can an iSeries vsr1 shares a website with two different subnest?

Posted on 2014-12-11
Last Modified: 2014-12-17
here is how my scenario is:

I have two subnets:  192.168.3.x  &  192.168.150.x

when I access the website from 150.x there is no problem.    When I tried to access the website from 3.x, it wouldn't go.   My objective is to ensure both 150.x and 3.x users can access the site.  

the website is originally created and reside on 150.x
Question by:mwauki
  • 7
  • 6
  • 3
LVL 57

Expert Comment

ID: 40496809
From a host on the 192.168.3.x subnet can you ping the IP address of the iSeries?

From the iSeries can you ping a host on the 192.168.3.x subnet?

Do you have a router between the two subnets?
LVL 34

Expert Comment

by:Gary Patterson
ID: 40496923
Short answer is "yes", of course.  Web servers communicate with client computers on other networks - even networks across the world from each other - every second of every day.

When two hosts on different networks need to communicate via IP, they each need to be able to find a route to each other.  Since they apparently reside on different subnets (I'm just assuming these are class C subnets, since you didn't tell us), you'll need some device serving as a router between these two networks, and the client and the host each need to know to forward traffic destined for the other network to that router.

So for example:

-- Either needs a default route set to (default gateway)
-- Or a static route configured for 192.168.3.x via

   Router1 Interface1 -
   Router1 Interface2 -

-- either needs a default route set to (default gateway)
-- Or a static route configured for 192.168.150.x via

Sometimes the problem is as simple as one of the systems not having a default gateway configured.  When this is the case, the host can communicate with other hosts on the same subnet, but nothing else.

Suggest you post the following:

Blank out left two octets of any public addresses, but leave private addresses alone.

iSeries CFGTCP option 1
iSeries CFGTCP option 2

Same information from client - IP address, subnet mask, default gateway, static routes.

Also, determine if the default gateway on each system is pointing to the same router, or to different routers.  You may need some help from a network admin to make this determination if you aren't familiar with the network configuration.

Author Comment

ID: 40497084
giltjr, yes, both subnets can ping each other no problem.  and yes, two routers between the two subnets. router1 with 3.x and router2 with 150x.
LVL 34

Expert Comment

by:Gary Patterson
ID: 40497155
Subnets don't ping anything. Hosts ping other hosts.  

The question is, can the client ping the server, and can the server ping the client?  If so, then both are configured properly to route traffic to each other, and your problem is elsewhere.  For example, perhaps there is a firewall that is blocking TCP port 8- between the two hosts.

Author Comment

ID: 40497170
thanks Gary.  reading your entry made me realize I didn't put the whole detail in.
this is the details of what I have:

pc1@ router1 192.168.3.x, pc2@ 192.168.4.x  & iseries (server)@ router3 192.168.150.x with multiple NIC.

Pc1 & Pc2 are connected via vpn tunnel.   objective is to have pc1&pc2  access website on iSeries.

I didn't want to create a vpn between iseries and pc1 & pc2.   so what I did was, use one of the nics on the iseries to connect to router1 (192.168.3.x).  Now the iseries has two nics with two different subnets (192.168.3.x (nic2), 192.168.150.x (nic1).

given that iseries is now on 3.x, I am able to ping iseries from pc1 and viseversa.

given that both pc1, pc2 can ping the iseries and viseversa,  I tried to access the website on the iseries from both pc1 and pc2 but failed.  everytime I tried to access the website, I could see a banner in the status showing " accessing website on 192.168.150.x... then it failed.

keep in mind, when I'm on the 192.168.150.x subnet, the website comes up fine.

thank you.
LVL 34

Expert Comment

by:Gary Patterson
ID: 40497243
Ok.  That's a completely different matter.  Seems more complex than it has to be, too, but maybe you have a reason.

Sounds like you forgot to modify your web server configuration to run on the new 192.168.3.x address.  Are you running Apache?

Author Comment

ID: 40497246
yes, running on Apache

Author Comment

ID: 40497250
yes its setup that way for security reasons.  thanks
Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 40497267
And did you modify your Apache config to bind the 192.168.3.x interface?

Author Comment

ID: 40499895
thanks, Gary.   added the binding but now the site don't wanna come up.
LVL 57

Expert Comment

ID: 40500262
What version of Apache are you running?

I don't know where Apache stores its logs on iSeries, but what message are you seeing?
LVL 34

Expert Comment

by:Gary Patterson
ID: 40500494
Suggest you share your Apache config and, as giltjr requests, error log showing startup error.

Author Comment

ID: 40502016
here is the config:

  1    #2014
  2    Listen *:3080
  3    Listen 192.168.3.x:3080
  4    DocumentRoot /www/xxx/htdocs
  5    TraceEnable Off
  6    Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
  7    LogFormat "%h %T %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  8    LogFormat "%{Cookie}n \"%r\" %t" cookie
  9    LogFormat "%{User-agent}i" agent
  10    LogFormat "%{Referer}i -> %U" referer
  11    LogFormat "%h %l %u %t \"%r\" %>s %b" common
  12    LogMaint logs/error_log 30 0
  13    AccessFileName .htaccess
  14    SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
  15    SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
  16    SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
  17    SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
  18    SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
  19    SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
  20    DirectoryIndex index.html
  21    <Directory />
  22         Order Deny,Allow
  23         Deny From all
  24    </Directory>
  25    <Directory /www/xxx/htdocs>
  26         Order Allow,Deny
  27         Allow From all
  28    </Directory>
  29    ServerUserID xxxWNR
  30    CGIConvMode %%EBCDIC/EBCDIC%%
  31    Alias /xxxx/ /xxxx/
  32    ScriptAliasMatch ^/xxxxx/(.*) /QSYS.LIB/TIMEINIT.LIB/$1.PGM
  33    AliasMatch ^/xxxx/(.*) /xxxx/$1
  34    Redirect 307 /webaccess http://192.168.150.x:3080/xxx/clw0001
  35    Redirect 307 /employee http://192.168.150.x:3080/xxx/clw0041
  36    <Directory /xxx/>
  37        Allow From All
  38    </Directory>
  39    <Directory /QSYS.LIB/TIMEINIT.LIB/>
  40        Allow From All
  41    </Directory>
LVL 57

Accepted Solution

giltjr earned 250 total points
ID: 40502436
If you just have the two IP addresses on the iSeries since you have "Listen *:3080" you don't need "Listen 192.168.3.x:3080"

"Listen *:3080" tells Apache to listen on port 3080 on all/any IP addresses that this host has open.

"Listen 192.168.3.x:3080" tells Apache to listen on port 3080 on just IP address 192.168.3.x.  This would have been before, assuming that the iSeries only had one IP address.

If the iSeries has more that the two IP addresses you have mentioned here and you don't want Apache listening on them, then you need to code:

Listen 192.168.3.x:3080
Listen 192.168.150.x:3080

And remove the "Listen *:3080"

Also with the Redirect statements you have you do realize that when somebody access /webaccess or /employee they are going to be forced to go to the 192.168.150.x address.  Which means that you need to have the correct routing setup for all other IP subnets.
LVL 34

Expert Comment

by:Gary Patterson
ID: 40502850
Sounds like there is intentionally no routing set up for unexplained "security reasons".  

If this was me, and I had security requirements, then I'd have the two networks separated by a firewall and I'd be using ACLs (and possibly NAT) to restrict access between the two networks.  That way I could just publish on the one original address and let everyone access it.

I don't understand the network or the security requirements well enough to recommend a proper network design, though.   If you'd like to explain your requirements in detail, I'd be happy to make some suggestions.

Author Comment

ID: 40504451
thanks Gary and giltjr!  issue resolved...  additional listening port and routing path.

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
Samba is the de-facto standard program (or, more correctly: suite of programs) that UNIX and Linux systems use to share files with Microsoft Windows (and more recently, Mac OS-X) systems. Currently, there are 2 common versions of Samba available,…
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now