mikrotik33
just joined
Topic Author
Posts: 13
Joined: Sun May 20, 2018 9:36 pm

Windows Domain Controller blocked by Mikrotik firewall?

Wed Jun 13, 2018 2:24 pm

Hi,

I'm trying to set up a domain controller on my Windows Server 2012. I'm running the domain controller, DNS, and DHCP servers on there.

The DNS appears to be resolving internal domains both forwards and reverse.
The DHCP appears to be allowing computers to connect to the network and obtain IP addresses.

So far, I currently have 2 users and 1 computer set up on the domain controller. I do plan to set up more once I get the current computer up and running. On the computer I've changed it to join the domain I've set up. I've rebooted both the server and the computer. But when I attempt to log in using a domain user on the computer registered with the domain, it tells me "There are currently no logon servers available to service the logon requests". And I'm stuck at the login screen, unless I decide to log in using a local account. I get a response when I ping the server and, like I say, the DHCP and DNS appear to be functioning properly.

I don't understand what I've missed, so I'm coming to the conclusion that the firewall in my Mikrotik might be blocking the connection to the domain controller?

I didn't setup the Mikrotik network. I inherited it only a few weeks ago. I know it's been alive for over 2 years. I have one RB750G2 and two HAP AC lites acting as access points.

I don't understand the firewall at all. It's nothing like I've seen before in Microsoft's, ZoneAlarm's, or Symantec's firewalls.

May someone help me out please? Is there a rule in place blocking the domain controller connection? Or do i need to enable a rule?

I've placed an export of the configuration in pastebin. I've obviously replaced the sensitive information.

https://pastebin.com/ZretH8aE
 
karlisi
Member Candidate
Posts: 164
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Windows Domain Controller blocked by Mikrotik firewall?

Wed Jun 13, 2018 3:58 pm

Your AD DC IP is 192.168.0.200 and it has a DHCP server on it? If so, why use DHCP on the Mikrotik? Two DHCP servers in one network are a big mess. Disable the DHCP server and DHCP relay on the Mikrotik and use Windows DHCP. Configure it properly to give the Windows DNS server address as the only DNS server for clients. Remember to configure DNS forwarders on the Windows server, to resolve addresses outside your LAN.
---
Karlis
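As an added example (not part of Karlis's reply and not taken from the OP's pastebin export), here are the RouterOS commands that carry out this advice on the RB750G2, together with the weak DHCP setting that produces the "no logon servers" symptom and its corrected form. The DC address 192.168.0.200 comes from the thread; the LAN 192.168.0.0/24, the router address 192.168.0.1, the AD zone corp.example and the WAN interface name ether1-gateway are assumptions.

```routeros
# Added example, not from the thread or the OP's configuration export.
# Assumptions: LAN 192.168.0.0/24, router 192.168.0.1, Windows DC/DNS/DHCP at
# 192.168.0.200, AD DNS zone corp.example, WAN interface ether1-gateway.

# 1. See which DHCP servers and relays the router currently runs.
/ip dhcp-server print
/ip dhcp-relay print

# 2. Karlis's advice: let Windows be the only DHCP server on the LAN.
#    Disable rather than remove, so it can be re-enabled if Windows DHCP fails.
/ip dhcp-server disable [find]
/ip dhcp-relay disable [find]

# 3. If the Mikrotik DHCP server has to stay for now, the weak setting is
#    handing clients the router (or a public resolver) as their DNS server:
#    they then cannot find the _ldap._tcp.dc._msdcs.<domain> SRV records and
#    the logon fails with "no logon servers available".
#    Weak:
#    /ip dhcp-server network set [find address=192.168.0.0/24] dns-server=192.168.0.1
#    Corrected: the DC is the only DNS server and the search domain is the AD zone.
/ip dhcp-server network set [find address=192.168.0.0/24] \
    dns-server=192.168.0.200 domain=corp.example

# 4. If the Windows DNS forwarder is going to be the router, the router must
#    answer queries from other hosts. That same setting answers queries from
#    the WAN side too, so drop DNS on the WAN interface ahead of any generic
#    accept rule (place-before=0 puts the rules at the top of the chain).
/ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=udp \
    dst-port=53 action=drop comment="no open resolver" place-before=0
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=tcp \
    dst-port=53 action=drop comment="no open resolver" place-before=0

# 5. Confirm: after a client renews its lease it should list only the DC as DNS.
/ip dhcp-server lease print
```

The disable in step 2 and the corrected network in step 3 are alternatives, not both: if Windows DHCP is authoritative, the Mikrotik server stays disabled and step 3 is only there for the case where the router must keep serving addresses for a while.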
 
mikrotik33
just joined
Topic Author
Posts: 13
Joined: Sun May 20, 2018 9:36 pm

Re: Windows Domain Controller blocked by Mikrotik firewall?

Wed Jun 13, 2018 5:30 pm

karlisi wrote:
Your AD DC IP is 192.168.0.200 and it has a DHCP server on it? If so, why use DHCP on the Mikrotik? Two DHCP servers in one network are a big mess. Disable the DHCP server and DHCP relay on the Mikrotik and use Windows DHCP. Configure it properly to give the Windows DNS server address as the only DNS server for clients. Remember to configure DNS forwarders on the Windows server, to resolve addresses outside your LAN.

I've disabled the DHCP server on the Mikrotik RouterBoard. I haven't deleted it yet, because I'm a little scared that I'll take the network down. I'm working on a live network.

It turned out to be a Windows issue. The computer dropped the network connection when the session ended or it was rebooted. I got it working by hardwiring the computer into the network, and it found my domain controller immediately.

I would like to learn how to configure a Mikrotik firewall, though, because I don't see how the rules in my current setup differ. When I use the GUI, it feels like all of the input boxes are not selected/greyed out. What's a good resource to learn how to configure the firewall?
 
diddie17
newbie
Posts: 26
Joined: Thu Sep 14, 2017 8:53 pm
Location: UK

Re: Windows Domain Controller blocked by Mikrotik firewall?

Wed Jun 13, 2018 7:17 pm

The Mikrotik firewall is based on the Linux iptables firewall functionality. If you can't find the Mikrotik resources you need on the forum, there should be lots of iptables examples that can be easily ported across.

I'm not a firewall expert, I know just enough to get myself in trouble. I have seen some good posts for starters by anav on this topic though. See this thread viewtopic.php?f=13&t=135384

Just be a bit careful though, it's easy to lock yourself out of the firewall by carelessly applying a filter that has a wider reaching effect than you expected. Backup and restore is your friend in this situation :-)
 
CZFan
Forum Veteran
Posts: 749
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: Windows Domain Controller blocked by Mikrotik firewall?

Thu Jun 14, 2018 1:36 pm

Just remember that if the devices are on the same LAN, the traffic will not go via the firewall in order for them to communicate with each other; in other words, they will communicate directly with each other.
MTCNA, MTCTCE & MTCRE
 
manelfl
newbie
Posts: 26
Joined: Mon May 18, 2015 12:55 pm

Re: Windows Domain Controller blocked by Mikrotik firewall?

Thu Jun 14, 2018 3:49 pm

Hi.
When I have problems with traffic going through the Mikrotik, the tool sniffer helps me solve it.
 
CZFan
Forum Veteran
Posts: 749
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: Windows Domain Controller blocked by Mikrotik firewall?

Thu Jun 14, 2018 9:29 pm

manelfl wrote:
Hi.
When I have problems with traffic going through the Mikrotik, the tool sniffer helps me solve it.

First, I think you need to learn some Forum Etiquette, do not hijack someone else's topic / thread
MTCNA, MTCTCE & MTCRE
 
anav
Long time Member
Posts: 667
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Windows Domain Controller blocked by Mikrotik firewall?

Thu Jun 14, 2018 9:57 pm

Bad day, not enough coffee yet, CZFan. I didn't take manelfl's post as hijacking but more as a tip in terms of finding potential sources of information about what is going on in the router flow using the tools available. It was rather vague without much direction but certainly not evil intended.

To expand upon your point, devices connected at layer 2 bypass firewall rules:
- devices on the same LAN, or on the same VLAN
- interfaces on the same bridge (except VLANs).

To separate devices at layer 2 (so that firewall rules can then be applied):
- ensure the devices or users are on a separate interface or are separated by a bridge;
for example, one has two subnets that differentiate two groups of users
(the two subnets applied as: one on a bridge and one on an interface by itself, or two on different bridges, or two on different interfaces).
 
jarda
Forum Guru
Posts: 7333
Joined: Mon Oct 22, 2012 4:46 pm

Re: Windows Domain Controller blocked by Mikrotik firewall?

Fri Jun 15, 2018 12:51 am

Firewall rules can work on the bridge level too. Splitting the horizon is another way to keep the ports of a bridge separated.
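As an added example (not from the thread), the three points above in RouterOS commands: why a plain /ip firewall rule sees nothing for same-LAN traffic, and the bridge-level alternatives jarda mentions. Assumptions: a single bridge named "bridge" carrying ether2 to ether5, the DC at 192.168.0.200 behind ether2, a hAP ac lite uplink on ether4, and a guest port on ether5.

```routeros
# Added example, not from the thread. Assumptions: bridge "bridge" with
# ether2..ether5 as ports, DC 192.168.0.200 on ether2, AP uplink on ether4,
# guest port ether5.

# Frames between two ports of the same bridge are switched at layer 2 and
# never enter /ip firewall filter, so this rule matches nothing for a client
# in the same subnet as the DC (its counters stay at zero):
/ip firewall filter add chain=forward dst-address=192.168.0.200 protocol=tcp \
    dst-port=88,389,445,135 action=log log-prefix="dc-" comment="AD ports to DC"

# Option 1: push bridged traffic through the IP firewall as well. Every
# bridged packet then traverses prerouting/forward/postrouting (extra CPU on
# an RB750G2), and in-bridge-port/out-bridge-port become usable matchers.
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add chain=forward in-bridge-port=ether5 out-bridge-port=ether2 \
    dst-address=192.168.0.200 action=drop place-before=0 \
    comment="guest port may not reach DC"

# Option 2: a bridge filter rule, which matches on the layer-2 path without
# use-ip-firewall. mac-protocol=ip must be set before IP fields can be matched.
/interface bridge filter add chain=forward in-interface=ether5 out-interface=ether2 \
    mac-protocol=ip dst-address=192.168.0.200/32 action=drop \
    comment="guest port may not reach DC (bridge level)"

# Option 3: split horizon. Ports that share a horizon value never forward
# frames to each other, but still reach ports without a horizon (the DC's
# port here) and the router itself.
/interface bridge port set [find interface=ether4] horizon=1
/interface bridge port set [find interface=ether5] horizon=1

# Check which path frames actually take: rule counters.
/ip firewall filter print stats where comment~"DC"
/interface bridge filter print stats
```

For the OP's situation the first rule is the useful check: if it never counts a packet while a same-subnet client is trying to log on, the router's IP firewall is not in the path and cannot be what is blocking the domain controller.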
 
manelfl
newbie
Posts: 26
Joined: Mon May 18, 2015 12:55 pm

Re: Windows Domain Controller blocked by Mikrotik firewall?

Mon Jun 18, 2018 12:30 pm

CZFan wrote:
First, I think you need to learn some Forum Etiquette, do not hijack someone else's topic / thread

Sorry, it was not my intention.

anav wrote:
I didn't take manelfl's post as hijacking but more as a tip in terms of finding potential sources of information about what is going on in the router flow using the tools available.

This was my intention.
If there is traffic that does not go through the Mikrotik, the tool sniffer helps to find out what that traffic is.
If the Mikrotik receives traffic sent to the domain controller and this traffic doesn't leave the Mikrotik, the Mikrotik is the problem.
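As an added example (not manelfl's own commands), this is how to do that check on the router: a sniffer capture limited to the DC and the AD ports, and a temporary logging rule that shows whether packets for the DC arrive at the firewall at all. The DC address 192.168.0.200 is from the thread; the bridge name "bridge" and the client address 192.168.0.50 are assumptions.

```routeros
# Added example, not from the thread. Assumptions: LAN bridge named "bridge",
# DC 192.168.0.200, client under test 192.168.0.50.

# 1. Capture only what matters for a domain logon: DNS 53, Kerberos 88,
#    RPC endpoint mapper 135, LDAP 389, SMB 445, between the client and the DC.
/tool sniffer set filter-interface=bridge \
    filter-ip-address=192.168.0.200/32,192.168.0.50/32 \
    filter-port=53,88,135,389,445 memory-limit=1000KiB
/tool sniffer start
# ... reproduce the logon attempt on the client, then:
/tool sniffer stop
/tool sniffer packet print
/tool sniffer connection print

# 2. Or write a pcap for Wireshark instead of keeping packets in memory.
/tool sniffer set file-name=dc-logon.pcap file-limit=4000KiB

# 3. manelfl's test as counters: a log rule ahead of every other forward
#    rule counts packets the router is asked to forward to the DC. If it
#    counts hits but the client gets no reply, one of the rules below it is
#    dropping the traffic; the per-rule packet counters show which.
/ip firewall filter add chain=forward dst-address=192.168.0.200 action=log \
    log-prefix="to-dc" place-before=0 comment="temp: count packets to DC"
/log print where message~"to-dc"
/ip firewall filter print stats where chain=forward

# 4. Remove the temporary rule when done; a permanent log rule on all DC
#    traffic fills the log quickly.
/ip firewall filter remove [find comment~"temp:"]
```

One caveat that follows from the earlier replies: for a client in the same subnet as the DC the counters in step 3 stay at zero, because those frames are bridged rather than routed. In that case the sniffer in step 1 still sees them, since it captures on the bridge interface, and is the right tool.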
