can an iSeries vsr1 shares a website with two different subnest?

mwauki used Ask the Experts™
here is how my scenario is:

I have two subnets:  192.168.3.x  &  192.168.150.x

when I access the website from 150.x there is no problem.    When I tried to access the website from 3.x, it wouldn't go.   My objective is to ensure both 150.x and 3.x users can access the site.  

the website is originally created and reside on 150.x
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2014

From a host on the 192.168.3.x subnet can you ping the IP address of the iSeries?

From the iSeries can you ping a host on the 192.168.3.x subnet?

Do you have a router between the two subnets?
Gary PattersonVP Technology / Senior Consultant

Short answer is "yes", of course.  Web servers communicate with client computers on other networks - even networks across the world from each other - every second of every day.

When two hosts on different networks need to communicate via IP, they each need to be able to find a route to each other.  Since they apparently reside on different subnets (I'm just assuming these are class C subnets, since you didn't tell us), you'll need some device serving as a router between these two networks, and the client and the host each need to know to forward traffic destined for the other network to that router.

So for example:

-- Either needs a default route set to (default gateway)
-- Or a static route configured for 192.168.3.x via

   Router1 Interface1 -
   Router1 Interface2 -

-- either needs a default route set to (default gateway)
-- Or a static route configured for 192.168.150.x via

Sometimes the problem is as simple as one of the systems not having a default gateway configured.  When this is the case, the host can communicate with other hosts on the same subnet, but nothing else.

Suggest you post the following:

Blank out left two octets of any public addresses, but leave private addresses alone.

iSeries CFGTCP option 1
iSeries CFGTCP option 2

Same information from client - IP address, subnet mask, default gateway, static routes.

Also, determine if the default gateway on each system is pointing to the same router, or to different routers.  You may need some help from a network admin to make this determination if you aren't familiar with the network configuration.
mwaukiSystems Engineer


giltjr, yes, both subnets can ping each other no problem.  and yes, two routers between the two subnets. router1 with 3.x and router2 with 150x.
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

Gary PattersonVP Technology / Senior Consultant

Subnets don't ping anything. Hosts ping other hosts.  

The question is, can the client ping the server, and can the server ping the client?  If so, then both are configured properly to route traffic to each other, and your problem is elsewhere.  For example, perhaps there is a firewall that is blocking TCP port 8- between the two hosts.
mwaukiSystems Engineer


thanks Gary.  reading your entry made me realize I didn't put the whole detail in.
this is the details of what I have:

pc1@ router1 192.168.3.x, pc2@ 192.168.4.x  & iseries (server)@ router3 192.168.150.x with multiple NIC.

Pc1 & Pc2 are connected via vpn tunnel.   objective is to have pc1&pc2  access website on iSeries.

I didn't want to create a vpn between iseries and pc1 & pc2.   so what I did was, use one of the nics on the iseries to connect to router1 (192.168.3.x).  Now the iseries has two nics with two different subnets (192.168.3.x (nic2), 192.168.150.x (nic1).

given that iseries is now on 3.x, I am able to ping iseries from pc1 and viseversa.

given that both pc1, pc2 can ping the iseries and viseversa,  I tried to access the website on the iseries from both pc1 and pc2 but failed.  everytime I tried to access the website, I could see a banner in the status showing " accessing website on 192.168.150.x... then it failed.

keep in mind, when I'm on the 192.168.150.x subnet, the website comes up fine.

thank you.
Gary PattersonVP Technology / Senior Consultant

Ok.  That's a completely different matter.  Seems more complex than it has to be, too, but maybe you have a reason.

Sounds like you forgot to modify your web server configuration to run on the new 192.168.3.x address.  Are you running Apache?
mwaukiSystems Engineer


yes, running on Apache
mwaukiSystems Engineer


yes its setup that way for security reasons.  thanks
Gary PattersonVP Technology / Senior Consultant
And did you modify your Apache config to bind the 192.168.3.x interface?
mwaukiSystems Engineer


thanks, Gary.   added the binding but now the site don't wanna come up.
Top Expert 2014

What version of Apache are you running?

I don't know where Apache stores its logs on iSeries, but what message are you seeing?
Gary PattersonVP Technology / Senior Consultant

Suggest you share your Apache config and, as giltjr requests, error log showing startup error.
mwaukiSystems Engineer


here is the config:

  1    #2014
  2    Listen *:3080
  3    Listen 192.168.3.x:3080
  4    DocumentRoot /www/xxx/htdocs
  5    TraceEnable Off
  6    Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
  7    LogFormat "%h %T %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  8    LogFormat "%{Cookie}n \"%r\" %t" cookie
  9    LogFormat "%{User-agent}i" agent
  10    LogFormat "%{Referer}i -> %U" referer
  11    LogFormat "%h %l %u %t \"%r\" %>s %b" common
  12    LogMaint logs/error_log 30 0
  13    AccessFileName .htaccess
  14    SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
  15    SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
  16    SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
  17    SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
  18    SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
  19    SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
  20    DirectoryIndex index.html
  21    <Directory />
  22         Order Deny,Allow
  23         Deny From all
  24    </Directory>
  25    <Directory /www/xxx/htdocs>
  26         Order Allow,Deny
  27         Allow From all
  28    </Directory>
  29    ServerUserID xxxWNR
  30    CGIConvMode %%EBCDIC/EBCDIC%%
  31    Alias /xxxx/ /xxxx/
  32    ScriptAliasMatch ^/xxxxx/(.*) /QSYS.LIB/TIMEINIT.LIB/$1.PGM
  33    AliasMatch ^/xxxx/(.*) /xxxx/$1
  34    Redirect 307 /webaccess http://192.168.150.x:3080/xxx/clw0001 
  35    Redirect 307 /employee http://192.168.150.x:3080/xxx/clw0041 
  36    <Directory /xxx/>
  37        Allow From All
  38    </Directory>
  39    <Directory /QSYS.LIB/TIMEINIT.LIB/>
  40        Allow From All
  41    </Directory>
Top Expert 2014
If you just have the two IP addresses on the iSeries since you have "Listen *:3080" you don't need "Listen 192.168.3.x:3080"

"Listen *:3080" tells Apache to listen on port 3080 on all/any IP addresses that this host has open.

"Listen 192.168.3.x:3080" tells Apache to listen on port 3080 on just IP address 192.168.3.x.  This would have been before, assuming that the iSeries only had one IP address.

If the iSeries has more that the two IP addresses you have mentioned here and you don't want Apache listening on them, then you need to code:

Listen 192.168.3.x:3080
Listen 192.168.150.x:3080

And remove the "Listen *:3080"

Also with the Redirect statements you have you do realize that when somebody access /webaccess or /employee they are going to be forced to go to the 192.168.150.x address.  Which means that you need to have the correct routing setup for all other IP subnets.
Gary PattersonVP Technology / Senior Consultant

Sounds like there is intentionally no routing set up for unexplained "security reasons".  

If this was me, and I had security requirements, then I'd have the two networks separated by a firewall and I'd be using ACLs (and possibly NAT) to restrict access between the two networks.  That way I could just publish on the one original address and let everyone access it.

I don't understand the network or the security requirements well enough to recommend a proper network design, though.   If you'd like to explain your requirements in detail, I'd be happy to make some suggestions.
mwaukiSystems Engineer


thanks Gary and giltjr!  issue resolved...  additional listening port and routing path.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial