Visentinel

pfSense VPN gateway in a windows domain with single subnet

Guide: How to set up a pfSense VPN Gateway

In a Windows Domain Network

Also using a single subnet for the LAN

(WAN uses a different subnet just for pfSense-router comms)

This guide lets you choose, per device, whether it uses the AirVPN tunnel or the normal internet, while keeping a single LAN subnet and a Windows domain.

Prerequisites:

1. You must have a sound understanding of configuring the Windows Server 2008/2012 DNS and DHCP roles.

2. Your router (ADSL modem, cable modem, etc.) must be able to hold two IP addresses. The reason is that the modem keeps serving normal internet on its usual LAN IP, while the alias IP becomes the upstream gateway in pfSense, because the pfSense LAN and WAN interfaces cannot (and should not) be on the same subnet. (For example, Billion ADSL modems can be configured with a LAN IP and an alias IP.)

3. If you have an Exchange server installed on your domain controller, firstly, shame on you! That is seriously bad practice. Secondly, when you set your DC to use pfSense as its gateway, Exchange will have problems. You should still be able to send email, but receiving it can be a problem, because incoming connections arrive through one gateway and hit a server whose default gateway points at a different one, so the replies take a different path (asymmetric routing).


Step 1 - Configure pfSense

My step 1 is to actually configure pfSense first. There is no need to reinvent the wheel here, so follow pfSense_fan's guide to configure the AirVPN setup in pfSense.

(Hope you don't mind, pfSense_fan!)

Though not compulsory, it is best practice to use Windows DHCP in a Windows domain environment; for the purposes of this guide I will assume that you are.

Now would also be a good time to configure your router's alias IP. For example, give it 192.168.1.254; your router then serves as a gateway on both its normal address (for example 192.168.0.254) and the alias.

Follow pfSense_fan's guide for steps 1 through 5, then use its alternate steps 6 and 7 for two NICs.

While following the guide, change the following instructions:

1. During the pfSense installation, say no to VLANs and assign em1 to WAN and em0 to LAN.

2. Now select menu item 2 and change the interface IP addresses: assign your desired LAN interface IP and say no to enabling DHCP, then repeat this step for WAN, remembering to specify your router's alias IP as the gateway on the WAN interface.

Skip the guide's steps to configure LAN. In the WAN interface settings, uncheck the options to block private networks and bogon networks (the WAN sits on a private subnet behind your router, so leaving them checked would drop your own traffic). Finally, skip the steps to configure DHCP.

Example:

WAN (wan) -> em1 -> v4: 192.168.1.253/24
LAN (lan) -> em0 -> v4: 192.168.0.137/24

Proceed to pfSense_fan's guide:

https://airvpn.org/pfsense/

Step 2 - Testing and Windows Server DNS

Welcome back!

OK, it's time to test your new pfSense gateway. Change the IPv4 settings on a computer to a static IP, configure it to use the pfSense LAN address as gateway and 10.4.0.1 as DNS server, then open your browser and navigate to ipleak.net to confirm that both your IP and your DNS IP belong to AirVPN. Afterwards, change the computer back to DHCP.

Log on to your Windows server and do the following:

1. Change the default gateway of the server NIC to the pfSense LAN address.

2. Make sure the only DNS servers configured on the NIC are 127.0.0.1 or the IP of the server itself.

Open the DNS management tool:

1. Configure the Windows DNS server so that its only forwarder is 10.4.0.1.

2. Untick "Use root hints if no forwarders are available" (so that resolution never falls back to querying the root servers directly and bypasses the AirVPN resolver).

3. Click Apply / OK.

Step 3 - DHCP

Open the DHCP management tool and check that the only DNS server IPs in the scope options are those of your Windows DC.

Now you have a choice: you can set the DHCP scope option "Router" to point either to the standard router or to the pfSense router. It depends on whether you want all traffic to use the VPN by default or the normal internet by default.

Then, for any device that should use the other gateway instead of the default, create a DHCP reservation for that device and set the reservation's Router option to the other gateway.

Finally, it doesn't matter whether a device uses the normal internet or the VPN: ALL DNS queries flow through the VPN.

I haven't had any issues at all with this personally, and it has to be this way because all computers joined to the domain must use the DC's DNS.
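The Windows Server side of Steps 2 and 3 (DNS forwarder, scope options and a per-device reservation) done from PowerShell, as an added example that is not part of the original post. It uses the addresses from the guide (pfSense LAN 192.168.0.137, router 192.168.0.254, AirVPN DNS 10.4.0.1); the DC address, scope ID and client MAC are assumed values, and the checks after each step verify the settings the guide tells you to confirm by hand.

```powershell
# Added example, not from the original post. Run as a domain admin on the
# DC/DHCP server (Windows Server 2012+, DnsServer and DhcpServer modules).
$PfSenseLan   = '192.168.0.137'   # pfSense LAN address (from the guide)
$NormalRouter = '192.168.0.254'   # the normal router (from the guide)
$AirVpnDns    = '10.4.0.1'        # AirVPN resolver (from the guide)
$DcIp         = '192.168.0.10'    # assumed: the domain controller's own IP
$ScopeId      = '192.168.0.0'     # assumed: the single LAN scope

# --- Step 2: the only DNS forwarder is 10.4.0.1 and root hints are off ---
Set-DnsServerForwarder -IPAddress $AirVpnDns -UseRootHint $false

# Check: forwarder list must contain nothing but the AirVPN resolver
$fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object ToString)
if (Compare-Object $fwd @($AirVpnDns)) { throw "Unexpected forwarders: $fwd" }
if ((Get-DnsServerForwarder).UseRootHint) { throw "Root hints are still enabled" }

# --- Step 3: scope-wide options: DNS = only the DC, default gateway = normal router ---
# (swap $NormalRouter for $PfSenseLan here if the VPN should be the default)
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcIp -Router $NormalRouter

# Check: option 6 (DNS servers) lists nothing but the DC
$dns = @((Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6).Value)
if (Compare-Object $dns @($DcIp)) { throw "Scope DNS option must be only $DcIp, got: $dns" }

# Per-device exception: a reservation whose Router option points at pfSense
$VpnClientMac = '00-11-22-33-44-55'   # assumed: MAC of the device that should use the VPN
$VpnClientIp  = '192.168.0.50'        # assumed: reserved address inside the scope
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $VpnClientIp `
    -ClientId $VpnClientMac -Name 'vpn-client' -Description 'routes via AirVPN'
Set-DhcpServerv4OptionValue -ReservedIP $VpnClientIp -Router $PfSenseLan

# Check: the reservation overrides option 3 (router) only; DNS still inherits the DC
$r = @((Get-DhcpServerv4OptionValue -ReservedIP $VpnClientIp -OptionId 3).Value)
if ($r[0] -ne $PfSenseLan) { throw "Reservation router option not applied: $r" }
```

To move a device the other way (VPN by default, this one on the normal internet), set the scope Router option to $PfSenseLan and the reservation's Router option to $NormalRouter.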

 

That's it, CONGRATULATIONS!

Formatting by pfSense_fan





 
