Done, but unfortunately with no luck. Apparently shorewall/firewall is still blocking the domain join of the remote server on the vpn network while it remains pingable. I’d like to share some logs to help debugging this.
What’s strange is that even though the ip of the primary nethserver and of its nsdc container are pingable, cockpit started to claim that one or multiple domain servers do not reply as soon as I added them on the remote server as dns entries. What makes me think that shorewall might be the problem is that issuing shorewall clear immediately removes the blocker and I could join the domain even without those two ips as dns, but I doubt I should, as I’d like to first have a correct network configuration. The message about dns servers not replying is persisting though, even with shorewall stopped and even though they successfully reply to pings, even with shorewall started, and indeed dns name resolution stopped working with those two ips added…
Maybe a problem on my router/vpn configuration? By the way, I wanted to create a site-to-site vpn tunnel on the green network interface (3rd network called nethlan in my opnsense config, where pdc neth is dc and dhcp server). While I was able to ping everything from the pdc / company site direction to the hosted server / backup domain controller, the way back did not work, meaning I could not get a ping reply from anything on the internal network when pinging resources from the hosted side.
That’s why I created a site-to-site vpn with the standard lan interface of opnsense, which represents the red network for the backup domain controller, and with this vpn I can ping in both directions. So on the OPNsense router there obviously is some difference between the network interfaces nethlan and lan and their corresponding rules or configuration that prevents network connectivity from the nethlan interface to the vpn, while it works from the vpn to nethlan. And as said, this problem does not occur if I use the lan interface for tunneling instead.
It’s a pity, as if I succeeded in solving the OPNsense interfaces problem, I could have a connection directly to the green interface, which probably would also solve the nethserver problem, as I imagine that it would trust a connection coming through the green interface instead of coming from red…
Or do you think I should join the domain anyway while shorewall is stopped, and the fact of being in the same domain would make my pdc controller and its firewall behave well with the remote nethserver? Out of curiosity and frustration I joined the domain anyway, and it was foreseeable that signal-event firewall-adjust has the effect that I cannot open the Users & Groups menu, as it obviously blocks the query…
Another thing I might try tomorrow is to establish a direct vpn connection from nethserver to nethserver, and see where it gets…
Anyway, it makes me sad that everything I touch seems to attract Murphy, and everything that can go wrong always goes wrong. So I waste a hell of a lot of time, hopefully at least learning from it…