I am working on setting up a VMware lab. I have a physical box on which I've installed ESXi 6.7. While I'll be adding many more, I currently have 3 VMs: a Windows Server 2016 box with no server roles installed, a DC (cloned from the base image of the Windows Server 2016) with the DC and DNS roles installed (and configured), and a VyOS router.
A network diagram is below, but the VyOS router has four subnets: one for the DC, one for the Server 2016 box, one that is currently empty, and the other as a route out of the network.
The DC is statically assigned 10.0.1.1. The Server 2016 box is configured for DHCP (DHCP role on the DC), and DHCP is confirmed to work as the box has been assigned 10.0.2.11 (pool is 10.0.2.1-254, with 1-9 reserved; don't know why it didn't take 10, but don't care).
However, it appears I have both a DNS issue and a routing issue. Specifically, from the DC, I can ping loopback, each VyOS interface, the ESXi NIC, the management workstation (my desktop), as well as my pfSense firewall. But I cannot ping the Server2016 box (again, I can ping the VyOS interface in its subnet, but not the box itself) via IP ("request timed out") or hostname ("ping request could not find host Server2016"), nor can I ping out to 8.8.8.8 or any other external network ("reply from 10.0.1.254: destination unreachable"). The same goes from the Server2016 box: I can ping loopback, each VyOS interface, the ESXi NIC, the workstation, and pfSense, but I cannot ping the DC via IP or hostname (it at least resolves DC1 to the IP, but then gives "request timed out"), nor can I ping the internet.
I am pretty certain it's simply one configuration issue, or several. I just have not been able to fix it (or them) yet. My VyOS config (screenshots, as I am unable to copy/paste out of the environment) as well as the DHCP and DNS config is below:
Any help is extremely appreciated!
I'll take a stab at this. Multiple issues exist.
`ping 8.8.8.8`

It appears that your NAT configuration is not complete in VyOS. I'm not an expert in VyOS by any means. However, it appears you are supposed to also specify the source addresses to match in the NAT rule. In this case, I believe you need to add `set nat source rule 10 source address '10.0.1.1-10.0.3.254'`. Without this, the traffic does not match the NAT rule and therefore the traffic is not NAT'd when it egresses to your home network towards the pfSense box. In this case, pfSense will not have the appropriate routing table or appropriate trust to pass traffic from the virtual networks. NAT hides those addresses and makes all the traffic from the virtual network appear as a single, trusted system on your home network. The drawback here is that the communication is one way: you can ping your workstation from within the virtual network, but your workstation will not be able to ping or connect to machines in the virtual network unless you establish appropriate port forwarding rules in VyOS.

By default the Windows firewall is turned on and will block most of that traffic. Try turning off the Windows firewall for testing purposes. If this solves the issue, then add the necessary exceptions to the firewall rules. Or, once you get your domain properly functioning, it is really easy to deploy standard firewall rules across all computers in the domain using Group Policy. For instance, you can allow ICMP Echo Requests/Replies so that `ping` will work.

`Server2016` resolve to the server's IP address?

Your current configuration does not show that you have an A record added to your DNS server that matches the `Server2016` name. If this were a fully functioning AD domain, then systems that are part of the domain are typically allowed to add and update their own A records on the DNS server, so this process is automatic. However, because `Server2016` is not yet joined to the domain, it does not have permission to add/update records on the DNS server. Thus, you must add it manually.
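Added example, not code from the original answer: the Windows-side fixes the answer describes (a firewall exception for ICMP Echo Request instead of leaving the firewall off, and a manually added A record for Server2016), as PowerShell run in an elevated prompt on the DC. The zone name `lab.local` is an assumed placeholder; the addresses 10.0.1.1 and 10.0.2.11 come from the question.

```powershell
# Added example (not from the original answer). Run elevated on the DC (DC1, 10.0.1.1).
# ASSUMPTION: the AD-integrated forward lookup zone is 'lab.local'; change it to yours.
$ZoneName   = 'lab.local'
$ServerName = 'Server2016'
$ServerIp   = '10.0.2.11'            # DHCP lease the member server received (from the question)
$DcDnsIp    = '10.0.1.1'             # DC / DNS server address (from the question)
$RuleName   = 'Lab - Allow ICMPv4 Echo Request'

# 1. Allow inbound ICMPv4 Echo Request (type 8) rather than disabling the firewall.
#    Run the same on Server2016, or deploy it by Group Policy once the domain is working.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol ICMPv4 `
        -IcmpType 8 -Action Allow -Profile Any | Out-Null
    Write-Host "Created firewall rule '$RuleName'"
}

# 2. Add the A record for Server2016 by hand: an unjoined machine cannot register
#    its own record through secure dynamic update.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $ServerName -RRType A `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $ServerName `
        -IPv4Address $ServerIp -TimeToLive (New-TimeSpan -Minutes 5)
    Write-Host "Added A record $ServerName.$ZoneName -> $ServerIp"
}

# 3. Verify: resolve the name against the DC's own DNS service, then test reachability
#    across the VyOS router (ICMP must now pass the firewall on the target host).
Resolve-DnsName -Name "$ServerName.$ZoneName" -Server $DcDnsIp -Type A
Test-NetConnection -ComputerName $ServerIp -InformationLevel Detailed
```

Because Server2016 gets 10.0.2.11 from DHCP, a static A record goes stale if the lease changes; a DHCP reservation, or joining the domain so dynamic update maintains the record, avoids that.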