PfSense + Windows Server



  • Hello,
    I've got a Windows Server 2012 with AD DC, DNS, and DHCP, a pfSense machine with three NICs, and several Windows machines: 1 XP and several 7's.

    What I'm trying to do is:

        Modem <------> pfSense <------> Server 2012
                          ^
                          |
                          v
                         LAN

    I want the Server to manage DHCP, DNS, and the AD DC for the LAN machines. Right now the XP machine can ping the server but the server can't ping the client XP machine. Does anybody have a solution?



  • Make sure you add firewall rules on the Server 2012 tab to allow your traffic from the Server 2012 pfSense subnet to the LAN subnet.
    pfSense isn't like a PIX with a concept of higher and lower security interfaces where traffic is automatically allowed from the higher security to the lower security interfaces.
    You have to define all the traffic you want to allow in the Firewall -> Rules section.



  • I've added all the rules needed and it has moved to Destination host unreachable.



  • Post some IP info.

    Show us the rules you put in.

    Are you seeing blocks in the logs?

    Have you turned off the software firewall on your clients?



  • Why not just put the AD server on the LAN?  No need to make things more difficult than they need to be.



  • @mhab12:

    Why not just put the AD server on the LAN?  No need to make things more difficult than they need to be.

    I like the idea server to be on separated (V)LAN. Firewall rules for server access will go to pfSense, not to Windows Firewall.
    But show your IP and interface info please.



  • @anthix:

    I want the Server to manage DHCP, DNS, and the AD DC for the LAN machines.

    Because the Server is not on the LAN you will need to enable and configure DHCP Relay on pfSense.

    @anthix:

    Right now the XP machine can ping the server but the server can't ping the Client XP Machine.

    The DEFAULT firewall rules allow machines on LAN to connect anywhere and all access from machines on other interfaces is blocked. You need a firewall rule on the pfSense OPTx interface to allow the server to connect to appropriate systems on the LAN.



  • I want my servers to be on one interface and then the LAN on the other because I need my servers to be secure. Everything looks right from what everybody has said, but it still isn't working. The XP machine's IP is 10.1.2.100. It is static because it won't get a number from the DHCP server.

    pfSense = 10.1.2.1
    Server 2012 = 10.1.2.2

    Firewall Rules:

    DHCP Relay:

    Interfaces:



  • @anthix:

    but it still isn't working.

    It would help the readers to help you if you were more specific than "not working". Does "not working" refer to the DHCP issue or to a number of issues?

    There are some ambiguities and problems in your configuration.

    @anthix:

    The XP machine's IP is 10.1.2.100. It is static because it won't get a number from the DHCP server.

    pfSense = 10.1.2.1
    Server 2012 = 10.1.2.2

    Your interfaces screenshot gives these IP addresses: LAN: 10.1.2.1 and SER1: 10.2.1.1. Perhaps there is a typing error in the SER1 IP address.

    You haven't provided the network masks for your interfaces (please post the output of the pfSense shell command /etc/rc.banner), so it is difficult to know if you have an invalid configuration (overlapping address ranges).

    DHCP Relay should be configured to listen on the LAN interface rather than SER1 (relay requests from LAN interface).

    You probably have a number of redundant firewall rules but that shouldn't hurt.



  • I'm sorry, I made an error: they are both 10.1.2.1. As of right now DHCP and AD DC aren't passing through the firewall, nor can I ping the XP client. I'll have more details in a couple of minutes.



  • Please provide masks for each device.



  • Are you referring to the subnet mask? The subnet mask is 255.0.0.0 for both.



  • I'm curious why you bothered putting your servers on a different interface and then configured it on the same network as the rest of your network? 10.1.2.1/8 and 10.2.1.1/8 are on the same network. I'm not sure this is your only issue, but it's at least half of it if not more.



  • Both NIC cards have the IP 10.1.2.1. I'm doing this because I 1) want to monitor the traffic and 2) want to keep people out of my server when they're using the lab computers.



  • Someone chime in if I have this wrong… but right now you have a subnetting issue. Your masks are WAY too wide... I'm 99.9999% sure you don't need 16+ million IPs in your LAN.

    Your two LANs are in the same network, so when your servers are pinging out they are looking for answers from devices in the same LAN segment... it doesn't need a router to tell it how to get to the other network because, again, 10.1.2.1/8 and 10.2.1.1/8 are in the same subnet.

    Your ping requests are not traversing the firewall because it thinks it doesn't have to.

    You need to fix your subnetting.



  • @anthix:

    Both NIC cards have the IP 10.1.2.1.

    A quick count of what you have told us about suggests there are at least 5 NICs. Which specific NICs are you talking about? A very good guide is that (unless you know what you are doing and have thought about it carefully) each NIC should have a unique address. But that is not sufficient to give you a working network.

    It is probably a failure of my imagination, but I don't see how "Both NIC cards have the IP 10.1.2.1." will accomplish either "monitor the traffic" or "keep people out of my server when they're using the lab computers."

    My suggestion: pfSense LAN IP: 10.0.0.1 with netmask size of 16 (255.255.0.0)
    pfSense: SER1 IP: 10.1.0.1 with netmask size of 24 (255.255.255.0)
    Windows server 10.1.0.2 with netmask 255.255.0.0 and default gateway 10.1.0.1.
    Let pfSense handle DHCP on the LAN. (I don't know if Windows DHCP will allocate IP addresses outside its own subnet.)

    You might find it informative to read an introduction to IP Routing such as the Wikipedia article on the topic.
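    The subnetting problem the last few posts describe, as an added example that is not part of the thread: it uses Python's standard ipaddress module to check whether router interfaces overlap and whether a host would send a packet on-link (bypassing pfSense) or to its gateway. The address pairs are the ones quoted in the thread; the LAN host 10.0.0.50 under the suggested plan is a constructed sample.

    ```python
    import ipaddress
    from itertools import combinations

    # Constructed sample data: the addressing reported in the thread
    # (both pfSense interfaces under a /8) versus the /16 + /24 plan suggested above.
    ORIGINAL = {"LAN": "10.1.2.1/8", "SER1": "10.2.1.1/8"}
    SUGGESTED = {"LAN": "10.0.0.1/16", "SER1": "10.1.0.1/24"}


    def overlapping_pairs(ifaces):
        """Return (name_a, name_b) for every pair of interfaces whose subnets overlap.

        On a router, two interfaces that share address space is a misconfiguration:
        hosts believe the other side is on their own segment, ARP for it directly,
        and the traffic never reaches the firewall rules on either interface.
        """
        nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}
        return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


    def is_on_link(src_cidr, dst_ip):
        """True if a host configured as src_cidr treats dst_ip as directly reachable
        (no gateway involved); False if it forwards the packet to its default route."""
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_cidr).network


    def usable_hosts(cidr):
        """Number of host addresses in the subnet, excluding network and broadcast."""
        return ipaddress.ip_interface(cidr).network.num_addresses - 2


    if __name__ == "__main__":
        for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
            print(label, "overlapping interface pairs:", overlapping_pairs(cfg))
        # Server 10.1.2.2/8 pinging the XP box 10.1.2.100: on-link, so pfSense never sees it.
        print("server -> XP on-link under /8:", is_on_link("10.1.2.2/8", "10.1.2.100"))
        # Under the suggested plan the server must route via 10.1.0.1 (pfSense SER1).
        print("server -> LAN on-link under plan:", is_on_link("10.1.0.2/24", "10.0.0.50"))
        print("hosts in a /8:", usable_hosts("10.1.2.1/8"))
    ```
    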

