
Setting up pfSense in a Windows Server environment

kngzeng

Hi, I'm setting up pfSense in a Windows Server environment. I want pfSense to manage NAT and the firewall, and Windows Server to manage DNS, AD and DHCP. I'm fairly new to pfSense and still learning and researching on the web. If anyone could give me a little tutorial or a checklist of what should be disabled in pfSense for a stable configuration.

 

I already configured it in a test setup, but when any new computer connects to the network it takes about 30-45 seconds to complete the connection and be ready to surf the web, and I don't really know why this happens.

 

This was my test setup.

 

pfSense

IP: 10.0.1.1

DNS: 127.0.0.1, 8.8.8.8, 8.8.4.4

DHCP disabled

DNS disabled

All other settings stayed as default.

 

Windows Server:

IP: 10.0.1.5

Network adapter DNS: 127.0.0.1

DHCP configured to give 10.0.1.10-10.0.1.100

 

Clients were receiving IP addresses correctly, and DHCP was configuring the clients with 10.0.1.1 as gateway and 10.0.1.5 as DNS and DHCP server.

 

I think I have missed a lot of steps, and many will tell me I'm a complete idiot, hehehe. But it worked fine; it's just that the clients were receiving the DHCP acknowledgement/configuration very slowly. I'm open to any critiques :P Thanks.

 


4 hours ago, kngzeng said:

-snip-

 

Are there enough resources?

 

What are the specs of your pfSense box and Win Server?

 

What Win Server is it btw? 


6 hours ago, kngzeng said:

-snip-

Why is 127.0.0.1 set as a DNS server address on your pfsense? If it's not running any DNS server or relaying services this will cause timeouts for address lookup before failing through to the next DNS server on the list.


8.8.8.8 hits you with a lot of latency that is completely unnecessary.


Well if you're running your own DNS with AD, why would you set your DNS servers to Google?


19 hours ago, Bittenfleax said:

Is there enough resources? 

 

What are the specs of your pfSense box and Win Server?

 

What Win Server is it btw? 

Nah, I don't think it's lacking resources; in the test setup I was just connecting 2 test computers. It's running WS2012R2. I don't really remember the specs for both machines right now, I will tell you once I'm back at work tomorrow.

 

17 hours ago, leadeater said:

Why is 127.0.0.1 set as a DNS server address on your pfsense? If it's not running any DNS server or relaying services this will cause timeouts for address lookup before failing through to the next DNS server on the list.

 

14 hours ago, .:MARK:. said:

Well if you're running your own DNS with AD, why would you set your DNS servers to Google?

From what I've read on the web, that is for any name resolution that couldn't be resolved on the Windows DNS Server, so it could be forwarded to the external DNS servers, for which I'm using Google's because that is what I've used for years, hehehe. If there is any better external DNS I would appreciate the info so I can change it. I see that my problem is the DNS configuration, judging from both of your answers; I will need to look up more information about configuring DNS then. pfSense automatically set up the 127.0.0.1 IP as the primary DNS; I think that is because I have DNS Rebinding Check enabled, not sure about that.

 

In summary, my tasks for today: read more about DNS, since it appears that I'm a total noob, and tomorrow, reconfigure the DNS configuration on the pfSense box so that it doesn't point to localhost or to Google's servers, per your suggestions.

 

Can anyone give me suggested sites for reading about this topic? I need a little bit of guidance.

 

Thanks.


7 minutes ago, kngzeng said:

-snip-

You would set the DNS addresses for the pfSense server to your AD DNS servers only, and set up forwarders on the AD DNS servers to your ISP's DNS servers. Right now your pfSense server does not look up any addresses on your AD DNS servers.

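Added example (not from the thread, and not pfSense's or Microsoft's code) covering both of leadeater's points: the dead-resolver delay from listing 127.0.0.1 with no DNS service behind it, and the recommended layout where pfSense lists only the AD DNS server and that server forwards upstream. It sends raw DNS queries over UDP to each resolver in list order, stops at the first one that replies, reports how long each took, and then checks that the AD DNS server answers its own domain-controller SRV record and can forward a public name. The addresses 10.0.1.5 and 127.0.0.1 come from the thread; the domain corp.example, the name www.example.com and the 2-second timeout are assumptions. The `transport` parameter exists so the checks can run offline against a fake resolver.

```python
"""Resolver-chain check for the pfSense + AD DNS layout in this thread (added example).
Assumed values: corp.example as the AD domain, www.example.com as the public test name."""
import random
import socket
import struct
import time

QTYPE_A, QTYPE_SRV = 1, 33


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a minimal DNS query: one question, RD=1, IN class. Returns (packet, id)."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def parse_response(data, txid):
    """Return (rcode, answer_count) from a response header; raise ValueError on a bad reply."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an


def canned_response(packet, rcode=0, answers=1):
    """Synthetic reply for offline testing: same id and question, QR/RD/RA set.
    Only the header counts are filled in; no answer records are appended."""
    return packet[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, answers, 0, 0) + packet[12:]


def udp_probe(server, packet, timeout):
    """Real transport: one UDP datagram to server:53, wait up to timeout seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recvfrom(512)[0]


def check_resolver(server, name, qtype=QTYPE_A, timeout=2.0, transport=udp_probe):
    """Query one resolver. status: ok (answered), empty (alive, no data), dead (no usable reply).
    A port with nothing listening (the 127.0.0.1 case) usually fails fast with ECONNREFUSED;
    a silently filtered resolver burns the whole timeout."""
    packet, txid = build_query(name, qtype)
    start = time.monotonic()
    try:
        rcode, answers = parse_response(transport(server, packet, timeout), txid)
        status = "ok" if rcode == 0 and answers > 0 else "empty"
    except (OSError, ValueError):  # socket.timeout and ECONNREFUSED are both OSError
        rcode, answers, status = None, 0, "dead"
    return {"server": server, "status": status, "rcode": rcode,
            "answers": answers, "seconds": round(time.monotonic() - start, 3)}


def walk_chain(servers, name, timeout=2.0, transport=udp_probe):
    """Try resolvers in list order, as a stub resolver does, stopping at the first reply.
    Returns (results, penalty): penalty is the seconds a lookup loses to dead entries
    ahead of the first responder, assuming each dead entry costs one full timeout."""
    results = []
    for server in servers:
        result = check_resolver(server, name, QTYPE_A, timeout, transport)
        results.append(result)
        if result["status"] != "dead":
            break
    dead_ahead = sum(1 for r in results if r["status"] == "dead")
    return results, dead_ahead * timeout


def check_ad_dns(ad_server, ad_domain, external_name="www.example.com",
                 timeout=2.0, transport=udp_probe):
    """Two checks for the recommended layout: the AD DNS server answers the
    domain-controller SRV record of its own zone, and it forwards a public name
    upstream, so pfSense can safely list it as its only DNS server."""
    srv = check_resolver(ad_server, f"_ldap._tcp.dc._msdcs.{ad_domain}", QTYPE_SRV, timeout, transport)
    ext = check_resolver(ad_server, external_name, QTYPE_A, timeout, transport)
    return {"ad_zone_ok": srv["status"] == "ok", "forwarding_ok": ext["status"] == "ok"}


if __name__ == "__main__":
    # The thread's first configuration: localhost first, Google next, AD DNS last.
    results, penalty = walk_chain(["127.0.0.1", "8.8.8.8", "8.8.4.4", "10.0.1.5"], "www.example.com")
    for r in results:
        print(f'{r["server"]:>12}  {r["status"]:<6}  {r["seconds"]:.3f}s')
    print(f"worst-case delay from dead entries ahead of the first responder: {penalty:.0f}s per lookup")
    # The recommended layout: pfSense lists only the AD DNS server (assumed to be 10.0.1.5).
    print(check_ad_dns("10.0.1.5", "corp.example"))
```

Run it from a host on the LAN (or the pfSense shell, which has Python when packages that need it are installed) to see which listed resolver actually answers first. If `ad_zone_ok` is false, the AD zone is not being served from that address; if `forwarding_ok` is false, the forwarders on the Windows DNS server are missing or unreachable, and pointing pfSense at it alone would break external lookups.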

3 minutes ago, leadeater said:

You would set your DNS address for the pfsense server to your AD DNS servers only, you setup forwarders on the AD DNS servers to your ISP's DNS servers. Right now your pfsense server does not look up any addresses to your AD DNS servers.

Ohhh, I see. Then in that case, I will reconfigure the pfSense server DNS to point to the AD DNS; in my case, the ISP doesn't provide us with the IPs for their DNS servers, that's why I'm relying on an external DNS server.


2 minutes ago, kngzeng said:

Ohhh, I see, then in that case, I will reconfigure the PfSense server DNS to point to the AD DNS; in my case, the ISP doesn't provide us with the IP for their DNS Servers, that's why I'm relying on an External DNS server.

Should be able to get the DNS details off your modem when it connects, check the connection details when you login to admin page of the modem.


1 minute ago, leadeater said:

Should be able to get the DNS details off your modem when it connects, check the connection details when you login to admin page of the modem.

Ok, I will try to get the info. We have two main ISPs in our country, and neither of them gives us the info to log in to the admin page of the modem. They provided us with an Arris CM20 modem. Is there any information about the login account for that modem on the web? I'm able to access the login page for the modem, but can't get in because I don't have the account info.


21 hours ago, leadeater said:

Should be able to get the DNS details off your modem when it connects, check the connection details when you login to admin page of the modem.

Well, it appears that our ISP also uses Google's DNS servers. I left the DNS configuration blank on the pfSense box, with the option enabled that it would retrieve DNS information from the ISP, and guess what, it was configured with 8.8.8.8 and 8.8.4.4.

 

Now the DNS is configured with 127.0.0.1, 8.8.8.8, 8.8.4.4 and 10.0.1.5.

 

I'm still not sure why the 127.0.0.1 is there, and I will delete both 8.8.8.8 and 8.8.4.4, so only 10.0.1.5 will be configured.

