Solved

Can an iSeries vsr1 share a website with two different subnets?

Posted on 2014-12-11
Last Modified: 2014-12-17
Here is my scenario:

I have two subnets:  192.168.3.x  &  192.168.150.x

When I access the website from 150.x there is no problem. When I tried to access the website from 3.x, it wouldn't go. My objective is to ensure both 150.x and 3.x users can access the site.

The website was originally created and resides on 150.x
Question by:mwauki
16 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 40496809
From a host on the 192.168.3.x subnet can you ping the IP address of the iSeries?

From the iSeries can you ping a host on the 192.168.3.x subnet?

Do you have a router between the two subnets?
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40496923
Short answer is "yes", of course.  Web servers communicate with client computers on other networks - even networks across the world from each other - every second of every day.

When two hosts on different networks need to communicate via IP, they each need to be able to find a route to each other.  Since they apparently reside on different subnets (I'm just assuming these are class C subnets, since you didn't tell us), you'll need some device serving as a router between these two networks, and the client and the host each need to know to forward traffic destined for the other network to that router.

So for example:

iSeries 192.168.150.99
-- Either needs a default route set to 192.168.150.99 (default gateway)
-- Or a static route configured for 192.168.3.x via 192.168.150.1

   Router1 Interface1 -192.168.50.1
   Router1 Interface2 - 192.168.3.1

Client 192.168.3.177
-- either needs a default route set to 192.168.3.1 (default gateway)
-- Or a static route configured for 192.168.150.x via 192.168.3.1

Sometimes the problem is as simple as one of the systems not having a default gateway configured.  When this is the case, the host can communicate with other hosts on the same subnet, but nothing else.

Suggest you post the following:

Blank out left two octets of any public addresses, but leave private addresses alone.

iSeries CFGTCP option 1
iSeries CFGTCP option 2

Same information from client - IP address, subnet mask, default gateway, static routes.

Also, determine if the default gateway on each system is pointing to the same router, or to different routers.  You may need some help from a network admin to make this determination if you aren't familiar with the network configuration.
0
 

Author Comment

by:mwauki
ID: 40497084
giltjr, yes, both subnets can ping each other no problem. And yes, two routers between the two subnets: router1 with 3.x and router2 with 150.x.
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40497155
Subnets don't ping anything. Hosts ping other hosts.  

The question is, can the client ping the server, and can the server ping the client?  If so, then both are configured properly to route traffic to each other, and your problem is elsewhere.  For example, perhaps there is a firewall that is blocking TCP port 8- between the two hosts.
0
 

Author Comment

by:mwauki
ID: 40497170
Thanks Gary. Reading your entry made me realize I didn't put the whole detail in.
These are the details of what I have:

pc1 @ router1 192.168.3.x, pc2 @ 192.168.4.x & iSeries (server) @ router3 192.168.150.x with multiple NICs.

pc1 & pc2 are connected via VPN tunnel. The objective is to have pc1 & pc2 access the website on the iSeries.

I didn't want to create a VPN between the iSeries and pc1 & pc2, so what I did was use one of the NICs on the iSeries to connect to router1 (192.168.3.x). Now the iSeries has two NICs with two different subnets: 192.168.3.x (nic2) and 192.168.150.x (nic1).

Given that the iSeries is now on 3.x, I am able to ping the iSeries from pc1 and vice versa.

Given that both pc1 and pc2 can ping the iSeries and vice versa, I tried to access the website on the iSeries from both pc1 and pc2 but failed. Every time I tried to access the website, I could see a banner in the status showing "accessing website on 192.168.150.x..." then it failed.

Keep in mind, when I'm on the 192.168.150.x subnet, the website comes up fine.

Thank you.
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40497243
Ok.  That's a completely different matter.  Seems more complex than it has to be, too, but maybe you have a reason.

Sounds like you forgot to modify your web server configuration to run on the new 192.168.3.x address.  Are you running Apache?
0
 

Author Comment

by:mwauki
ID: 40497246
yes, running on Apache
0
 

Author Comment

by:mwauki
ID: 40497250
Yes, it's set up that way for security reasons. Thanks.
0
 
LVL 35

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 40497267
And did you modify your Apache config to bind the 192.168.3.x interface?

http://www.moko.ru/doc/apache/bind.html
0
 

Author Comment

by:mwauki
ID: 40499895
Thanks, Gary. Added the binding, but now the site doesn't want to come up.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40500262
What version of Apache are you running?

I don't know where Apache stores its logs on iSeries, but what message are you seeing?
0
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40500494
Suggest you share your Apache config and, as giltjr requests, error log showing startup error.
0
 

Author Comment

by:mwauki
ID: 40502016
here is the config:


#2014
Listen *:3080
Listen 192.168.3.x:3080
DocumentRoot /www/xxx/htdocs
TraceEnable Off
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
LogFormat "%h %T %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogMaint logs/error_log 30 0
AccessFileName .htaccess
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
<Directory />
     Order Deny,Allow
     Deny From all
</Directory>
<Directory /www/xxx/htdocs>
     Order Allow,Deny
     Allow From all
</Directory>
ServerUserID xxxWNR
CGIConvMode %%EBCDIC/EBCDIC%%
Alias /xxxx/ /xxxx/
ScriptAliasMatch ^/xxxxx/(.*) /QSYS.LIB/TIMEINIT.LIB/$1.PGM
AliasMatch ^/xxxx/(.*) /xxxx/$1
Redirect 307 /webaccess http://192.168.150.x:3080/xxx/clw0001
Redirect 307 /employee http://192.168.150.x:3080/xxx/clw0041
<Directory /xxx/>
    Allow From All
</Directory>
<Directory /QSYS.LIB/TIMEINIT.LIB/>
    Allow From All
</Directory>
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 40502436
If you just have the two IP addresses on the iSeries, then since you have "Listen *:3080" you don't need "Listen 192.168.3.x:3080".

"Listen *:3080" tells Apache to listen on port 3080 on all/any IP addresses that this host has open.

"Listen 192.168.3.x:3080" tells Apache to listen on port 3080 on just IP address 192.168.3.x.  This would have been before, assuming that the iSeries only had one IP address.

If the iSeries has more than the two IP addresses you have mentioned here and you don't want Apache listening on them, then you need to code:

Listen 192.168.3.x:3080
Listen 192.168.150.x:3080

And remove the "Listen *:3080"

Also, with the Redirect statements you have, you do realize that when somebody accesses /webaccess or /employee they are going to be forced to go to the 192.168.150.x address?  Which means that you need to have the correct routing set up for all other IP subnets.
0
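An added example, not part of the original thread or of any poster's own code: a Python check for the two points raised in the accepted answer, an address-specific Listen already covered by a wildcard on the same port, and Redirect targets pinned to a literal IP outside the client's subnet. The sample config, the `.10` host octets and the /24 masks are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the directives quoted in the thread; the
# host octet ".10" is a placeholder, the post only gives "192.168.3.x".
SAMPLE_CONF = """\
Listen *:3080
Listen 192.168.3.10:3080
Redirect 307 /webaccess http://192.168.150.10:3080/xxx/clw0001
Redirect 307 /employee http://192.168.150.10:3080/xxx/clw0041
"""
WILDCARDS = ("*", "0.0.0.0")

def parse_listens(conf):
    """Return [(address, port)]; address is '*' when no address is given."""
    found = []
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(?:(\S+):)?(\d+)(?:\s+\S+)?\s*$", line, re.I)
        if m:
            found.append((m.group(1) or "*", int(m.group(2))))
    return found

def overlapping_listens(listens):
    """Address-specific Listens already covered by a wildcard on the same port."""
    wild_ports = {port for addr, port in listens if addr in WILDCARDS}
    return [(a, p) for a, p in listens if a not in WILDCARDS and p in wild_ports]

def offnet_redirects(conf, client_net):
    """Redirects whose literal-IP target lies outside the client's subnet,
    so the client needs a working route to follow them."""
    net = ipaddress.ip_network(client_net)
    hits = []
    for line in conf.splitlines():
        m = re.match(r"\s*Redirect\s+(?:\S+\s+)?(\S+)\s+https?://([^/:\s]+)", line, re.I)
        if not m:
            continue
        try:
            target = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # hostname target: name resolution decides, skip here
        if target not in net:
            hits.append((m.group(1), str(target)))
    return hits

if __name__ == "__main__":
    print("overlapping Listen:", overlapping_listens(parse_listens(SAMPLE_CONF)))
    # /24 masks are an assumption; the thread never states the subnet masks.
    print("off-net redirects:", offnet_redirects(SAMPLE_CONF, "192.168.3.0/24"))
```

Listing every bound address explicitly, as the answer suggests for hosts with more than two addresses, also keeps the server off any interface added later.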
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 40502850
Sounds like there is intentionally no routing set up for unexplained "security reasons".  

If this was me, and I had security requirements, then I'd have the two networks separated by a firewall and I'd be using ACLs (and possibly NAT) to restrict access between the two networks.  That way I could just publish on the one original address and let everyone access it.

I don't understand the network or the security requirements well enough to recommend a proper network design, though.   If you'd like to explain your requirements in detail, I'd be happy to make some suggestions.
0
 

Author Comment

by:mwauki
ID: 40504451
thanks Gary and giltjr!  issue resolved...  additional listening port and routing path.
0
