pfSense + VLans + Windows Server Active Directory + pfblockerNG-devel

So in my small office, I have my network topology is setup like this:
I have internet connection coming from my ISP which connects to one of the NICs (Network Interface Card) for WAN on my pfSense box.
The pfSense box (which runs the latest version 2.4.5-p1) acts as my router for the whole network infrastructure and sits in the middle of the network topology. From one other NIC from the pfSense box connects to the LAN behind it. The LAN contains 3 Cisco SG 350-52P switches which connects various devices including windows servers, PCs, mobile phones, tablets. It also powers 3 Ubiquiti Unifi AC LR devices which sets up a wireless connectivity for the LAN.
On the pfSense box has been configured three extra VLans and also have these VLans set up on the Cisco managed switches as well, however the switches are configured not to do the routing L3.

The main LAN has IP configured 192.168.120.xxx and this has the servers, switches and IT computers connected to it and has the default Vlan id 1 set to it.
VLan id 20 (staffLan) has IP configured 192.168.20.xxx and this has office PCs connected to it. These devices must be able to reach the windows servers on the main Lan for DNS for Active Directory administration services, File Server and Printer services in the Windows Environment.
VLan id 30 (mobileLan) has IP configured 10.10.30.xxx and this for personal mobile devices and must not be able to reach main Lan and staffLan
VLan id 40 (cameraLan) has IP configured 10.10.40.xxx and this for network cameras and must also not be able to reach main Lan and staffLan.
However the main Lan and staffLan must be able to reach the cameraLan for administration of the cameras. The staffLan must also not be able to reach the mobileLan for security purposes.

This above configuration is working perfectly across the devices that are connected to the managed switches and Unifi AP since the pfSense box is doing the routing and dhcp.

Now coming to my challenge is with the introduction of Windows Active Direcotry and pfSense pfblockerNG-devel package:

  1. pfSense has a section where you are to specify a domain eg. example.localdomain. Should I specify that to be the same of the Windows Server Active Directory DNS ?

  2. All windows servers, IT computers on the main Lan and the office PCs on the staffLan must be able to reach or contact the Windows Domain Controller 192.168.120.3 for Domain services, Active Directory, Print and File Services. I have set that at the Lan and staffLan DCHCP Server DNS 1 settings on the pfSense box. Is that the right way because I need to be able to reset windows logon passwords of staff or office users ?

  3. In the same regard I have also setup pfblockerNG-devel for domain level blocking for web filtering and other IP blocking. Since both works with DNS how do I set it up so that I achieve point 2 and 3 at the same time ? I have seen @LTS_Tom video tutorial setting up a firewall rule that ensures that all connected PCs take DNS from the pfSense in order to to force them to go through the pfblockerNG-devel.

  4. I want a section of the users on the main Lan and staffLan to be able to reach Windows Active Directory for logon services and not go through the pfblockerNG-devel at all,
    another section of the users on the main Lan and staffLan to be able to reach Windows Active Directory for logon services and go through the pfblockerNG-devel
    and the last section of the users on the main Lan and staffLan to be able to reach Windows Active Directory for logon services and go through the pfblockerNG-devel but the filtering of websites to be managed so that the sites that the section above is blocked the later can visit.

For anything that needs to access Active Directory the AD server should be the only DNS unless you want a lot of potential issues. Just have the AD server use the pfsense for upstream DNS.

Thank you @LTS_Tom for the quick response. Sincerely, I have been following you since I bumped into your videos some 4 years back.

Don’t think you have answered my questions and doubts fully though. I need help on this.

Nonetheless I believe if I am getting you right for the mainLan and the staffLan which I want all devices on them to reach the Windows Active Directory Server, I can do the following:

  1. on the DHCP Server on pfSense box at the various interfaces, I should set the DNS IP Address to that of the AD server.
  2. From there I can setup a DNS forwarder on the AD server to upstream DNS to the pfSense in order for pfblockerNG-devel to do its part.

Hope I am right for this step Sir.

For anything that needs to access Active Directory the AD server should be also be used for DHCP. For each separate network it would be best to put in a network interface for that Windows Server so devices are talking directly to it instead of going through pfsense.

From what you are saying then how do I achieve my VLans, wireless Unifi AP connections and the dnsbl filtering with pfblockerNG-devel? I am messed up now

AD can be routed through the pfsense but it works best when you configure a separate network interface for that Windows Server so devices are talking directly to it instead of going through pfsense.

Are you saying I should have a physical network interface from the pfSense box to the Windows AD and then have a switch connect to it for other devices that need to reach it or use it rather than my description in my opening post where I have it on the native VLan with other physical windows servers and the devices that need to reach it on a separate VLan

Yeah this is doable…with a few gotcha’s.

  1. Setting the pfsense hostname to pfsense to your domain so “pfsense.mydomainname”
  2. Setting your DHCP on pfsense to point to your DC at 192.168.120.3 under Services --> DHCP Server --> LAN and make sure your DC IP is primary and set pfsense IP as secondary (in case your DC goes down and you can still have DNS resolution)
  3. Setting the DNS forwarder on your DC to point to your pfsense.
    image

That should get you rolling with pfblocking and as for blocking DNS on a specific interface for just the DNS you specified the create an alias for 53 and 853 (DNS over TLS) and name “DNSPorts” and create a rule like this

Create a similar rule but for the destination specify your DC’s IP. So 2 block rules total.

As for your last request I am not sure this is possible because all users will have to go through the DC that is then forwarded to your pfsense box so all users would be using pfblocker when all of this is set up. Then at that point you might have to use a proxy and point the hosts you are wanting to filter to the proxy (like squid) and the ones you don’t want to filter to leave them alone. The proxy isn’t bad to set up. Because this is in a business environment with a DC you can create a GPO to install a CA on all the machines and set a proxy address for all the machines you want to filter.

2 Likes