ISP DNS servers and the DCs' DNS servers?

          I've read about Routing & RAS services in the DCs... could this be an additional setup to be done?

          Thanks!

          johnpoz (LAYER 8 Global Moderator)

            No, you don't need any routing/RAS on the DC. You just need to configure your DNS to forward to your ISP DNS, OpenDNS, Google DNS, or the roots directly. And have pfSense allow outbound traffic either to those specific IPs on UDP/TCP 53, or to any on 53.

            I think I have a 2k8 box as a VM I could fire up and show you where to configure the DNS service to forward, if that is your question.

            edit: You know, when you say "I've reinstalled again DNS services in both DC servers properly…", this sounds like you're running Active Directory to me, if when you say DC you mean Domain Controller.

            What is the output of ipconfig /all on one of your clients?

            What is it using for DNS? Can it query, say, your dcname.yourdomain.tld via something as simple as pinging that name?

            You need to configure forwarders on your DNS service - here:
            http://technet.microsoft.com/en-us/library/cc773370%28v=ws.10%29.aspx
            Configure a DNS server to use forwarders

            IGM82

              Hi,

              Finally, it's working now!

              The problem was the outbound traffic rule. I had to enable traffic on UDP/TCP port 53  :)

              When I said 'reinstalling again DNS services', I meant I reinstalled the DNS services without demoting the DCs ;)

              Thank you very much for your help johnpoz.

              johnpoz (LAYER 8 Global Moderator)

                Well, you must have locked down the rules from the default then, because the default rule in pfSense is allow anything from the LAN subnet to ANY.

                IGM82

                  Hi,
                  Now I have:

                  1. PASS. Destination: LAN Address. Ports: 443, 80, 22. Description: Anti-Lockout rule
                  2. PASS. Source: 'ADMIN' alias (which includes my computer)
                  3. PASS. Source: LAN net. Ports: 'General Ports' alias (which includes TCP/UDP ports like 80, 443, 553, 23, 21…)

                  If not indicated, the rest is blocked by default, isn't it?

                  johnpoz (LAYER 8 Global Moderator)

                    If you remove or edit the DEFAULT rule that pfSense sets up out of the box, then yes, you have to allow 53 either to the pfSense dnsmasq or to some outside DNS.

                    But yeah, once you start limiting traffic, if there is not a pass then the default block is there.

                    553 - guessing that is a typo ;)  That sure isn't a typical port.

                    IGM82

                      OK!
                      @johnpoz:

                      553 guessing that is a typo ;)  That sure isn't a typical port.

                      Oops… for sure! I meant 53 of course  ;D

                      Thanks a lot!

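The failure discussed in this thread (a LAN rule set that replaced the default "LAN net to any" pass with a port alias, and an alias that listed 553 instead of 53, so the DCs' forwarders could never reach the upstream resolvers) can be caught before it bites by evaluating the rules offline. The following is an added example, not code from the thread or from pfSense: a small model of pfSense LAN-side rule evaluation (first matching PASS rule wins; anything unmatched falls to the implicit default block) run against a constructed copy of IGM82's rule list. The LAN addressing follows johnpoz's 192.168.1.0/24 layout; the ADMIN workstation (.50) and the upstream resolver addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    desc: str
    src: object = "any"        # "any", a CIDR string, or a set of host IPs
    dst: object = "any"
    ports: tuple = ()          # empty tuple = any destination port
    protos: tuple = ("tcp", "udp")

def _match(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return ip_address(addr) in ip_network(spec)

def first_pass(rules, proto, src, dst, dport):
    """First matching PASS rule wins; no match means the implicit default block."""
    for r in rules:
        if proto in r.protos and _match(r.src, src) and _match(r.dst, dst) \
                and (not r.ports or dport in r.ports):
            return r.desc
    return None

# Constructed to mirror the thread: LAN 192.168.1.0/24, pfSense at .1, DCs at .2/.3.
# The ADMIN member (.50) and the upstream resolver IPs are placeholders.
ADMIN = {"192.168.1.50"}
DCS = ("192.168.1.2", "192.168.1.3")
UPSTREAM = ("203.0.113.53", "203.0.113.54")

def lan_rules(general_ports):
    """IGM82's three LAN rules, parameterised on the 'General Ports' alias."""
    return [
        Rule("Anti-Lockout rule", dst={"192.168.1.1"}, ports=(443, 80, 22), protos=("tcp",)),
        Rule("ADMIN alias", src=ADMIN),
        Rule("General Ports alias", src="192.168.1.0/24", ports=tuple(general_ports)),
    ]

def dns_forwarding_blocked(rules):
    """Return the (dc, resolver, proto) port-53 flows that no rule passes."""
    return [(dc, up, proto) for dc in DCS for up in UPSTREAM for proto in ("udp", "tcp")
            if first_pass(rules, proto, dc, up, 53) is None]

if __name__ == "__main__":
    typo = lan_rules((80, 443, 553, 23, 21))   # the alias as first posted
    fixed = lan_rules((80, 443, 53, 23, 21))   # after the 553 typo was caught
    print("blocked DNS flows with 553:", len(dns_forwarding_blocked(typo)))   # 8
    print("blocked DNS flows with 53: ", len(dns_forwarding_blocked(fixed)))  # 0
```

The ADMIN workstation resolves fine in both cases because its rule passes any port, which is why the problem only shows up on the other clients.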
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.