Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq
Because OpenDNS does their filtering based on the source IP address, you would have to have each LAN have its own outgoing IP(s) using Outbound NAT rules. You can turn off the pfSense DNS altogether and just set the server to forward all requests it cannot resolve directly to OpenDNS.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Sun, Apr 18, 2010 at 1:24 PM, Tim Dressel <tjdres...@gmail.com> wrote:

> Hi folks,
>
> Someone else just asked a question that I responded to, but it actually triggered a question in my head, and rather than hijack the thread I thought I'd start a new one.
>
> If you use OpenDNS to filter content, it works pretty seamlessly. Let's say that you have 4 LAN connections on different subnets, and a single WAN connection. How can you use pfSense DHCP to enable different DNS-level filtering using OpenDNS? What I'm after is LAN1 to have no OpenDNS filtering, LAN2 to have filtering based upon one OpenDNS rule set, LAN3 to have different filtering from LAN2, and LAN4 to have different filtering again. I don't think this is possible with OpenDNS. Is this where dnsmasq comes into play?
>
> Then to complicate it a bit, I'd prefer to not use pfSense DHCP, but to use Windows AD integrated DNS, and use the pfSense server almost like a root hint or bypass server.
>
> Thanks in advance for your feedback...
>
> Tim
Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq
> Because OpenDNS does their filtering based on the source IP address, you would have to have each LAN have its own outgoing IP(s) using Outbound NAT rules.

I've never actually done outbound NAT. So let's say I've got multiple IP addresses bound as virtual IPs onto the physical WAN interface. I can create an outbound NAT rule so that, depending on the source subnet scope, I can have the individual traffic appear to come out of a particular virtual IP? Is that correct?

But if I'm using AD integrated DNS, would I just remove all root hints and forwarders? So then anything AD DNS could not resolve would go to OpenDNS? But would the request still come from the client or from the internal AD DNS?

I'm thinking I would have to set up DHCP to hand out three or four DNS servers then. My two internal DNS servers, and then the two OpenDNS servers at the bottom. Is anyone doing this, and what is the timeout like? I.e., how long does it take for the internal DNS servers to respond that they can't find the internet resource, and for OpenDNS to respond in the tertiary and quaternary DNS slots?

Doesn't this create a ton of DNS traffic traversing the firewall? Or am I missing something simple here?
Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq
On Sun, Apr 18, 2010 at 2:06 PM, Tim Dressel <tjdres...@gmail.com> wrote:

> > Because OpenDNS does their filtering based on the source IP address, you would have to have each LAN have its own outgoing IP(s) using Outbound NAT rules.
>
> I've never actually done outbound NAT. So let's say I've got multiple IP addresses bound as virtual IPs onto the physical WAN interface. I can create an outbound NAT rule so that, depending on the source subnet scope, I can have the individual traffic appear to come out of a particular virtual IP? Is that correct?

Yes.

> But if I'm using AD integrated DNS, would I just remove all root hints and forwarders? So then anything AD DNS could not resolve would go to OpenDNS?

You would set AD-DNS to use forwarders 208.67.222.222 and 208.67.220.220, and you would set your computers to use your server as their DNS server. Anything that your server cannot resolve would be passed to OpenDNS. *Scratch that. See below.*

> But would the request still come from the client or from the internal AD DNS?

Do you mean "Would OpenDNS see it as coming from the client or from the server?" That's a good point, and now that I think about it, I'm not sure. What you are saying below about using four DNS servers would probably work instead of using forwarders in AD-DNS. In that case, yes, you would remove the forwarders and root hints.

> I'm thinking I would have to set up DHCP to hand out three or four DNS servers then. My two internal DNS servers, and then the two OpenDNS servers at the bottom. Is anyone doing this, and what is the timeout like? I.e., how long does it take for the internal DNS servers to respond that they can't find the internet resource, and for OpenDNS to respond in the tertiary and quaternary DNS slots?

I have never tested the timing for this method, but since each computer should be caching DNS results, it probably won't be such a big deal. Best thing to do is to try it.

> Doesn't this create a ton of DNS traffic traversing the firewall?

Why does it create any more DNS traffic than doing it any other way?

> Or am I missing something simple here?

There's nothing simple here. ;)

When I set up my pfSense with OpenDNS, 3 LANs, and 2 WANs, there was a lot of trial and error, and I had the luxury of a testing network completely separate from my office network so I couldn't actually break anything. I tried a lot of things and I don't remember all of the things I tried.
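The outbound NAT arrangement Moshe describes, written out as the pf rules that pfSense generates from Firewall > NAT > Outbound in manual outbound NAT mode. This is an added illustration, not configuration from the thread or from pfSense itself; the interface name em0, the WAN block 203.0.113.0/28 (with .2 to .4 as Virtual IPs) and the LAN subnets 192.168.1.0/24 through 192.168.4.0/24 are assumptions. Only traffic to the two OpenDNS resolvers on port 53 is steered, so each LAN's ordinary browsing still leaves through the WAN address while its DNS queries carry a per-LAN source address that can be registered as a separate network, with its own filtering level, in the OpenDNS dashboard.

```pf
# Added example, not from the thread. Interface, VIPs and subnets are assumed.
wan     = "em0"
opendns = "{ 208.67.222.222, 208.67.220.220 }"

lan1_net = "192.168.1.0/24"   # unfiltered: leaves via the WAN address, not registered at OpenDNS
lan2_net = "192.168.2.0/24"   # each of these gets its own Virtual IP and its own OpenDNS network
lan3_net = "192.168.3.0/24"
lan4_net = "192.168.4.0/24"

# pf applies nat rules first-match, so the specific DNS rules must come
# before the catch-all that all other traffic uses.
nat on $wan inet proto { tcp, udp } from $lan2_net to $opendns port 53 -> 203.0.113.2
nat on $wan inet proto { tcp, udp } from $lan3_net to $opendns port 53 -> 203.0.113.3
nat on $wan inet proto { tcp, udp } from $lan4_net to $opendns port 53 -> 203.0.113.4

# Everything else from all four LANs shares the WAN interface address.
nat on $wan inet from { $lan1_net, $lan2_net, $lan3_net, $lan4_net } to any -> ($wan)
```

Two consequences of the source-address model are worth keeping in mind. Whatever sends the query to OpenDNS is what OpenDNS sees: if clients point at an AD DNS server (or at pfSense's own dnsmasq) that forwards to OpenDNS, every query arrives from that one forwarder's egress address and all of its clients receive the same policy, so per-LAN policies need either a forwarder per LAN, each NATed to its own VIP, or clients that query OpenDNS directly, which is what the DHCP hand-out approach in the thread amounts to. And the mapping must stay stable: if a VIP is renumbered or a LAN's queries fall through to the shared WAN address, that LAN silently inherits whatever policy is attached to that address.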
Re: [pfSense Support] DHCP question - OpenDNS or dnsmasq
> > Doesn't this create a ton of DNS traffic traversing the firewall?
>
> Why does it create any more DNS traffic than doing it any other way?

I've actually got a decent-sized block of public IPs to play with, so I will get started on this later in the week. The reason I am concerned about additional DNS traffic is the additional workload of a couple of thousand devices suddenly requesting name resolution. By doing it through AD, only the AD name servers do the calls to the root hints, then they cache that for the internal network.

Thanks Moshe, I'll follow up to the list to let everyone know how this worked out. I am considerably more optimistic about making this happen, and am once again amazed at how flexible pfSense is!

Cheers,
Re: [pfSense Support] DHCP question
Nathan Eisenberg wrote:
> Any easy way of telling how many DHCP leases are used/remaining in the pool?

Depends on the situation; if on a CARP setup with failover it is pretty hard to do. On a single install the diag DHCP leases page is your best indication. If you set a range from 50-100, it will start counting down from 100 to 50. So if you are at 67 it will mean there are 17 unallocated addresses. Once that expires it starts re-using previous addresses, with the oldest not seen first.

Regards,
Seth

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] DHCP Question
Well, I have the default lease time set for 60 minutes and the maximum at 1 day. The server still won't release those IPs back to the pool until it goes through the whole subnet. Generally we only have about 40 users a day, which would be fine, but occasionally we get around 80-90 with meetings and this would go beyond our 1:1 mappings. If we never went over 59 users I'd set the range from 194-253 and call it done (and this works fine: as soon as it goes through the subnet it starts back with the released IPs). But again, it feels the need to finish the subnet before going back to the retired IPs. Was just wondering if there was a way to turn up the aggressiveness of the server so that it will use the retired IPs as soon as they are, well, retired. If this can't be done it's not really that big of a deal; most users don't have trouble with NAT, it's just a few here and there.

Thanks guys,
-Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob Terhaar
Sent: Monday, October 30, 2006 6:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Question

On 10/30/06, Tim Dickson <[EMAIL PROTECTED]> wrote:
> I have a DHCP range set up on one of my interfaces of 192.168.1.100 – 253. I have 1:1 mappings on 192.168.1.194 – 253. I would like it to use those in the 1:1 range before going below. We are a hotel, and so have a high turnaround time for DHCP. I have it set up for a day's release, but it still seems to go through the list before reassigning those IPs that have expired. Is there a way to turn up the aggressiveness of DHCP? I want to leave the range rather large in case we have a full house, but would like to stick with the 1:1s because it helps alleviate a lot of VPN and general connectivity issues for our guests. Any comments welcome.
>
> -Tim

I'm not sure how to set it in pfSense, but the key phrase that you're looking for here is "lease time". If you're generally getting hundreds of clients on the same subnet you should consider adding additional subnets to your network.
Re: [pfSense Support] DHCP Question
On 10/30/06, Tim Dickson <[EMAIL PROTECTED]> wrote:
> I have a DHCP range set up on one of my interfaces of 192.168.1.100 – 253. I have 1:1 mappings on 192.168.1.194 – 253. I would like it to use those in the 1:1 range before going below. We are a hotel, and so have a high turnaround time for DHCP. I have it set up for a day's release, but it still seems to go through the list before reassigning those IPs that have expired. Is there a way to turn up the aggressiveness of DHCP? I want to leave the range rather large in case we have a full house, but would like to stick with the 1:1s because it helps alleviate a lot of VPN and general connectivity issues for our guests. Any comments welcome.
>
> -Tim

I'm not sure how to set it in pfSense, but the key phrase that you're looking for here is "lease time". If you're generally getting hundreds of clients on the same subnet you should consider adding additional subnets to your network.
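Both DHCP threads above come down to reading the lease database: Seth's answer (count what the leases page shows against the configured range) and the hotel thread's question of when expired addresses in the 1:1 block 192.168.1.194-253 become reusable. The following is an added example, not code from either thread or from pfSense: a small Python parser for the ISC dhcpd leases file that pfSense's DHCP server writes (on pfSense that file sits under the chrooted path /var/dhcpd/var/db/dhcpd.leases, an assumption about layout that the example does not depend on). It keeps the last record per address, since dhcpd appends a new record on every change, counts an address as occupied only while its binding state is active and its end time, which dhcpd writes in UTC, is still in the future, and reports used/free counts for any inclusive range. The lease records and the clock value NOW are constructed sample data.

```python
"""Count DHCP pool usage from an ISC dhcpd.leases file (added example)."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of a dhcpd.leases file. dhcpd appends a record every
# time a lease changes, so one address can appear several times and the
# LAST record for an address is the current one. Timestamps are UTC.
SAMPLE_LEASES = """\
lease 192.168.1.100 {
  starts 0 2010/04/18 16:00:00;
  ends 0 2010/04/18 17:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:01;
  client-hostname "room-101";
}
lease 192.168.1.101 {
  starts 0 2010/04/18 15:00:00;
  ends 0 2010/04/18 16:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:02;
}
lease 192.168.1.100 {
  starts 0 2010/04/18 17:10:00;
  ends 0 2010/04/18 18:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:01;
  client-hostname "room-101";
}
lease 192.168.1.200 {
  starts 0 2010/04/18 17:20:00;
  ends 0 2010/04/18 18:20:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:03;
}
lease 192.168.1.210 {
  starts 0 2010/04/18 12:00:00;
  ends 0 2010/04/18 13:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:04;
}
"""

# Constructed "current time" used to evaluate the sample above.
NOW = datetime(2010, 4, 18, 17, 30, tzinfo=timezone.utc)

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.DOTALL)
ENDS_RE = re.compile(
    r"^\s*ends\s+(never|\d\s+\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s*;", re.MULTILINE)
STATE_RE = re.compile(r"^\s*binding\s+state\s+(\w+)\s*;", re.MULTILINE)
MAC_RE = re.compile(r"^\s*hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;", re.MULTILINE)


def _parse_dhcpd_time(text):
    """'W YYYY/MM/DD HH:MM:SS' (UTC) -> aware datetime; 'never' -> None."""
    if text == "never":
        return None
    _weekday, date, clock = text.split()
    parsed = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: {"ends", "state", "mac"}}, keeping the last record per address."""
    leases = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        ends = ENDS_RE.search(body)
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        leases[ip] = {
            "ends": _parse_dhcpd_time(ends.group(1)) if ends else None,
            # dhcpd 2.x files carry no binding state; treat those records as active.
            "state": state.group(1) if state else "active",
            "mac": mac.group(1) if mac else None,
        }
    return leases


def is_active(lease, now):
    """An address is occupied only while its lease is active and not yet expired."""
    if lease["state"] != "active":
        return False
    return lease["ends"] is None or lease["ends"] > now


def pool_usage(leases, first, last, now):
    """Used/free counts for the inclusive address range first..last."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    used = sum(
        1 for ip, lease in leases.items()
        if lo <= int(ipaddress.IPv4Address(ip)) <= hi and is_active(lease, now)
    )
    total = hi - lo + 1
    return {"total": total, "used": used, "free": total - used}


def expired_addresses(leases, now):
    """Addresses whose last record still says 'active' but whose lease has run out.
    These are the 'retired' addresses the hotel thread wants reused sooner."""
    return sorted(
        ip for ip, lease in leases.items()
        if lease["state"] == "active" and lease["ends"] is not None and lease["ends"] <= now
    )


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("whole pool .100-.253:", pool_usage(leases, "192.168.1.100", "192.168.1.253", NOW))
    print("1:1 block  .194-.253:", pool_usage(leases, "192.168.1.194", "192.168.1.253", NOW))
    print("expired but still listed:", expired_addresses(leases, NOW))
```

The counting rule is the part that matters for the question Nathan asked: a record whose binding state is active but whose end time has passed still appears in the leases page, so counting visible entries overstates the used addresses; the range arithmetic only works once expired and freed records are excluded, as the sample's .210 and .101 entries show.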