So in my small office, my network topology is set up like this:
I have an internet connection coming from my ISP, which connects to one of the NICs (Network Interface Cards) for WAN on my pfSense box.
The pfSense box (which runs the latest version 2.4.5-p1) acts as my router for the whole network infrastructure and sits in the middle of the network topology. Another NIC on the pfSense box connects to the LAN behind it. The LAN contains 3 Cisco SG 350-52P switches which connect various devices including Windows servers, PCs, mobile phones and tablets. It also powers 3 Ubiquiti UniFi AC LR devices which set up wireless connectivity for the LAN.
On the pfSense box I have configured three extra VLANs and also have these VLANs set up on the Cisco managed switches as well; however, the switches are configured not to do L3 routing.
The main LAN is configured with the IP range 192.168.120.xxx; it has the servers, switches and IT computers connected to it and uses the default VLAN ID 1.
VLAN ID 20 (staffLan) is configured with the IP range 192.168.20.xxx and has the office PCs connected to it. These devices must be able to reach the Windows servers on the main LAN for DNS, Active Directory administration services, File Server and Printer services in the Windows environment.
VLAN ID 30 (mobileLan) is configured with the IP range 10.10.30.xxx; this is for personal mobile devices and must not be able to reach the main LAN and staffLan.
VLAN ID 40 (cameraLan) is configured with the IP range 10.10.40.xxx; this is for network cameras and must also not be able to reach the main LAN and staffLan.
However, the main LAN and staffLan must be able to reach the cameraLan for administration of the cameras. The staffLan must also not be able to reach the mobileLan for security purposes.
The above configuration is working perfectly across the devices that are connected to the managed switches and UniFi APs, since the pfSense box is doing the routing and DHCP.
Now, coming to my challenge: it is with the introduction of Windows Active Directory and the pfSense pfBlockerNG-devel package:
- pfSense has a section where you are to specify a domain, e.g. example.localdomain. Should I specify that to be the same as the Windows Server Active Directory DNS?
- All Windows servers and IT computers on the main LAN and the office PCs on the staffLan must be able to reach or contact the Windows Domain Controller 192.168.120.3 for Domain Services, Active Directory, Print and File Services. I have set that in the LAN and staffLan DHCP Server DNS 1 settings on the pfSense box. Is that the right way, because I need to be able to reset Windows logon passwords of staff or office users?
- In the same regard I have also set up pfBlockerNG-devel for domain-level blocking for web filtering and other IP blocking. Since both work with DNS, how do I set it up so that I achieve point 2 and 3 at the same time? I have seen @LTS_Tom's video tutorial setting up a firewall rule that ensures that all connected PCs take DNS from pfSense in order to force them to go through pfBlockerNG-devel.
- I want one section of the users on the main LAN and staffLan to be able to reach Windows Active Directory for logon services and not go through pfBlockerNG-devel at all;
another section of the users on the main LAN and staffLan to be able to reach Windows Active Directory for logon services and go through pfBlockerNG-devel;
and the last section of the users on the main LAN and staffLan to be able to reach Windows Active Directory for logon services and go through pfBlockerNG-devel, but with the website filtering managed so that the sites that are blocked for the section above, the latter can visit.
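The inter-VLAN policy and the DNS-redirect rule described in the post, as an added example that is not part of the original post or any pfSense configuration: a small first-match model of pfSense per-interface rules, used to check each stated reachability requirement. The .1 gateway address per VLAN and the exemption of the domain controller from the DNS redirect are assumptions.

```python
import ipaddress

# Constructed model (not the poster's config). Networks are the ones named in the post.
NETS = {
    "mainLan": ipaddress.ip_network("192.168.120.0/24"),
    "staffLan": ipaddress.ip_network("192.168.20.0/24"),
    "mobileLan": ipaddress.ip_network("10.10.30.0/24"),
    "cameraLan": ipaddress.ip_network("10.10.40.0/24"),
}
GATEWAYS = {n: str(net[1]) for n, net in NETS.items()}  # assumption: pfSense is .1 on each VLAN
DC = "192.168.120.3"  # domain controller named in the post

# Per-ingress-interface rules, evaluated top to bottom, first match wins (pfSense semantics).
# Each entry is (action, destination VLAN name or "any"); an unmatched packet is dropped.
RULES = {
    "mainLan": [("pass", "any")],
    "staffLan": [("block", "mobileLan"), ("pass", "any")],
    "mobileLan": [("block", "mainLan"), ("block", "staffLan"), ("pass", "any")],
    "cameraLan": [("block", "mainLan"), ("block", "staffLan"), ("pass", "any")],
}


def vlan_of(ip):
    """Map an address to the VLAN it belongs to, or "internet" if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), "internet")


def redirect_dns(src, dst, port):
    """NAT redirect in the spirit of the referenced video: DNS (port 53) from a LAN client
    that is not aimed at pfSense is sent to pfSense so pfBlockerNG sees it.
    Assumption: queries to the DC are exempt, so AD DNS keeps working (the DC
    would then forward unresolved names to pfSense)."""
    src_vlan = vlan_of(src)
    if port != 53 or src_vlan == "internet":
        return dst
    if dst in (GATEWAYS[src_vlan], DC):
        return dst
    return GATEWAYS[src_vlan]


def allowed(src, dst, port=None):
    """Return True if a new connection src -> dst passes the ingress interface rules.
    NAT runs before filtering, so the (possibly redirected) destination is evaluated."""
    src_vlan = vlan_of(src)
    dst_vlan = vlan_of(redirect_dns(src, dst, port))
    for action, target in RULES.get(src_vlan, []):  # no rules for WAN: default deny
        if target in ("any", dst_vlan):
            return action == "pass"
    return False
```

Running `allowed("192.168.20.10", DC, 445)` returns True while `allowed("10.10.30.5", DC, 445)` returns False, matching the post's staffLan and mobileLan requirements.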