Routing and Windows Domain

Hello everybody,

I have been lurking in the shadows for the last few months, just trying to learn MikroTik routers, since I have only had experience with Cisco Small Business. So without further ado, here is my question(s):

My coworker and I recently went through a flat network shared between four buildings and subnetted it out into four networks for each building. These subnets are programmed into a Cisco SG500 at each location. From there, three of the locations go over a PtP wireless link back to an omnidirectional wireless PtP that connects into an RB1100AHx2 through a connector address. After reaching the MikroTik, the system should be sending all IP traffic to our domain controller for DHCP, DNS and Active Directory if need be, or to our VoIP phone system. I also have an EoIP tunnel set up for another location, which likewise reports back to the RB1100AH for DHCP, DNS and the domain, but no VoIP.

My question: we are having some really weird domain issues, like not being able to ping hosts by name, which is causing other domain issues on the Active Directory side of things. We had a domain admin come in and take a look at things, and he thinks there is something going on in our RB1100AHx2 that is "transforming" our network somehow and causing our issues. He thinks it is not the routing but something else. Below is the current config of the RB1100AHx2 (hopefully I got all personal info out). Can anybody tell me if they see anything strange or funny going on?

*The MikroTik RB1100AHx2 was preexisting hardware that we never reset in our travels. We had a young gentleman, who said he knew MikroTik very well, go through it and remove old network info. I have a feeling this may be part of our issue, but I am not sure.

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK



[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level

[admin@Main] > /export

jun/04/2016 10:19:50 by RouterOS 6.35.2

software id = EJQ5-25K9

# Interface layer: four bridges, renamed Ethernet ports, one EoIP tunnel and neighbor-discovery settings.
/interface bridge
# NOTE(review): the bridge is spelled "EIOP" (not "EoIP"); the bridge-port and address entries later in
# this export use the same spelling, so the references are consistent.
add mtu=1500 name=EIOP
add mtu=1500 name=VPN
add mtu=1500 name=LAN
add mtu=1500 name=WAN protocol-mode=none
/interface ethernet
# NOTE(review): the names set here for ether6, ether9, ether10 and ether11 differ from the names used in
# later sections ("ether6-Fiber", "ether9-DealerTrack Gateway", "ether10-VOIP-WAN", "ether11-VOIP-LAN").
# Either the paste was hand-edited or those later entries are stale - confirm on the router.
set [ find default-name=ether2 ] name="ether2-Server Switch"
set [ find default-name=ether3 ] name=ether3-Downstairs-POE-Gig
set [ find default-name=ether5 ] name="ether5-AP Omni"
set [ find default-name=ether6 ] comment=WAN name="ether6-Rise Fiber"
set [ find default-name=ether9 ] name="ether9-DMS Gateway"
set [ find default-name=ether10 ] name=ether10-Allworx-WAN
set [ find default-name=ether11 ] name=ether11-Allworx-LAN
/interface eoip
# Layer-2 tunnel between the two redacted addresses; "!keepalive" leaves the keepalive unset.
# NOTE(review): no ipsec-secret appears on this entry. Unless it was removed with the other redactions,
# the bridged frames cross the path between the two sites unencrypted - confirm.
add allow-fast-path=no !keepalive local-address=xx.xx.xxx.xxx mac-address=
02:8F:AD:75:AA:15 mtu=1500 name="Main to Twin" remote-address=xxx.xx.xx.xxx
tunnel-id=0
/ip neighbor discovery
# Discovery is switched off on the WAN bridge only; the entry for the physical uplink port just sets a
# comment. NOTE(review): verify discovery is not still running on the Internet-facing port, since it
# advertises the router's identity and version to whoever is on that segment.
set "ether6-Rise Fiber" comment=WAN
set WAN discover=no
# Defaults that were touched: wireless security profile identity, a DHCP option for TFTP, and the
# default IPsec proposal.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 66 (TFTP server name) pointing at 192.168.77.254; referenced by the 192.168.77.0/24
# DHCP network entry further down.
add code=66 name=TFTP value="'192.168.77.254'"
/ip ipsec proposal
# NOTE(review): the default proposal offers only 3DES, a legacy 64-bit-block cipher. No IPsec peers or
# policies appear in this export, so the proposal may be unused; if IPsec is ever enabled, move this
# to an AES-based proposal first.
set [ find default=yes ] enc-algorithms=3des
# Address pools for the router's own DHCP servers and for PPTP clients.
/ip pool
# NOTE(review): dhcp_pool1 uses a comma, not a hyphen, between the two addresses. As far as I know
# that defines two single addresses (.40 and .253) rather than the range .40-.253 - confirm intent.
add name=dhcp_pool1 ranges=192.168.77.40,192.168.77.253
add name=VPN ranges=172.16.0.2-172.16.0.7
# NOTE(review): "Subaru Voip" and "Subaru guest" (below) are both 10.0.18.2-10.0.18.254. The other
# sites follow an employee/guest/voip pattern on consecutive /24s, and a 10.0.17.0/24 DHCP network
# exists with no matching pool, so one of the two is presumably a typo.
add name="Subaru Voip" ranges=10.0.18.2-10.0.18.254
# NOTE(review): "Core Network" spans 192.168.77.2-.254, which overlaps dhcp_pool1 and includes the
# addresses this export uses for the DHCP/DNS servers (.49, .50) and the TFTP option (.254).
add name="Core Network" ranges=192.168.77.2-192.168.77.254
add name="GM Employee" ranges=10.0.8.2-10.0.8.254
add name="GM Guest" ranges=10.0.9.2-10.0.9.254
add name="GM Voip" ranges=10.0.10.2-10.0.10.254
add name="Admin Employee" ranges=10.0.12.2-10.0.12.254
add name="Admin Guest" ranges=10.0.13.2-10.0.13.254
add name="Admin Voip" ranges=10.0.14.2-10.0.14.254
add name="Subaru Employee" ranges=10.0.16.2-10.0.16.254
add name="Subaru guest" ranges=10.0.18.2-10.0.18.254
add name="Twin Employee" ranges=10.0.20.2-10.0.20.254
add name="Twin Guest" ranges=10.0.21.2-10.0.21.254
add name="Twin Voip" ranges=10.0.22.2-10.0.22.254
# DHCP server instances on the router and the PPP profiles used by the PPTP service.
/ip dhcp-server
# Three server entries are bound to the same LAN bridge. Only the "vpn" entry carries an explicit
# disabled=no. NOTE(review): the other three are presumably disabled (an export normally shows
# disabled=no on enabled servers) - confirm, because a router-side server answering on LAN would
# compete with the domain controller's DHCP and hand out the DNS list from "/ip dhcp-server network".
add address-pool=dhcp_pool1 interface=LAN name=dhcp1
add address-pool="Subaru Voip" interface=LAN lease-time=1d name=Subaru
# NOTE(review): interface is written "vpn" here while the bridge above is named "VPN" - verify which
# interface this actually binds to.
add address-pool=VPN always-broadcast=yes disabled=no interface=vpn
lease-time=1d name=vpn
add address-pool="Core Network" interface=LAN lease-time=6h name="Core Network"
/ppp profile
# PPTP-Bridge attaches PPP sessions straight onto the LAN bridge.
add bridge=LAN change-tcp-mss=yes name=PPTP-Bridge
# The "vpn" profile gives clients 8.8.8.8 as their only DNS server, so VPN users cannot resolve
# internal (Active Directory) names and their lookups for internal hostnames go to a public resolver.
# NOTE(review): use-encryption=yes requests MPPE; verify whether this setting actually refuses a
# session that negotiates no encryption.
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=xx.xx.xxx.xxx name=
vpn remote-address=VPN use-compression=yes use-encryption=yes
# One simple queue for the Subaru /22 and the size of the two default log buffers.
/queue simple
# No rate limits are shown on this queue; it is referenced by "/tool graphing queue" at the end of
# the export, so it presumably exists only for traffic graphs.
add name=Subaru target=10.0.16.0/22
/system logging action
# NOTE(review): 100 lines in memory and 100 lines per disk file is very little history for
# troubleshooting or for reviewing login attempts; no remote (syslog) logging action is shown.
set 0 memory-lines=100
set 1 disk-lines-per-file=100
# Bridge membership: which physical/tunnel interfaces are switched together.
/interface bridge port
# Every inside port - server switch, wireless uplink, phone-system LAN side, DMS gateway - is a
# member of the single LAN bridge, so all of them share one layer-2 broadcast domain. The three
# "connector" /30 networks and the 192.168.77.0/24 server network (see "/ip address") therefore sit
# on the same wire; the subnetting is not enforced by any port or VLAN separation on this router.
add bridge=LAN interface=ether1
add bridge=LAN interface="ether2-Server Switch"
add bridge=LAN interface=ether3-Downstairs-POE-Gig
add bridge=LAN interface=ether4
add bridge=LAN interface="ether5-AP Omni"
add bridge=WAN interface="ether6-Rise Fiber"
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
# NOTE(review): this places the phone system's WAN port on the same bridge as the ISP fiber, i.e.
# directly on the Internet-facing segment. The name also differs from the one set under
# "/interface ethernet" (ether10-Allworx-WAN) - confirm which is current.
add bridge=WAN interface=ether10-VOIP-WAN
add bridge=LAN interface=ether11-VOIP-LAN
add bridge=LAN interface=ether12
add bridge=LAN interface=ether13
# NOTE(review): the next two entries have no interface. They look like leftovers from interfaces
# that were deleted during the earlier clean-up and should be reviewed and removed.
add bridge=LAN
add bridge=LAN
add bridge=LAN interface="ether9-DMS Gateway"
add bridge=EIOP interface="Main to Twin"
# PPTP VPN server, enabled, using the "default" PPP profile unless a secret names another one.
/interface pptp-server server
# NOTE(review): all four authentication methods are accepted. PAP sends the password in clear text,
# and CHAP/MS-CHAPv1 are obsolete; PPTP with MS-CHAPv2 is itself regarded as broken. Every firewall
# filter rule in this export is disabled, so this service is presumably reachable from the WAN.
# At minimum restrict this to mschap2 and limit source addresses; preferably replace PPTP with an
# IPsec-based or TLS-based VPN.
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=yes
# Layer-3 addressing, plus the router's own DHCP client and DHCP relay on the LAN bridge.
/ip address
add address=xx.xx.xxx.xxx/29 interface=WAN network=xx.xx.xxx.xxx
# Disabled entry with no interface; 192.168.105.x is still referenced by the disabled RDP dst-nat,
# the disabled DMS routes and the OSPF network later in the export.
add address=192.168.105.1/24 disabled=yes network=192.168.105.0
# Seven different subnets are addressed on the one LAN bridge (four /24s and three /30 connectors).
# NOTE(review): 192.168.79.0/24, 172.25.2.0/24 and 172.25.3.0/24 are not mentioned anywhere else in
# this export - presumably remnants of the old network; confirm whether they are still needed.
add address=192.168.77.1/24 interface=LAN network=192.168.77.0
add address=192.168.79.1/24 interface=LAN network=192.168.79.0
add address=172.25.2.1/24 interface=LAN network=172.25.2.0
add address=172.25.3.1/24 interface=LAN network=172.25.3.0
add address=10.0.255.1/30 comment="Subaru connector" interface=LAN network=
10.0.255.0
# NOTE(review): the interface is /28 here, while the VPN DHCP network and NAT rule use
# 172.16.0.0/29 and the VPN pool ends at .7 (the /29 broadcast address) - the masks disagree.
add address=172.16.0.1/28 interface=vpn network=172.16.0.0
add address=10.0.255.5/30 comment="Admin connector" interface=LAN network=
10.0.255.4
add address=10.0.255.9/30 comment="Main connector" interface=LAN network=
10.0.255.8
add address=10.0.255.17/30 comment="Connector for Mikrotiks" interface=EIOP
network=10.0.255.16
/ip dhcp-client
# The router itself requests a DHCP lease on the LAN bridge, on top of its static addresses.
# NOTE(review): this looks unintended; the lease can add an extra address (and DNS/NTP settings,
# depending on defaults not shown here) to the LAN interface. add-default-route=no at least keeps
# it from installing a default route.
add add-default-route=no dhcp-options=hostname,clientid interface=LAN
/ip dhcp-relay
# Relays DHCP requests heard on LAN to 192.168.77.50, using 192.168.77.1 as the relay address.
# NOTE(review): 192.168.77.50 is on the same bridged LAN the relay listens on, so local clients
# already reach it by broadcast; confirm which device is meant to relay for the 10.0.x.x subnets.
add dhcp-server=192.168.77.50 disabled=no interface=LAN local-address=
192.168.77.1 name=Main
# Per-subnet options handed out by the router's DHCP servers, and the router's own upstream DNS.
# Every internal network lists the public resolver 8.8.8.8 FIRST and the internal servers
# (192.168.77.50, 192.168.77.49) after it. A client that asks 8.8.8.8 for an internal hostname gets
# "no such name" as a valid answer and normally does not retry the next server - which matches the
# "cannot ping hosts by name" symptom described in the post. It also sends internal hostnames to a
# third-party resolver. Domain-joined clients should be given only the domain's DNS servers.
# NOTE(review): these options only reach clients that get their lease from this router; if the
# domain controller serves DHCP (see the relay to 192.168.77.50), check its scope options as well.
/ip dhcp-server network
add address=10.0.8.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49 gateway=
10.0.8.1
add address=10.0.9.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49 gateway=
10.0.9.1
add address=10.0.10.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.10.1
add address=10.0.12.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.12.1
add address=10.0.13.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.13.1
add address=10.0.14.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.14.1
add address=10.0.16.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.16.1
add address=10.0.17.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.17.1
add address=10.0.18.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.18.1
add address=10.0.20.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.20.1
add address=10.0.21.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.21.1
add address=10.0.22.0/24 dns-server=8.8.8.8,192.168.77.50,192.168.77.49
gateway=10.0.22.1
# VPN clients get the public resolver only.
add address=172.16.0.0/29 dns-server=8.8.8.8 gateway=172.16.0.1
add address=192.168.77.0/24 dhcp-option=TFTP dns-server=
8.8.8.8,192.168.77.50,192.168.77.49 gateway=192.168.77.1 ntp-server=
64.246.132.14,208.87.104.40
/ip dns
# The router itself resolves through the internal server 192.168.77.50. Whether the router also
# answers DNS queries from the network (allow-remote-requests) is not shown in this export.
set servers=192.168.77.50
# Firewall address lists and filter rules.
/ip firewall address-list
# "PRIVATE" = RFC 1918 ranges plus loopback and multicast; used by the "NAT for DIA" rule to avoid
# masquerading traffic whose destination is internal.
add address=10.0.0.0/8 list=PRIVATE
add address=192.168.0.0/16 list=PRIVATE
add address=172.16.0.0/12 list=PRIVATE
add address=127.0.0.0/8 list=PRIVATE
add address=224.0.0.0/4 list=PRIVATE
/ip firewall filter
# IMPORTANT: every rule in this table carries disabled=yes. As exported, the router filters
# nothing - traffic to the router itself (input) and traffic through it (forward) falls through to
# the default accept. Management services and the PPTP server are therefore not protected from the
# WAN side by any rule shown here, and guest subnets are not separated from employee/server subnets.
# A minimal baseline would accept established/related traffic, accept management only from trusted
# internal addresses, and drop everything else arriving on the WAN interface.
#
# The "Allow Facebook" entries have no action set, which means accept.
add chain=forward comment="Allow Facebook for PC" disabled=yes
src-address=10.0.12.40
add chain=forward comment="Allow Facebook for PC" disabled=yes src-address=
10.0.12.16
add chain=forward comment="Allow Facebook for PC" disabled=yes src-address=
10.0.12.15
add chain=forward comment="Allow Facebook for PC" disabled=yes src-address=
10.0.12.26
add chain=forward comment="Allow Facebook for PC" disabled=yes src-address=
10.0.12.9
# NOTE(review): layer7-protocol=*3 and *4 are raw internal ids, which is how an export prints a
# reference to an item that no longer exists; no "/ip firewall layer7-protocol" section is present.
# These four rules are dangling and could not match even if re-enabled.
add action=drop chain=forward comment="Block Facebook" disabled=yes
layer7-protocol=*3 src-address=10.0.12.0/24
add action=drop chain=forward comment="Block Facebook" disabled=yes
layer7-protocol=*3 src-address=10.0.16.0/24
add action=drop chain=forward comment="Block Twitter" disabled=yes
layer7-protocol=*4 src-address=10.0.12.0/24
add action=drop chain=forward comment="Block Twitter" disabled=yes
layer7-protocol=*4 src-address=10.0.16.0/24
add action=drop chain=forward disabled=yes src-address=123.151.42.61
add action=drop chain=forward disabled=yes src-address=188.138.1.218
# FTP brute-force throttle: drop sources on ftp_blacklist; the output-chain rules watch for the
# server's "530 Login incorrect" reply and blacklist the destination for 3h once the limit is
# exceeded. Disabled.
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content="530 Login incorrect"
disabled=yes protocol=tcp
# SSH brute-force throttle: each new connection to port 22 promotes the source one stage
# (stage1 -> stage2 -> stage3, 1 minute each); a further attempt while on stage3 lands on
# ssh_blacklist for 1w3d, and blacklisted sources are dropped. Disabled.
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new disabled=yes
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new disabled=yes
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new disabled=yes
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new disabled=yes
dst-port=22 protocol=tcp
# Packet marking, NAT rules, NAT helper settings and the web-proxy cache path.
/ip firewall mangle
# Marks packets from one MAC address as "Social". Nothing else in this export consumes that mark.
add action=mark-packet chain=prerouting new-packet-mark=Social src-mac-address=
00:18:FE:33:DE:1A
/ip firewall nat
# Internet NAT: masquerade only when leaving via WAN toward a destination that is not in PRIVATE,
# so traffic between internal subnets is routed without address translation.
add action=masquerade chain=srcnat comment="NAT for DIA" dst-address-list=
!PRIVATE out-interface=WAN
# NOTE(review): no out-interface on this rule, so VPN client traffic is masqueraded on every exit
# interface, including toward the LAN. Internal servers then see the router's address instead of
# the VPN client's, which hides the real client in server logs and access controls.
add action=masquerade chain=srcnat comment="NAT for VPN" src-address=
172.16.0.0/29
# NOTE(review): "ether9-DealerTrack Gateway" does not match the ether9 name set under
# "/interface ethernet" ("ether9-DMS Gateway"). Rule is disabled.
add action=masquerade chain=srcnat comment="NAT for DMS" disabled=yes
out-interface="ether9-DealerTrack Gateway"
# Disabled port-forward of RDP (tcp/3389) from the WAN to 192.168.105.2. It should stay disabled or
# be deleted: with no active filter rules it would expose RDP to the whole Internet.
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=WAN
protocol=tcp to-addresses=192.168.105.2 to-ports=3389
/ip firewall service-port
# SIP NAT helper turned off.
set sip disabled=yes
/ip proxy
# Only the cache path is set; whether the web proxy is enabled is not shown in this export.
set cache-path=web-proxy1
# Static routing: default route plus one summary route per remote site via its connector /30.
/ip route
# Default route (no dst-address) via the redacted ISP gateway, monitored by ping.
add check-gateway=ping distance=1 gateway=xx.xx.xxx.xxx
# Each site's /22 is reached through the far end of its connector network:
#   10.0.8.0/22  -> 10.0.255.10 ("Main connector")
#   10.0.12.0/22 -> 10.0.255.6  ("Admin connector")
#   10.0.16.0/22 -> 10.0.255.2  ("Subaru connector")
#   10.0.20.0/22 and 10.0.254.0/24 -> 10.0.255.18 (on the EIOP bridge, i.e. across the EoIP tunnel)
add distance=1 dst-address=10.0.8.0/22 gateway=10.0.255.10
add distance=1 dst-address=10.0.12.0/22 gateway=10.0.255.6
add distance=1 dst-address=10.0.16.0/22 gateway=10.0.255.2
add distance=1 dst-address=10.0.20.0/22 gateway=10.0.255.18
add distance=1 dst-address=10.0.254.0/24 gateway=10.0.255.18
# Disabled routes to the DMS provider via 192.168.105.2; the 192.168.105.1 address on this router
# is also disabled, so these are presumably leftovers.
add check-gateway=ping comment=DMS disabled=yes distance=1 dst-address=
74.200.107.0/24 gateway=192.168.105.2
add check-gateway=ping comment=DMS disabled=yes distance=1 dst-address=
74.200.110.0/23 gateway=192.168.105.2
add check-gateway=ping comment=DMS disabled=yes distance=1 dst-address=
208.67.188.32/27 gateway=192.168.105.2
add check-gateway=ping comment=DMS disabled=yes distance=1 dst-address=
208.67.188.96/27 gateway=192.168.105.2
# Router management services and PPP (VPN) user accounts.
/ip service
# telnet, api and api-ssl are turned off. ftp, ssh, www and winbox are not listed, which in an
# export means they are unchanged from their defaults. NOTE(review): presumably they are still
# enabled with no source-address restriction; combined with the fully disabled filter table they
# would be reachable from the WAN. Disable the ones not needed and restrict the rest to management
# addresses.
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# Passwords were blanked by the poster before publishing. The account names are still real
# usernames; an export posted publicly should replace those with placeholders as well.
add disabled=yes name=pptp-bridge password= remote-address=10.150.1.2
add name=jjones password= profile=vpn service=pptp
add name=jason password= profile=vpn service=pptp
add name=nickm password= profile=vpn service=pptp
# OSPF, clock, identity, NTP and update-channel settings.
/routing ospf network
# NOTE(review): OSPF is configured for 192.168.105.0/24, whose only address on this router is
# disabled. Presumably a leftover; remove it so OSPF cannot start speaking if that address returns.
add area=backbone network=192.168.105.0/24
/system clock
set time-zone-name=America/Denver
/system identity
set name=Main
/system ntp client
# Time comes from two fixed public IP addresses. Domain members normally follow the domain
# controller's clock; Kerberos tolerates only limited skew, so keep the router and DC in agreement.
set enabled=yes primary-ntp=50.116.38.157 secondary-ntp=108.166.189.70
/system package update
# NOTE(review): the update channel is release-candidate, i.e. pre-release builds, on a production
# edge router. Track a stable channel instead so updates are tested releases.
set channel=release-candidate
# One stored script and two traffic-graphing entries.
/system script
# "Clear ARP" collects every entry in /ip arp and removes them one by one. No scheduler entry is
# present in this export, so it presumably runs only when started by hand.
# NOTE(review): the script is granted far more policy than removing ARP entries needs (ftp,
# reboot, policy, password, sniff, sensitive); trim it to the minimum that still lets it run.
# The source string below is line-wrapped by the paste (":local du" / "mplist").
add name="Clear ARP" owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local du
mplist [/ip arp find]\r
\n:foreach i in=$dumplist do={\r
\n /ip arp remove $i\r
\n}"
/tool graphing interface
# NOTE(review): "ether6-Fiber" does not match the ether6 name set under "/interface ethernet"
# ("ether6-Rise Fiber"). Which addresses may view the graphs is not shown in this export.
add interface="ether6-Fiber"
/tool graphing queue
add simple-queue=Subaru
[admin@Main] >