AWS with pfSense Part 4: Running a domain controller in AWS with pfSense

Running a domain controller in AWS with pfSense was one of the main goals I had for this whole project. It took a fair bit of research to get everything up and running but I eventually figured it out with the help of the forum (thanks, guys!).

This tutorial assumes you are using the pfSense DNS Resolver.

If you followed the previous tutorial, you have a working site-to-site VPN tunnel between your AWS VPC and the pfSense firewall inside your company network. I will not show you how to set up a domain controller as an EC2 instance; there are plenty of tutorials out there (if you want me to cover it, let me know in the comments though).

I assume you know how to promote a Windows Server 2016 to a domain controller.

So why an extra tutorial on this? Because we need to forward DNS requests for our domain to the domain controller, so our clients can find the domain controller and each other.

pfSense will still handle all outgoing DNS requests destined for the internet; we will set pfSense up to override only DNS requests for our domain.

If you try to join a client to your domain, you will not be able to do so, because pfSense doesn’t have a DNS entry for your domain.

Let us go through the steps real quick.


Part 1 Setting up a Domain Override in pfSense

1.1 Setting up a Domain Override in pfSense

- Open your pfSense Web Interface and navigate to: Services / DNS Resolver / General Settings and scroll all the way to the bottom
- Click on +Add under Domain Overrides


1.2 Setting up a Domain Override in pfSense

- 1 Check if you are on Services / DNS Resolver / General Settings / Edit Domain Override
- 2 Enter the name of your Domain
- 3 Enter the IP Address of your Domain Controller
- 4 Enter a description
- Click on Save
- Click on Apply Changes


1.3 Setting up a Domain Override in pfSense

- Scroll down all the way to the bottom and check if the Domain Override was applied correctly


Now comes the part that caused me a little headache to figure out, but thanks to the pfSense forum again, I was able to find a solution. This problem seems to have been around for many years, but fortunately there is a workaround for it.

You need to change your Outgoing Network Interfaces on the DNS Resolver from ALL to LAN + Localhost.


Part 2 Applying the workaround

2.1 Applying the workaround

- Navigate to Services / DNS Resolver / General Settings
- Find Outgoing Network Interfaces
- Mark ONLY LAN and Localhost
- Scroll down and click on Save
- Click on Apply Changes
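As an added check (example code written for this post, not from the tutorial or from pfSense itself): a small Python script that verifies both settings in the Unbound configuration pfSense generates. The file path, the exact stanza layout and all addresses are assumptions or constructed samples; point it at the real files over SSH if you want to confirm the GUI applied them.

```python
"""Check the two DNS Resolver settings this tutorial changes (added example,
not the tutorial's code). Parses the Unbound fragments pfSense generates;
file name, stanza layout and all addresses are assumptions/constructed."""
import ipaddress
import re

# Constructed domain override (step 1.2) as pfSense writes it to
# /var/unbound/domainoverrides.conf (assumed path).
DOMAIN_OVERRIDES = """\
forward-zone:
\tname: "corp.example.local"
\tforward-addr: 10.0.1.10
"""
# Constructed outgoing-interface lines of unbound.conf with "ALL" selected:
# 192.168.1.1 is LAN, 203.0.113.5 stands in for the WAN address.
UNBOUND_CONF_BEFORE = """\
server:
outgoing-interface: 192.168.1.1
outgoing-interface: 127.0.0.1
outgoing-interface: 203.0.113.5
"""
# The same file after step 2.1 (LAN + Localhost only).
UNBOUND_CONF_AFTER = UNBOUND_CONF_BEFORE.replace("outgoing-interface: 203.0.113.5\n", "")

def parse_forward_zones(text):
    """Return {zone: [forward addresses]} from Unbound forward-zone stanzas."""
    zones, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("name:"):
            current = line.split(":", 1)[1].strip().strip('"').rstrip(".").lower()
            zones.setdefault(current, [])
        elif line.startswith("forward-addr:") and current:
            zones[current].append(line.split(":", 1)[1].strip())
    return zones

def check_domain_override(text, domain, dc_ip):
    """True if queries for `domain` are forwarded to the DC address."""
    return dc_ip in parse_forward_zones(text).get(domain.lower().rstrip("."), [])

def check_outgoing_interfaces(text, lan_addrs):
    """(True, None) if every outgoing-interface is LAN or loopback, otherwise
    (False, address): the resolver may still source queries from elsewhere."""
    allowed = {ipaddress.ip_address(a) for a in lan_addrs}
    for match in re.finditer(r"^\s*outgoing-interface:\s*(\S+)", text, re.M):
        addr = ipaddress.ip_address(match.group(1))
        if not (addr.is_loopback or addr in allowed):
            return False, str(addr)
    return True, None
```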


And that’s it! Now you should be able to join your domain with a computer inside your local network. If you have any suggestions, leave them below in the comments. I will also make a video on this soon.


7 thoughts on “AWS with pfSense Part 4: Running a domain controller in AWS with pfSense”

  • May 3, 2017 at 6:16 pm

    I see some devices given at the bottom as “related products” to this pfSense article. Are those devices certified or tested on pfSense?

    • May 3, 2017 at 7:02 pm

      Hi Muneeb,

      I am not sure if they are certified, but they have certainly proved themselves worthy of recommending. A few professional colleagues are using them in the US. The thing is, I am located in Germany; for private use I use a PC Engines APU.1D4, and in our corporate environment I use a Lanner FW-7525. Both of them are excellent products, but unfortunately not available on the US Amazon, hence I recommended those that are available.

      Hope this helps.

    • May 3, 2017 at 11:27 pm

      Yea, very decent appliances. Would love to review some of their stuff if they get in touch.


  • September 5, 2017 at 11:02 pm

    Hi, You have some really great articles. Thank you for taking the time/effort to post these for everyone to benefit from.

    I have a question: I was wondering if you see any obvious explanation for why a device on the network cannot access anything beyond the pfSense (internal/private) network address. From 192.* I can’t hit the Windows Server instance, nor can it hit anything on the 192.* network. The 192.* network can hit both NICs on pfSense. The Windows Server instance can hit both NICs on pfSense as well.

    Any suggestions would be appreciated!!!!

    • September 6, 2017 at 10:10 am

      Thanks. Appreciate it. That’s hard to say with so little information. Did you check all the obvious things like your NACL, Routing Table and so on?

