NethServer blocks DC authentication between 2 green zones

Hello

We have set up a subnet 172.19.0.0 on a second green interface, and everything works well:
ping, trace, internet. The only problem we face is that the PCs in the new subnet cannot
reach the DC's netlogon. It seems that NethServer blocks something the local domain needs to work properly; of course the DC pings.

I wonder if anyone has seen that problem before, or maybe I need to put something in place to fix this.

thanks a lot

Hi @Groupeti

Connecting PCs from several networks (subnets) to NethServer's AD is no problem, nor is using NethServer's AD from a complete VPN structure of three sites, where all PCs authenticate to the AD.

But then again, I've NEVER used NethServer as a router for my network. I reserve that duty for my OPNsense firewall, a dedicated hardware box handling firewalling, internet access, VPNs, and internally DNS / DHCP for all available internal networks.
NethServer's DNS is a little too limited; I need to use it because of AD, but I'll optimize my environment accordingly.

An AD should, in my opinion, NEVER be on a router / firewall; there are too many issues that can crop up and ruin the day!

My 2 cents
Andy

Hello,
my domain controller is a Windows Server VM in the 192.168.0.0 network (green).
The PC is in the 172.19.0.0 network, on the other green interface.
The NethServer is another VM with both interfaces.

thanks for the answer

Hi @Groupeti

You might check the Windows firewall on both the PC and (especially) the AD server…

Is your NethServer the default gateway for your AD? (And for the PC!)

My 2 cents
Andy

But the container is bridged with 192.168.0.0?

If the answer is yes… the server is working as configured, which seems not to be what you wished for.

Hello,

yes, we tried without the FW on both PCs; same result.

Sorry, I don't understand ("But the container is bridged with 192.168.0.0?").
It's a VM with 4 network cards:
WAN, vlan10, vlan19 and the main network 192.168.0.0.

Did you already check /var/log/firewall.log on the Nethserver? Blocks should be logged.

Maybe there’s a misconfigured firewall rule?

Does the domain join work on the same PC from the main network?

Can you ping the AD by name? (DNS issue?)

The netlogon share isn’t reachable?

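The checklist above starts with /var/log/firewall.log. As an added example (not NethServer's own tooling, and not posted by anyone in this thread), here is a small triage script that reads Shorewall-style log lines and reports which AD-related flows from the client subnet to the DC were dropped or rejected. The log line layout, the chain names, the /24 mask on 172.19.0.0 and the DC address 192.168.0.10 are assumptions; the sample log lines are constructed for the example.

```python
"""Triage helper: find AD-related flows the firewall dropped between the two
green subnets. Added example, not NethServer code. The Shorewall-style log
format, chain names and sample lines are assumptions / constructed here."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Ports a domain member must reach on a DC for join, logon and NETLOGON/SYSVOL access.
AD_SERVICES: Dict[tuple, str] = {
    ("UDP", 53): "DNS", ("TCP", 53): "DNS",
    ("UDP", 88): "Kerberos", ("TCP", 88): "Kerberos",
    ("UDP", 123): "NTP",
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service", ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session",
    ("UDP", 389): "LDAP", ("TCP", 389): "LDAP",
    ("TCP", 445): "SMB (SYSVOL/NETLOGON)",
    ("UDP", 464): "Kerberos password change", ("TCP", 464): "Kerberos password change",
    ("TCP", 636): "LDAPS",
    ("TCP", 3268): "Global Catalog", ("TCP", 3269): "Global Catalog (TLS)",
}
RPC_DYNAMIC = range(49152, 65536)  # RPC high ports handed out by the endpoint mapper

# Assumed layout: "Shorewall:<chain>:<action>:IN=... SRC=... DST=... PROTO=... DPT=..."
ACTION_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>DROP|REJECT|ACCEPT):")
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    chain: str
    action: str
    service: Optional[str]


def ad_service(proto: str, dport: int) -> Optional[str]:
    """Name the AD service behind a proto/port, or None if it is not AD traffic."""
    if (proto, dport) in AD_SERVICES:
        return AD_SERVICES[(proto, dport)]
    if proto == "TCP" and dport in RPC_DYNAMIC:
        return "RPC dynamic port (Netlogon/SAM/DRS)"
    return None


def parse_line(line: str) -> Optional[Flow]:
    """Parse one firewall.log line. Returns None for lines that are not Shorewall
    verdicts or that carry no destination port (ICMP), which this check skips."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "PROTO" not in fields or "DPT" not in fields:
        return None
    proto = fields["PROTO"].upper()
    dport = int(fields["DPT"])
    return Flow(fields.get("SRC", ""), fields.get("DST", ""), proto, dport,
                m["chain"], m["action"], ad_service(proto, dport))


def blocked_ad_flows(lines, client_net: str, dc_ip: str) -> List[Flow]:
    """AD flows from the client subnet to the DC that were dropped or rejected."""
    net = ip_network(client_net)
    dc = ip_address(dc_ip)
    hits: List[Flow] = []
    for line in lines:
        fl = parse_line(line)
        if fl is None or fl.service is None or fl.action not in ("DROP", "REJECT"):
            continue
        try:
            if ip_address(fl.src) in net and ip_address(fl.dst) == dc:
                hits.append(fl)
        except ValueError:
            continue  # malformed SRC/DST field
    return hits


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count blocked flows per AD service, so the missing rule is obvious at a glance."""
    counts: Dict[str, int] = {}
    for fl in flows:
        counts[fl.service] = counts.get(fl.service, 0) + 1
    return counts


# Constructed sample of /var/log/firewall.log lines (not real log data).
SAMPLE_LOG = """\
Mar  3 09:12:01 neth kernel: Shorewall:grn2grn:DROP:IN=eth2 OUT=eth1 SRC=172.19.0.25 DST=192.168.0.10 LEN=52 PROTO=TCP SPT=51234 DPT=445 SYN
Mar  3 09:12:01 neth kernel: Shorewall:grn2grn:DROP:IN=eth2 OUT=eth1 SRC=172.19.0.25 DST=192.168.0.10 LEN=60 PROTO=UDP SPT=55011 DPT=53 LEN=40
Mar  3 09:12:02 neth kernel: Shorewall:grn2grn:ACCEPT:IN=eth2 OUT=eth1 SRC=172.19.0.25 DST=192.168.0.10 LEN=52 PROTO=TCP SPT=51235 DPT=88 SYN
Mar  3 09:12:03 neth kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=40000 DPT=445 SYN
Mar  3 09:12:04 neth kernel: Shorewall:grn2grn:DROP:IN=eth2 OUT=eth1 SRC=172.19.0.25 DST=192.168.0.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 09:12:05 neth kernel: Shorewall:grn2grn:DROP:IN=eth2 OUT=eth1 SRC=172.19.0.25 DST=192.168.0.10 LEN=52 PROTO=TCP SPT=51236 DPT=49670 SYN
"""

if __name__ == "__main__":
    flows = blocked_ad_flows(SAMPLE_LOG.splitlines(), "172.19.0.0/24", "192.168.0.10")
    for fl in flows:
        print(f"{fl.chain} {fl.action} {fl.src} -> {fl.dst} {fl.proto}/{fl.dport}: {fl.service}")
    print(summarize(flows))
```

On a real box the same functions can be fed `open("/var/log/firewall.log")` with the real client subnet and DC address. A run that shows TCP/445 or UDP/53 being dropped between the two green interfaces points at a firewall rule; an empty result while the join still fails means the packets are not being dropped by the packet filter at all, which is when DNS answers (the "can you ping the AD by name?" question above) deserve a closer look.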

@Groupeti

A "VM" with 4 network cards does not exist; 4 NICs is OK (= logical interfaces)…

But using 4 network interfaces, this does NOT make any sense:

And to which VLAN is the PC connected, vlan10 or vlan19?
What are the IPs of these VLANs?
To which interface are these VLANs bridged (or running on)?

My 2 cents
Andy

Hello,
we found it: it was the threat shield that was hijacking the DNS requests.

thanks a lot for your help

@Andy_Wismer you are right, logical interfaces.

thanks!!
