I am attempting to use a CCR1009-8G-1S-1S+ as a core network router to provide basic routing between multiple internal subnets. However, while IP routing seems to be working fine via ping tests, I’m having trouble accessing domain resources such as file shares, etc., due to a possible Active Directory authentication problem.
I’d like to determine whether RouterOS with default configuration may be filtering any routed packets, or whether additional configuration may be required to correctly pass all required packets to support domain authentication/security protocols.
If you can ping the AD server, then the Active Directory problems are normally a Windows firewall issue. Ensure you are allowing the correct ports through the AD server firewall. Do a Google search for Active Directory firewall ports.
If you have Windows Firewall, be sure that you have correctly allowed the necessary firewall rules. Windows classifies networks behind a router as public networks (they are not on the same subnet as the server), and the system applies different firewall rules (for public networks).
Did you check this?
You can use the packet sniffer in MikroTik. Capture packets on all interfaces, and if you see the same packet (same dst+src IP and port) received on the “in” interface and transmitted from the “out” interface, the router accepts this traffic.
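The in/out comparison suggested above, as an added example that is not part of the original thread: it matches each flow received on one interface against the same 5-tuple transmitted on another, and also checks whether a reply came back. The CSV record layout, interface names and addresses are constructed for illustration and are not RouterOS sniffer output; it assumes no NAT between the subnets and ignores traffic addressed to the router itself.

```python
import csv
from collections import defaultdict

# Constructed sample, one sniffed packet per line:
# interface,direction,proto,src,sport,dst,dport (hypothetical layout)
SAMPLE = """\
ether2,rx,tcp,10.0.20.15,49152,10.0.10.5,445
ether1,tx,tcp,10.0.20.15,49152,10.0.10.5,445
ether2,rx,tcp,10.0.20.15,49153,10.0.10.5,88
ether1,tx,tcp,10.0.20.15,49153,10.0.10.5,88
ether1,rx,tcp,10.0.10.5,88,10.0.20.15,49153
ether2,tx,tcp,10.0.10.5,88,10.0.20.15,49153
ether2,rx,tcp,10.0.20.15,49154,10.0.10.5,389
ether2,rx,udp,10.0.20.15,50000,10.0.10.5,53
ether1,tx,udp,10.0.20.15,50000,10.0.10.5,53
"""

def parse(text):
    """Yield (iface, direction, flow); flow = (proto, src, sport, dst, dport)."""
    for row in csv.reader(text.splitlines()):
        if not row:
            continue  # skip blank lines
        iface, direction, proto, src, sport, dst, dport = row
        yield iface, direction, (proto, src, int(sport), dst, int(dport))

def reverse(flow):
    """Return the 5-tuple of the reply direction."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)

def classify(text):
    """Map every received flow to what the router and the far end did with it."""
    rx, tx = defaultdict(set), defaultdict(set)
    for iface, direction, flow in parse(text):
        (rx if direction == "rx" else tx)[flow].add(iface)
    result = {}
    for flow, in_ifaces in rx.items():
        # Forwarded means the same 5-tuple left through a different interface.
        if not tx.get(flow, set()) - in_ifaces:
            result[flow] = "not_forwarded"        # look at the router
        elif reverse(flow) in rx:
            result[flow] = "forwarded_with_reply"
        else:
            result[flow] = "forwarded_no_reply"   # look at the destination host
    return result

if __name__ == "__main__":
    for flow, status in classify(SAMPLE).items():
        print(status, flow)
```

A flow marked `forwarded_no_reply` left the router but drew no answer, which points at the destination host's firewall rather than the router; `not_forwarded` points at the router.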
Thanks for the feedback so far, will take a look at both suggestions. Been looking at /ip firewall connections and couldn’t spot any issues there.
Interesting question; I’ve added and associated an additional subnet to the primary site. As it is a well-connected network (local routed 1Gbps) it doesn’t require a separate site; DHCP relay takes care of IP address allocation and DNS is provided by the DC in the primary network (primary site). I’ve also added the routed subnet to the Forefront TMG “internal” network and configured the appropriate persistent static route, so everything should be shiny, except it seems I’ve either missed something or the Cloud Router is throwing a wrench in the works. I’m considering using a different router to determine whether the latter is the case.