Windows domain logon behind NAT / Omada ER7212 PC

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-09-26 07:56:47 - last edited 2023-09-27 06:36:58
Tags: #NAT
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.1.1

We are running a new Omada ER7212PC on an external network that is connected to our main network via fiber.
The fiber connection goes directly to the internal corporate network. The Omada ER7212PC only does a NAT to separate the network behind it.
Since the installation of the Omada router, Windows domain logon does not work anymore behind the NAT of the Omada ER7212PC.
This was never a problem with our old hardware.
Is there a known problem? I've never had issues running domain logons behind a single NAT with other hardware.

#1
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 06:57:49 - last edited 2023-09-27 07:07:38

@DeathStar

Hi, what do you mean by Windows domain logon? You cannot log in to the user account registered in the AD when starting the Windows system, or something else? Screenshots and topology can be helpful.

"SY" is a 22-year old boy presenting to the tp-link community with brain empty. Take care of yourself, and be well. Loycechan030
#2
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 07:22:40 - last edited 2023-09-27 07:24:11

@Loycelover-

Attached the problematic topology as a screenshot.
I think it makes the scenario clear.

After the change to Omada, the PC cannot contact the domain controllers anymore.
DNS resolution works, everything else is working. Only the Windows domain connection is gone.

#3
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 07:42:51

@DeathStar

Yeah, your topology makes it much clearer. So are all the other devices like APs working well? And is it that you failed to log in as the domain user, or you can log in but cannot contact any devices in the domain, or just the DC? You said that DNS is working well, so you mean you can resolve the DC's IP address but get no response when you ping?

#4
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 08:23:34

@Loycelover-

Nslookup resolves all DCs; ping to the DCs works flawlessly.

The moment I connect the domain-integrated PC to the Omada (does not matter if wired or wireless), the domain logon takes ages, and the network is unbelievably slow then.

Even rebooting takes ages, because Windows takes very long to get to the logon screen.

#5
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 08:45:07

@DeathStar

Can you point out the network diagram and the symptom with screenshots and IP addresses?

It would be better with IPs added in the diagram to illustrate the whole network.

So you mean the devices in the ER7212PC LAN are having trouble accessing the ISP-end (which is also a LAN) devices?

In fact, you should be okay to access any ISP-end devices. Quite strange. Need more info.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
#6
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 09:00:16

@Tedd404

I've added some more info into the diagram to make the config clearer.
And yes, you are right.
Problem is to access the Active Directory Domain behind the NAT.
Everything else is working.

#7
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 09:34:58

@DeathStar

So I assume that you should use port forwarding. When you added a NAT in between, you got the problem, which could be the case.

To confirm your question: you cannot access the DC on LAN 192.168.141.0/24 from 192.168.143.0/24, right? Since I am not very sure about Windows AD, I am not sure what port is needed, or why it blocks due to the NAT.

That could be because they are not on the same LAN.

#8
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-27 10:49:03 - last edited 2023-09-27 11:20:01

@Tedd404

According to Microsoft, exactly this scenario is more or less supported:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/support-for-active-directory-over-nat

It worked with our "old" hardware from other vendors (Lancom, Cisco).
We configured the new Omada hardware exactly the same and it did not work anymore. It has been a NAT for decades.

In the end I think there is something that is a little bit different inside the Omada router.

The network behind the NAT should be behind a NAT. It has its purpose that it is done this way.
And yes, you are right.
The client PC should stay behind the NAT and access the AD domain on the other side of the NAT:

#9
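As an added diagnostic (not posted in the thread), the following PowerShell check answers the question raised in #7 about which DC ports the client actually needs through the NAT: it resolves the domain's DC Locator SRV records and probes each well-known AD TCP port on every DC, so it can be run on the client PC in the 192.168.143.0/24 LAN without assuming any addresses. It assumes a domain-joined Windows 8/Server 2012 or later client; the port list is the standard set a domain member uses, not something the thread states.

```powershell
# Added example, not from the thread. Run on the domain-joined PC behind the
# ER7212PC NAT. Assumes Windows 8 / Server 2012 or later (Test-NetConnection,
# Resolve-DnsName) and a domain-joined session ($env:USERDNSDOMAIN is set).
param(
    # Domain name; defaults to the domain this machine is joined to.
    [string]$Domain = $env:USERDNSDOMAIN
)

# Well-known TCP ports a domain member opens towards a DC. All are
# client-initiated, so a plain source NAT should pass them. UDP traffic
# (Kerberos 88, DNS 53) and the RPC dynamic range 49152-65535 are not
# covered by a single TCP probe and must be checked separately.
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
}

# 1. DC Locator: the SRV records the client uses to find its DCs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.${Domain}" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
"DCs advertised for ${Domain}: $($dcs -join ', ')"

# 2. Probe each port on each DC through the NAT; a closed port that nslookup
#    and ping cannot reveal shows up here as Open = False.
$results = foreach ($dc in $dcs) {
    foreach ($port in $AdPorts.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Port    = $port
            Service = $AdPorts[$port]
            Open    = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 3. Which DC the client actually selected, and whether its secure channel is up.
nltest /dsgetdc:$Domain
nltest /sc_query:$Domain
```

If every TCP probe succeeds but logon is still slow, the remaining suspects are the ones this script cannot probe: UDP Kerberos and DNS (large tickets can fragment across a NAT) and the RPC dynamic port range.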
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-28 02:32:10

@DeathStar

You have Cisco hardware; what was the model number? Can you confirm it's a router with NAT, or a network switch?

Since the article you provided did not offer any details about port forwarding, and MS suggested you should avoid NAT, that might be the issue.

You can try to DMZ the devices first and see if it fixes the issue. If not, you should find a workaround on the MS forum. The Omada router is a router with NAT and it cannot disable NAT. It may not be a suitable device for your environment.

#10
Re:Windows domain logon behind NAT / Omada ER7212 PC
2023-09-28 05:45:01
We use Lancom LN1700. These are very capable wireless APs, which have very strong routing functionality. Cisco were only the switches we use. I think this is sadly leading nowhere; the hardware will go back to our vendor.
#11