[pfSense Support] Microsoft Server 2008 DHCP relay
We have a couple of pfSense installations that want to 'lock down' their Windows workstations with Win 2K8 Server and Active Directory. As you may know, normally this requires that Win Server be the DNS DHCP server. To clarify, we're NOT talking about MS Small Business Server/exchange and all of that crap--just 'regular' 2K8, with AD for lockdown/policy etc.

Can anyone say from experience whether it's 'within scope' to keep pfSense as the DHCP/DNS? In other words, is it feasible to have 2K8 server turn to pfSense via something like DHCP relay? Never played with DHCP relay.

Before sinking money into another server, licenses etc, I'm hoping someone can at least say yes, it works, I've tried it--it's solid so that we don't find ourselves half-way through realizing that we REALLY DO have to re-tool perfectly solid tested parts of our network just because the Microsoft tentacles want to touch be in control of everything.

As I see it, I don't mind if Microsoft 2K8 server runs the Windows parts of the network but not the whole network.

Has anyone actually tried this?

Thanks in advance!

-Karl

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Microsoft Server 2008 DHCP relay
You don't need DHCP relay. Just use pfSense's DHCP and set a domain authoritative to the DC (for DNS). A number of my remote offices that don't have a DC are working like that (although only my office is using pfSense and others are using SonicWall). One difference though: mine is Windows 2003 R2 AD, not Windows 2008.

-Raylund

-----Original Message-----
From: Karl Fife [mailto:karlf...@gmail.com]
Sent: Saturday, April 17, 2010 2:17 PM
To: support@pfsense.com
Subject: [pfSense Support] Microsoft Server 2008 DHCP relay

We have a couple of pfSense installations that want to 'lock down' their Windows workstations with Win 2K8 Server and Active Directory. As you may know, normally this requires that Win Server be the DNS DHCP server. To clarify, we're NOT talking about MS Small Business Server/exchange and all of that crap--just 'regular' 2K8, with AD for lockdown/policy etc.

Can anyone say from experience whether it's 'within scope' to keep pfSense as the DHCP/DNS? In other words, is it feasible to have 2K8 server turn to pfSense via something like DHCP relay? Never played with DHCP relay.

Before sinking money into another server, licenses etc, I'm hoping someone can at least say yes, it works, I've tried it--it's solid so that we don't find ourselves half-way through realizing that we REALLY DO have to re-tool perfectly solid tested parts of our network just because the Microsoft tentacles want to touch be in control of everything.

As I see it, I don't mind if Microsoft 2K8 server runs the Windows parts of the network but not the whole network.

Has anyone actually tried this?

Thanks in advance!

-Karl
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
Did you power-cycle the modem?

db

On 4/17/10, Jeppe Øland jol...@gmail.com wrote:
> Hi there,
>
> Hopefully somebody can help me with how to diagnose this problem.
>
> I recently switched to Comcast, and I have been running great with them for a few weeks. They supplied me with a Ubee cablemodem, and last week I bought a Motorola SB6120 to replace it. Shouldn't have done that!
>
> The modem itself seems to work fine ... if I plug my Windows PC straight into it, it gets an address via DHCP and everything is fine. If I plug pfSense into it however, it never gets an address (it tries the cached one which is no good with Comcast), and the interface goes up and down every so often ... presumably because of the pinger script.
>
> Comcast, unsurprisingly, are not helpful :-(
>
> The hardware I'm running pfSense on is one of the new SuperMicro X7SPA-H boards. It worked great with the Ubee modem.
> The pfSense I am currently running on it is: pfSense-2.0-BETA1-20100407-1435
>
> In the system log I see this:
>
> Apr 17 14:19:14 firewall kernel: em1: link state changed to UP
> Apr 17 14:19:15 firewall dhclient: netstat
> Apr 17 14:19:15 firewall dhclient: PREINIT
> Apr 17 14:19:15 firewall dhclient[25679]: DHCPREQUEST on em1 to 255.255.255.255 port 67
> Apr 17 14:19:16 firewall dhclient[25679]: DHCPREQUEST on em1 to 255.255.255.255 port 67
> Apr 17 14:19:18 firewall dhclient[25679]: DHCPREQUEST on em1 to 255.255.255.255 port 67
> Apr 17 14:19:22 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 1
> Apr 17 14:19:22 firewall check_reload_status: rc.linkup starting
> Apr 17 14:19:26 firewall last message repeated 4 times
> Apr 17 14:19:27 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 2
> Apr 17 14:19:35 firewall last message repeated 4 times
> Apr 17 14:19:37 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 5
> Apr 17 14:19:42 firewall sshd[50919]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 52603 ssh2
> Apr 17 14:19:42 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 9
> Apr 17 14:19:51 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 14
> Apr 17 14:20:05 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 8
> Apr 17 14:20:13 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 8
> Apr 17 14:20:21 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 2
> Apr 17 14:20:23 firewall dhclient[25679]: No DHCPOFFERS received.
> Apr 17 14:20:24 firewall dhclient[25679]: Trying recorded lease 24.5.66.120
> Apr 17 14:20:24 firewall dhclient: netstat
> Apr 17 14:20:24 firewall dhclient: TIMEOUT
> Apr 17 14:20:24 firewall dhclient: Starting add_new_address()
> Apr 17 14:20:24 firewall dhclient: ifconfig em1 inet 24.5.66.120 netmask 255.255.248.0 broadcast 255.255.255.255
> Apr 17 14:20:24 firewall dhclient: New IP Address (em1): 24.5.66.120
> Apr 17 14:20:24 firewall dhclient: New Subnet Mask (em1): 255.255.248.0
> Apr 17 14:20:24 firewall dhclient: New Broadcast Address (em1): 255.255.255.255
> Apr 17 14:20:24 firewall dhclient: New Routers (em1): 24.5.64.1
> Apr 17 14:20:26 firewall dhclient: New Routers (em1): 24.5.64.1
> Apr 17 14:20:26 firewall dhclient: Deleting old routes
> Apr 17 14:20:26 firewall dhclient[25679]: bound: renewal in 107084 seconds.
> Apr 17 14:20:27 firewall check_reload_status: rc.newwanip starting
> Apr 17 14:20:28 firewall php: : rc.newwanip: Informational is starting .
> Apr 17 14:20:28 firewall php: : rc.newwanip: on (IP address: ) (interface: wan) (real interface: em1).
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: Running updatedns()
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: updatedns() starting
> Apr 17 14:20:28 firewall php: /interfaces.php: There was an error trying to determine the IP for interface - wan(em1).
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: _detectChange() starting.
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: _checkIP() starting.
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns debug information: extracted from local system.
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: Current WAN IP:
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: Cached IP: 24.5.66.120
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 24.5.66.120 WAN IP:
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: DynDns _update() starting.
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: DynDns _update() starting. Dynamic
> Apr 17 14:20:28 firewall php: /interfaces.php: Curl error occurred: Couldn't resolve host 'members.dyndns.org'
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: DynDns _checkStatus() starting.
> Apr 17 14:20:28 firewall php: /interfaces.php: DynDns: Current Service: dyndns
> Apr 17
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
On Sat, Apr 17, 2010 at 6:07 PM, Jeppe Øland jol...@gmail.com wrote:
> Hi there,
>
> Hopefully somebody can help me with how to diagnose this problem.
>
> I recently switched to Comcast, and I have been running great with them for a few weeks. They supplied me with a Ubee cablemodem, and last week I bought a Motorola SB6120 to replace it. Shouldn't have done that!
>
> The modem itself seems to work fine ... if I plug my Windows PC straight into it, it gets an address via DHCP and everything is fine. If I plug pfSense into it however, it never gets an address

You'll need to power cycle your modem between changing devices, most ISPs lock you to one MAC address on the modem and the previous one won't be cleared out until you power cycle it.
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
Yep I went through all that ... multiple times.
Comcast tech support also reset the lock, but the pfSense box never managed to get an IP.

On Apr 17, 2010 3:11 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Sat, Apr 17, 2010 at 6:07 PM, Jeppe Øland jol...@gmail.com wrote:
>> Hi there, Hopefully som...
>
> You'll need to power cycle your modem between changing devices, most ISPs lock you to one MAC address on the modem and the previous one won't be cleared out until you power cycle it.
Re: [pfSense Support] Microsoft Server 2008 DHCP relay
On 4/17/2010 2:17 PM, Karl Fife wrote:
> [...]As I see it, I don't mind if Microsoft 2K8 server runs the Windows parts of the network but not the whole network.
>
> Has anyone actually tried this?
>
> Thanks in advance!

I haven't tried the DHCP parts, but I have set one up for DNS thusly:

Pass the DHCP clients the AD server for DNS -- and ONLY the AD server, and then on the AD server, in the DNS server setup, set up a single forwarder: your pfSense box's LAN IP (or whatever interface it's using).

That way your DNS setup in pfSense, including any overrides and such that you have set, will still be used, and 2k8 is still happily doing DNS for whatever it needs.

At that site the DHCP was very vanilla so I had no problem letting AD take that over.

Jim
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
On Sat, Apr 17, 2010 at 6:21 PM, Jeppe Øland jol...@gmail.com wrote:
> Yep I went through all that ... multiple times.
> Comcast tech support also reset the lock, but the pfSense box never managed to get an IP.

Get a packet capture on your WAN while it's attempting. Based on the log it looks like you're sending the request and getting no response from their DHCP server.
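Added example (not part of the thread, and not pfSense code): a short Python pass over dhclient syslog lines like those quoted earlier in this thread, counting what the client sent against what a server answered and flagging a fallback to a recorded lease. The first sample is excerpted from the log in the thread; the second is a constructed healthy exchange, and the function and field names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the dhclient lines quoted in the thread (em1 is the WAN interface).
THREAD_LOG = """\
Apr 17 14:19:15 firewall dhclient[25679]: DHCPREQUEST on em1 to 255.255.255.255 port 67
Apr 17 14:19:22 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 1
Apr 17 14:20:21 firewall dhclient[25679]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 2
Apr 17 14:20:23 firewall dhclient[25679]: No DHCPOFFERS received.
Apr 17 14:20:24 firewall dhclient[25679]: Trying recorded lease 24.5.66.120
Apr 17 14:20:26 firewall dhclient[25679]: bound: renewal in 107084 seconds.
"""

# Constructed sample of a healthy exchange, for contrast (host and addresses are made up).
HEALTHY_LOG = """\
Jan  1 00:00:01 fw dhclient[100]: DHCPDISCOVER on em1 to 255.255.255.255 port 67 interval 1
Jan  1 00:00:02 fw dhclient[100]: DHCPOFFER from 192.0.2.1
Jan  1 00:00:02 fw dhclient[100]: DHCPREQUEST on em1 to 255.255.255.255 port 67
Jan  1 00:00:02 fw dhclient[100]: DHCPACK from 192.0.2.1
Jan  1 00:00:02 fw dhclient[100]: bound to 192.0.2.50 -- renewal in 43200 seconds.
"""

MSG = re.compile(r"dhclient(?:\[\d+\])?: (.*)$")               # syslog prefix, then message
SENT = re.compile(r"(DHCPDISCOVER|DHCPREQUEST) on (\S+) to ")  # client -> server
REPLY = re.compile(r"(DHCPOFFER|DHCPACK|DHCPNAK) from (\S+)")  # server -> client
CACHED = re.compile(r"Trying recorded lease (\S+)")

def summarize(log_text):
    """Count DHCP messages in each direction and flag a cached-lease fallback."""
    sent, replies, cached, no_offers = Counter(), Counter(), None, False
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        body = m.group(1)
        if (s := SENT.match(body)):
            sent[s.group(1)] += 1
        elif (r := REPLY.match(body)):
            replies[r.group(1)] += 1
        elif body.startswith("No DHCPOFFERS received"):
            no_offers = True
        elif (c := CACHED.match(body)):
            cached = c.group(1)
    return {
        "sent": dict(sent), "replies": dict(replies),
        "no_offers": no_offers, "cached_lease": cached,
        # Requests went out but nothing came back: the server side never answered.
        "server_silent": sum(sent.values()) > 0 and not replies,
        # An address configured without any ACK came from the lease file, not the server.
        "stale_address": cached is not None and replies.get("DHCPACK", 0) == 0,
    }
```

A `server_silent` result in the log only says that no reply reached dhclient; the packet capture on the WAN interface is what shows whether replies arrived on the wire at all.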
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
On Sat, Apr 17, 2010 at 5:54 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Sat, Apr 17, 2010 at 6:21 PM, Jeppe Øland jol...@gmail.com wrote:
>> Yep I went through all that ... multiple times.
>> Comcast tech support also reset the lock, but the pfSense box never managed to get an IP.
>
> Get a packet capture on your WAN while it's attempting. Based on the log it looks like you're sending the request and getting no response from their DHCP server.

Have you used the Copy my MAC address option under the WAN interface?
It works for me to use my laptop's MAC...

Hope it helps.

Cya.

--
Linux User #452368
http://twitter.com/vpadro
Everything that irritates us about others can lead us to an understanding of ourselves
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
Did you clone the MAC to overcome the modem locking, or was your problem like mine - being completely unable to get an address from pfSense after rebooting everything?

I could switch between 2 different Windows PCs after rebooting the modem, so it's not the MAC locking causing it.

On Apr 17, 2010 4:38 PM, Victor Padro vpa...@gmail.com wrote:
> On Sat, Apr 17, 2010 at 5:54 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Sat, Apr 17, 2010 ...
>
> Have you used the Copy my MAC address option under the WAN interface?
> It works for me to use my laptop's MAC...
>
> Hope it helps.
>
> Cya.
Re: [pfSense Support] pfSense 2.0 / Motorola SB6120 / Comcast = No DHCP ?
On Sat, Apr 17, 2010 at 6:52 PM, Jeppe Øland jol...@gmail.com wrote:
> Did you clone the MAC to overcome the modem locking, or was your problem like mine - being completely unable to get an address from pfSense after rebooting everything?
>
> I could switch between 2 different Windows PCs after rebooting the modem, so it's not the MAC locking causing it.
>
> On Apr 17, 2010 4:38 PM, Victor Padro vpa...@gmail.com wrote:
>> On Sat, Apr 17, 2010 at 5:54 PM, Chris Buechler cbuech...@gmail.com wrote:
>>> On Sat, Apr 17, 2010 ...
>>
>> Have you used the Copy my MAC address option under the WAN interface?
>> It works for me to use my laptop's MAC...
>>
>> Hope it helps.
>>
>> Cya.

The problem was just like yours: pfSense wasn't acquiring an IP until I cloned my laptop's MAC...

--
Linux User #452368
http://twitter.com/vpadro
Everything that irritates us about others can lead us to an understanding of ourselves
Re: [pfSense Support] Microsoft Server 2008 DHCP relay
On Sat, Apr 17, 2010 at 2:17 PM, Karl Fife karlf...@gmail.com wrote:
> We have a couple of pfSense installations that want to 'lock down' their windows workstations with Win 2K8 Server and Active Directory. As you may know, normally this requires that Win Server be the DNS DHCP server. To clarify, we're NOT talking about MS Small Business Server/exchange and all of that crap--just 'regular' 2K8, with AD for lockdown/policy etc.
>
> Can anyone say from experience whether it's 'within scope' to keep pfSense as the DHCP/DNS? In other words, is it feasible to have 2K8 server turn to pfSense via something like DHCP relay? Never played with DHCP relay.

We disabled DHCP and DNS in pfSense and do both from Active Directory. We have not had any trouble with this setup.
[pfSense Support] Snort 2.8.5.3 setup help
Upgraded from the older Snort to the new version available, running on pfSense 1.2.3. It seems like Snort is not giving alerts like the old version did. Not sure if I have it set up right or it's just not made for this version of pfSense. I checked emerging scans, then ran nmap against the WAN port, and nothing showed up in alerts.

Any suggestions on best practices would be appreciated.

Paul