
I'm trying to implement a small lab infrastructure with vSphere and multiple LANs; two of the LANs are:

  • Work: with employee laptops
  • Trusted: with all my servers (except the web server, which is in a separate DMZ)

Between those LANs I have a CentOS host with multiple network adapters that is used as an internal firewall and routes all the traffic between the LANs.

In the Trusted LAN I have a Windows domain controller with a domain called "domain.testing", and I try to connect to it from a client computer in the Work LAN. Each time I try to connect to the domain controller I can see on the CentOS host (with tcpdump) that the client is sending a UDP NetBIOS broadcast on port 137 and, even if I disable firewalld (which is used for the firewall), the broadcast is not forwarded from the Work LAN to the Trusted LAN. On the domain controller side I can't see any broadcast from the client host.

I've seen on the Internet that I should activate net-directed broadcast, but I can't find how to do that on CentOS.

Here is a small drawing of this infrastructure:

|Client| ------------(ens192) |CentOS| (ens160)------------- |Domain Controller|
10.2.0.2             10.2.0.1          10.3.0.1                  10.3.0.4      

Here are the firewalld rules:

# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dns http https kerberos ldap ldaps mdns rpc-bind samba-client samba
  ports: 514/tcp 6514/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

# firewall-cmd --zone=work --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dns http https kerberos ldap ldaps mdns rpc-bind samba samba-client
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Here is the routing table on CentOS:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens192
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens160

And here is the output of tcpdump after I tried to join the client host to the domain:

# tcpdump -i ens192 -nn
15:35:31.018000 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:35:31.755710 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:35:32.505686 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
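
Added example (not part of the question above): a small Python parser for the tcpdump -nn lines shown in the capture that labels each packet's destination as unicast, the directed broadcast of the sender's subnet, or the limited broadcast, and lists the hosts that tried NetBIOS name resolution (UDP/137) by broadcast. The three NBT queries go to 10.2.0.255, the Work LAN's directed broadcast, which a router does not forward by default; forwarding directed broadcasts is also what turns a router into a broadcast amplifier, so the safer direction is to let the client locate the DC through DNS, which is routed unicast. The /24 prefix (taken from the routing table) and the fourth, unicast DNS line in the sample are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the three NBT lines from the tcpdump output above, plus one
# constructed unicast DNS SRV query to the DC for contrast (not from the original capture).
SAMPLE_CAPTURE = """\
15:35:31.018000 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:35:31.755710 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:35:32.505686 IP 10.2.0.2.137 > 10.2.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:35:33.001234 IP 10.2.0.2.53210 > 10.3.0.4.53: 4711+ SRV? _ldap._tcp.dc._msdcs.domain.testing. (56)
"""

# Header of an IPv4 line printed by "tcpdump -nn": "<ts> IP <src>.<sport> > <dst>.<dport>:"
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):"
)

def classify_destination(src, dst, prefixlen):
    """Tell whether dst is the limited broadcast, the directed broadcast of src's
    subnet (prefixlen is an assumption; the routing table above shows /24), or unicast."""
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    subnet = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    if dst == subnet.broadcast_address:
        return "directed-broadcast"
    return "unicast"

def parse_capture(text, prefixlen=24):
    """Parse tcpdump -nn lines into dicts; lines that are not IPv4 headers are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        packets.append({
            "ts": m["ts"], "src": str(src), "sport": int(m["sport"]),
            "dst": str(dst), "dport": int(m["dport"]),
            "kind": classify_destination(src, dst, prefixlen),
        })
    return packets

def nbt_broadcast_sources(packets):
    """Hosts that tried NetBIOS name resolution (UDP/137) by broadcast: a router does not
    forward these, so such a client cannot find a DC on another LAN this way."""
    return sorted({p["src"] for p in packets
                   if p["dport"] == 137 and p["kind"] != "unicast"})
```

To use it on a real capture, pipe `tcpdump -i ens192 -nn` output into a file and pass its contents to parse_capture; any client listed by nbt_broadcast_sources is still depending on broadcast name resolution rather than DNS.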
