Windows Domain Controller blocked by Mikrotik firewall?

Posted: Wed Jun 13, 2018 2:24 pm
by mikrotik33
Hi,

I'm trying to set up a domain controller on my Windows Server 2012. I'm running the domain controller, DNS, and DHCP servers on there.

The DNS appears to be resolving internal domains both forwards and reverse.
The DHCP appears to be allowing computers to connect to the network and obtain IP addresses.

So far, I currently have 2 users and 1 computer set up on the domain controller. I do plan to set up more once I get the current computer up and running. On the computer I've changed it to join the domain I've set up. I've rebooted both the server and the computer. But when I attempt to log in using a domain user on the computer registered with the domain, it tells me "There are currently no logon servers available to service the logon requests". And I'm stuck at the login screen, unless I decide to log in using a local account. I get a response when I ping the server and, like I say, the DHCP and DNS appear to be functioning properly.

I don't understand what I've missed, so I'm coming to the conclusion that the firewall in my Mikrotik might be blocking the connection to the domain controller?

I didn't setup the Mikrotik network. I inherited it only a few weeks ago. I know it's been alive for over 2 years. I have one RB750G2 and two HAP AC lites acting as access points.

I don't understand the firewall at all. It's nothing like I've seen before in Microsoft's, ZoneAlarm's, or Symantec's firewalls.

May someone help me out please? Is there a rule in place blocking the domain controller connection? Or do I need to enable a rule?

I've placed an export of the configuration in pastebin. I've obviously replaced the sensitive information.

https://pastebin.com/ZretH8aE

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Wed Jun 13, 2018 3:58 pm
by karlisi
Your AD DC IP is 192.168.0.200 and it has a DHCP server on it? If so, why use DHCP on Mikrotik? 2 DHCP servers in one network is a big mess. Disable the DHCP server and DHCP relay on Mikrotik and use Windows DHCP. Configure it properly to give the Windows DNS server address as the only DNS server for clients. Remember to configure DNS forwarders on the Windows server, to resolve addresses outside your LAN.

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Wed Jun 13, 2018 5:30 pm
by mikrotik33
> Your AD DC IP is 192.168.0.200 and have DHCP server on it? If so, why to use DHCP on Mikrotik? 2 DHCP servers in one network is a big mess. Disable DHCP server and DHCP relay on Mikrotik and use Windows DHCP. Configure it properly to give Windows DNS server address as only DNS server for clients. Remember to configure DNS forwarders on Windows server, to resolve addresses outside your LAN.

I've disabled the DHCP server on the Mikrotik RouterBoard. I haven't deleted it yet, because I'm a little scared that I'll take the network down. I'm working on a live network.

It turned out to be a Windows issue. The computer dropped the network connection when the session ended or it was rebooted. I got it working by hardwiring the computer in to the network and it found my domain controller immediately.

I would like to learn about how to configure a Mikrotik firewall though, because I don't see how the rules in my current setup differ. When I use the GUI interface, it feels like all of the input boxes are not selected/grayed out. What's a good resource to learn how to configure the firewall?

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Wed Jun 13, 2018 7:17 pm
by diddie17
The Mikrotik firewall is based on the Linux iptables firewall functionality. If you can't find the Mikrotik resources you need on the forum, there should be lots of iptables examples that can be easily ported across.

I'm not a firewall expert, I know just enough to get myself in trouble. I have seen some good posts for starters by anav on this topic though. See this thread viewtopic.php?f=13&t=135384

Just be a bit careful though, it's easy to lock yourself out of the firewall by carelessly applying a filter that has a wider reaching effect than you expected. Backup and restore is your friend in this situation :-)

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Thu Jun 14, 2018 1:36 pm
by CZFan
Just remember that if the devices are on the same LAN, the traffic will not go via the firewall in order for them to communicate with each other, i.o.w., they will communicate directly with each other.

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Thu Jun 14, 2018 3:49 pm
by manelfl
Hi.
When I have problems with traffic going through Mikrotik, the sniffer tool helps me to solve it.

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Thu Jun 14, 2018 9:29 pm
by CZFan
> Hi.
> When I have problems with traffic throwing mikrotik, tool sniffer help me to solve it.

First, I think you need to learn some Forum Etiquette, do not hijack someone else's topic / thread

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Thu Jun 14, 2018 9:57 pm
by anav
Bad day, not enough coffee yet CZFAN. I didn't take manelfl's post as hijacking but more as a tip in terms of finding potential sources of information about what is going on in the router flow using the tools available. It was rather vague without much direction, but certainly not evil intended.

To expand upon your point, devices connected at layer 2 will bypass FW rules:
- devices on the same LAN, or on the same VLAN
- interfaces on the same bridge (except VLAN).

To separate devices at layer 2 (and thus FW rules may need to be applied):
- ensure the devices or users are on a separate interface or separated by bridge; for example, one has two subnets that differentiate two groups of users
  (2 subnets applied to: one on a bridge and one on an interface by itself, or two on different bridges, or two on different interfaces).

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Fri Jun 15, 2018 12:51 am
by jarda
Firewall rules can work on bridge level too. Splitting the horizon is another way to have ports of bridge separated.

Re: Windows Domain Controller blocked by Mikrotik firewall?

Posted: Mon Jun 18, 2018 12:30 pm
by manelfl
> First, I think you need to learn some Forum Etiquette, do not hijack someone else's topic / thread

Sorry, it was not my intention.

> I didnt take manelfl's post as hijacking but more as a tip in terms of finding potential sources of information about what is going in router flow using the tools available.

This was my intention.
If there is traffic that does not go through Mikrotik, the sniffer tool helps to know what traffic it is.
If Mikrotik receives traffic to send to the domain controller and this traffic doesn't leave Mikrotik, Mikrotik is the problem.
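As an added example (not from any post in this thread), the RouterOS commands that put anav's layer-2 point, jarda's bridge-firewall and split-horizon remark, and manelfl's sniffer tip into one configuration. Interface names, the 192.168.10.0/24 client subnet and the DC at 192.168.0.200 are assumed for illustration.

```routeros
# Added example; interface names and subnets below are assumed, not taken
# from the original poster's pastebin export.

# 1. Hosts on one bridge exchange frames at layer 2 and never reach
#    /ip firewall filter. Either make the bridge hand bridged IP traffic
#    to the IP firewall ...
/interface bridge settings set use-ip-firewall=yes

# ... or use split horizon: ports sharing a horizon value cannot forward
#    to each other at layer 2, so they can only reach each other via routing.
/interface bridge port set [find interface=ether3] horizon=1
/interface bridge port set [find interface=ether4] horizon=1

# 2. Keeping the DC on its own interface/subnet means client-to-DC traffic
#    is routed, and therefore evaluated in the forward chain.
/ip address add address=192.168.0.1/24 interface=ether2 \
    comment="server segment, DC at 192.168.0.200 (assumed)"
/ip address add address=192.168.10.1/24 interface=bridge-clients \
    comment="workstation segment (assumed)"

# 3. Log before accepting, so the system log shows what any later, tighter
#    rule would affect before it is applied (action=log does not terminate).
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="keep existing sessions"
/ip firewall filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.0.200 action=log log-prefix="to-dc" \
    comment="audit client -> DC"
/ip firewall filter add chain=forward src-address=192.168.10.0/24 \
    dst-address=192.168.0.200 action=accept comment="clients -> DC"

# 4. Quick capture on the client side of the router: if packets for the DC
#    show up here but never appear on ether2, the router is the problem.
/tool sniffer quick interface=bridge-clients ip-address=192.168.0.200
/tool sniffer quick interface=ether2 ip-address=192.168.0.200
```

Run the `/tool sniffer quick` lines one at a time from a terminal; each prints live packets until interrupted.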