PfSense and WSUS. Please help.



  • Hi
    I am having some problems getting WSUS to work after I installed pfSense as firewall/router on an old computer. This is all in my home network for learning purposes,
    so both the WAN and LAN sides are in my internal network. The problem is that I had a fully functional WSUS server before I started using the pfSense router. All clients and the server are connected to a switch on the LAN side. I haven't done anything with VLANs, so all are in the same subnet as well.
    After pfSense, the WSUS server no longer finds the clients. But I can ping the WSUS server from all the clients. I had all the clients connect to WSUS using GPO before I changed to pfSense. The WSUS server is my Domain Controller 2, while I am running DHCP and DNS from my Domain Controller 1.

    I am currently a Network Administrator student, so I am still very much a noob. But I am working hard to build a foundation of knowledge as I really like this stuff :) so I would really, really appreciate any help to resolve this issue. I don't really know how to identify what the problem actually is :/ I assume this has something to do with the firewall?

    Please help



  • One of my teachers once said: Drawings are the language of technicians.
    Show us your setup. The way you describe it leaves room for interpretation.


  • Rebel Alliance Global Moderator

    pfSense has nothing to do with clients talking to clients on the same network/VLAN - pfSense would only be used to get off a network..

    Sounds like you're using your AD setup for your DNS and DHCP…  Did you change your network address space when you installed pfSense, did you go from 192.168.1.0/24 to 192.168.2.0/24 or something??

    "WSUS server no longer finds the clients"

    What is it using for DNS?  Can it ping the clients by IP?

    Again - pfSense has NOTHING to do with LAN traffic.. Your WSUS talking to clients and finding them either via broadcast or DNS or WINS even has NOTHING to do with pfSense in the way you have described your network.



  • Hi,  Thanks for replies!

    My setup is:

    LanSwitch(192.168.20.2/24) --> PfSense(192.168.20.1/24) --> WanSwitch(192.168.20.3/24) --> ISP Router

    DC1 192.168.20.10/24 (DHCP, DNS)
    DC2 192.168.20.11/24 (WDS, WSUS)

    All clients and Domain Controllers are virtual machines that are physically connected to the LAN switch.

    I did switch IP network when I changed to pfSense, but have since then removed the DHCP role and DNS and set it up again. My WDS role works fine btw.

    I have not done anything in the pfSense router when it comes to DNS, but I have made sure DHCP is turned off.

    I am going to try and set up DHCP again and see if it might be something with the DNS settings in the pfSense router that is messing things up for me. Will update on how it goes :) really appreciate the replies! :)

    Sorry if my English is bad!



  • One difference I can think of is that before I set up pfSense, I used an Asus router instead without the LAN switch. I just used the 4 ports in the router.
    The switches are of the cheap manageable ZyXEL 8-port kind. In the switches, the only thing I have changed is the IP. Is there something else I should have done in the switch for broadcast to work with WSUS?


  • Rebel Alliance Global Moderator

    "LanSwitch(192.168.20.2/24) --> PfSense(192.168.20.1/24) --> WanSwitch(192.168.20.3/24)"

    That is completely and utterly BROKEN!!!  Did you set up pfSense as a transparent bridge firewall??

    Where are your clients and where are your servers?  You don't use the same network on different sides of a router..

    What is your ISP device?  When you say WAN switch do you mean the 4 ports that are on this device?  What is this LAN switch?

    Do this!  See how the networks are DIFFERENT..  Do you want/need devices connected on both sides of pfSense when you say LAN and WAN??  Do you want/need to firewall between devices?  ALL your devices should be on the LAN side..  And if possible you should put your ISP device into bridge/modem mode so pfSense gets a public IP on its WAN interface.

    "All clients and Domain Controllers are virtual machines that are physically connected to the LAN switch."
    IF all your clients are VMs on a host.. You don't even need a physical network switch for them to talk to each other..




  • Don't have the same network on both sides. ISP router is 10.0.0.138 while the WAN side of pfSense is 10.0.0.50. The IP of the switch is 192.168.20.xx because it seemed like the only way it would be manageable from within the network.
    Like I said before, this has no other purpose than for learning…


  • Rebel Alliance Global Moderator

    "Don't have the same network on both sides."

    What does this look like??
    "LanSwitch(192.168.20.2/24) --> PfSense(192.168.20.1/24) --> WanSwitch(192.168.20.3/24)"

    Why would you not say 10.0.0.x/? is your WAN network??

    And let's go over it yet again... if all your devices are on 192.168.20.0/24 or whatever network then pfSense has NOTHING to do with them talking to each other..  Your WSUS not finding your clients has NOTHING to do with pfSense if they are all on that same network..

    Unless you have pfSense set up as a bridge and you have devices on different sides of the bridge, pfSense has nothing to do with them talking to each other.  If they are all on the same VM host connected to the same VM network, or connected to a physical switch, pfSense has nothing to do with their conversations.

    Now if you were trying to use pfSense DNS, be it the forwarder or unbound, to resolve your host names - then there would be something to discuss with pfSense.  Whatever your problem is, it has nothing to do with pfSense.

    More than happy to help you fix it..  So your WSUS is what IP?  And your client you cannot resolve is what IP?  And how are they connected?  They connected to the same vSwitch in ESXi?  Hyper-V? what??  You say devices can ping WSUS but WSUS cannot ping them by name, IP??  Do you see a MAC in your ARP table?
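    The checks the moderator lists (DNS resolution, ping by IP, ARP entry, and the WSUS setting the GPO actually pushed) can be run from one domain-joined client in a single pass, so a DNS failure is not mistaken for a firewall problem. This is an added diagnostic script, not from the thread or from pfSense; the host name DC2 and IP 192.168.20.11 are taken from the thread's own setup and are assumptions, and the WSUS port is read from the applied policy.

    ```powershell
    # Added diagnostic (not from the thread). Run in an elevated PowerShell on a
    # domain-joined client. DC2 / 192.168.20.11 are the values the thread gives.
    param(
        [string]$WsusHost   = 'DC2',             # assumed WSUS server name
        [string]$ExpectedIp = '192.168.20.11'    # assumed WSUS server IP
    )

    # 1. Which resolvers does this client actually use? For an AD domain this must
    #    be the DC running DNS (DC1 in the thread), not pfSense.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize

    # 2. Name resolution and IP reachability are tested separately on purpose:
    #    a stale A record from the old subnet looks like "WSUS can't find clients".
    $dns = Resolve-DnsName -Name $WsusHost -Type A -ErrorAction SilentlyContinue
    if (-not $dns) {
        Write-Warning "DNS: '$WsusHost' does not resolve - look at DNS, not pfSense"
    } elseif ($dns.IPAddress -notcontains $ExpectedIp) {
        Write-Warning "DNS: '$WsusHost' -> $($dns.IPAddress), expected $ExpectedIp (stale record?)"
    } else {
        "DNS: $WsusHost -> $ExpectedIp OK"
    }
    $icmp = Test-Connection -ComputerName $ExpectedIp -Count 2 -Quiet
    "ICMP to ${ExpectedIp}: $(if ($icmp) { 'OK' } else { 'FAIL' })"

    # 3. Same-subnet traffic never crosses the router: a MAC in the neighbour
    #    (ARP) table proves the two hosts are L2-adjacent.
    $arp = Get-NetNeighbor -IPAddress $ExpectedIp -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($arp -and $arp.State -ne 'Unreachable') {
        "ARP: $ExpectedIp is at $($arp.LinkLayerAddress) ($($arp.State))"
    } else {
        Write-Warning "ARP: no entry for $ExpectedIp - not on the same L2 segment?"
    }

    # 4. What the GPO really applied, and whether that host:port answers over TCP
    #    (WSUS defaults to 8530/8531; older installs used 80/443).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    if ($pol.WUServer) {
        "Policy WUServer: $($pol.WUServer)"
        $uri = [uri]$pol.WUServer
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
        "TCP $($uri.Host):$($uri.Port): $(if ($tcp) { 'OK' } else { 'FAIL' })"
    } else {
        Write-Warning 'No WUServer policy applied - check with gpupdate /force and gpresult /r'
    }
    ```

    If steps 2 and 3 pass but step 4 fails on the name inside WUServer, the GPO still points at a name or address from the old subnet, which is the client-side symptom the thread describes.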



  • @johnpoz:

    "Don't have the same network on both sides."

    What does this look like??
    "LanSwitch(192.168.20.2/24) --> PfSense(192.168.20.1/24) --> WanSwitch(192.168.20.3/24)"

    Why would you not say 10.0.0.x/? is your WAN network??

    There's a reason why I'm saying: Give us a drawing!
    What you did was re-phrase it. Not re-draw.
    If you want our help you should get us in a position to help you.