Rebuilding my pfSense and Univention homelab network layout

I am working on planning out the rebuild of my home network. I’m not worried about physical infrastructure at the moment since I need to save up for hardware and cabling. In the meantime I want to make sure the logical layout is solid. Right now I have

  • a pfSense firewall handling routing and OpenVPN access
  • a Pi-hole container handling adblock which is also the highest-authority DNS server in the network
  • a pair of Univention Corporate Servers handling Active Directory and DHCP which serve as the DNS servers for client machines on the network to simplify communication between Active Directory clients
  • an Nginx Proxy Manager container handling proxying to various services on the network like my media server, Vaultwarden, etc.

This setup amalgamated over the course of several years and I would like to rebuild it to get rid of some of the tangles. I’m envisioning the new network layout as

  • a pfSense firewall that handles routing, DNS, DHCP, and proxying
  • a pair of UCS instances that still handle Active Directory and mirror DHCP/DNS information from the pfSense firewall

My hope is to eliminate the two containers that handle proxying and DNS. I think that Tom’s new guide on Haproxy is going to be very useful, but I’d appreciate some guidance on configuring DNS and DHCP mirroring correctly. I used to have my network configured so that the firewall handled DNS and DHCP but switched to the UCS domain controllers handling it because I had too many issues with resolving internal hostnames. It has been difficult to find good pre-existing resources so any recommendations or advice is appreciated.

If you are looking for ad blocking or use other blocking lists, then you can use pfBlockerNG on pfSense. Then, since you are using Active Directory, all of your devices need to use Active Directory DNS.

If it were me, I’d set up pfBlockerNG and then set up DNS on your Active Directory to forward queries to your pfSense. I would also recommend using the Python version so it will have better performance and lower resource usage.


Your domain controller needs to be the DNS server for the domain; this is a requirement for Active Directory.

On the DNS server, forward your DNS requests to pfSense.

Routing all your DNS through the controller works, but you lose some control and add an extra hop in the mix. You could just redirect your AD subdomain DNS traffic to the DC instead. I believe this would be in the “domain overrides” section of pfSense.

Keep in mind, if you do have those services running in containers, you have some nice benefits you will lose if you run everything on the FW host. Security and flexibility are the two big benefits you lose. Stacking everything on the FW host is certainly easy, but it has some drawbacks.

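As an added illustration of the domain-override approach suggested above (this is not from any poster in the thread): pfSense’s DNS Resolver is Unbound, and a domain override corresponds to an Unbound forward-zone, written out here by hand. The AD domain `ad.example.lan`, the two DC addresses `10.0.10.11`/`10.0.10.12` and the `10.0.10.0/24` client subnet are made-up placeholders.

```conf
# Added example: split DNS on the firewall's Unbound resolver.
# Names under the AD zone are answered by the domain controllers;
# everything else is resolved (or blocked by pfBlockerNG) on the firewall.
# Placeholders: ad.example.lan = AD domain, 10.0.10.11/.12 = the UCS DCs.

server:
    # The DCs answer with RFC 1918 addresses. With DNS rebinding protection
    # enabled, Unbound strips such answers unless the zone is listed as
    # private; the symptom is "internal hostnames do not resolve".
    private-domain: "ad.example.lan"
    # The AD zone is not DNSSEC-signed, so do not treat it as bogus
    # when DNSSEC validation is turned on for everything else.
    domain-insecure: "ad.example.lan"
    # Unbound ships a built-in static zone for 10.in-addr.arpa that answers
    # NXDOMAIN; disable it so the reverse zone below can be forwarded.
    local-zone: "10.in-addr.arpa." nodefault

# Forward lookups for the AD domain go only to the domain controllers.
forward-zone:
    name: "ad.example.lan"
    forward-addr: 10.0.10.11
    forward-addr: 10.0.10.12

# Reverse lookups for the AD client subnet as well, so PTR records for
# domain members come from AD's data rather than the firewall's host list.
forward-zone:
    name: "10.0.10.in-addr.arpa"
    forward-addr: 10.0.10.11
    forward-addr: 10.0.10.12
```

In the pfSense GUI, the two `forward-zone` blocks are what two Domain Override entries produce, while the `server:` lines would be entered in the DNS Resolver’s custom options box.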

I’ve successfully migrated from Pi-hole to pfBlockerNG, so the client devices use the domain controllers as their DNS servers, which then forward requests to the firewall. However, I am not getting any logging or reporting through the pfBlockerNG panel, even though I have confirmed that it’s working. A while ago there were issues with reporting, but based on what I have seen the bug was resolved. Anyone have suggestions on fixing reporting? I haven’t touched DHCP assignment yet, and I think I would rather work on Haproxy first after this is done.

Would these two options allow pfSense to handle DHCP assignment while passing along that information to the domain controllers? UCS is good at a lot of things, but DHCP is surprisingly primitive so it would be nice to hand this back to the firewall if I could make sure those addresses are known to the domain controllers.