Nethserver blocks dc authentication between 2 green zone


we have setup a subnet on a second green interface everything work well
ping, trace, internet the only problem we face is that the PC in the new subnet cannot
reach the DC in the netlogon it seems that nethserver block something for the local domaine to work properly of course DC ping.

I wonder if anyone see that problem before or maybe I need to put something in place to fix this

thanks a lot

Hi @Groupeti

Connecting PCs from several networks (subnets) to NethServers AD is no problem, neither is it to use Nethservers AD from a complete VPN structure of three sites, where all PC authenticated to the AD.

But then again, I’ve NEVER used NethServer as router for my network. I reserve that duty for my OPNsense firewall, a dedicated hardware box handling firewalling, internet access, VPNs, and internally DNS / DHCP for all available internal networks.
NethServers DNS is a little too limited, I need to use it because of AD, but I’ll optimize my environment accordingly.

An AD should, in my opinion, NEVER be on a router / firewall, there are too many issues that can crop up and ruin the day!

My 2 cents

my domain controller is a windows server VM in the network green
the pc is in the network the other green interface
the nethserver is another VM with both interfaces

thanks for the answer

Hi @Groupeti

You might check the Windows firewall on both PC and (especially) AD Server… :slight_smile:

Is your nethServer the default gateway for your AD? (And the PC!)

My 2 cents

But the container is bridged with

If the answer is yes… the server is working as configured, which seems not what you wished for.


yes we tried without FW on both PC same result

sorry I don’t understand (But the container is bridged with
its a VM with 4 network card,
WAN, vlan10, vlan19 and the main netwrok

Did you already check /var/log/firewall.log on the Nethserver? Blocks should be logged.

Maybe there’s a misconfigured firewall rule?

Does the domain join work on the same PC from the main network?

Can you ping the AD by name? (DNS issue?)

The netlogon share isn’t reachable?

1 Like


A “VM” with 4 network cards does not exist, 4 NICs is OK (=logical Interface)…

But using 4 Network interfaces, this does NOT make any sense:

And to which vLAN is the PC connected to? vlan10 or vlan19?
What are the IPs of these vLANs?
To which Interface are these vLANs bridged (or running on)?

My 2 cents

we find it it, was the threat shield that was hijacking the DNS request

thanks a lot for your help

@Andy_Wismer you are right, logical interface


1 Like