Can an iSeries vsr1 share a website with two different subnets?

Here is my scenario:

I have two subnets:  192.168.3.x  &  192.168.150.x

When I access the website from 150.x, there is no problem. When I tried to access the website from 3.x, it wouldn't go. My objective is to ensure both 150.x and 3.x users can access the site.

The website was originally created and resides on 150.x.
mwauki (Systems Engineer) Asked:

giltjr Commented:
From a host on the 192.168.3.x subnet can you ping the IP address of the iSeries?

From the iSeries can you ping a host on the 192.168.3.x subnet?

Do you have a router between the two subnets?
0
Gary Patterson (VP Technology / Senior Consultant) Commented:
Short answer is "yes", of course.  Web servers communicate with client computers on other networks - even networks across the world from each other - every second of every day.

When two hosts on different networks need to communicate via IP, they each need to be able to find a route to each other.  Since they apparently reside on different subnets (I'm just assuming these are class C subnets, since you didn't tell us), you'll need some device serving as a router between these two networks, and the client and the host each need to know to forward traffic destined for the other network to that router.

So for example:

iSeries 192.168.150.99
-- Either needs a default route set to 192.168.150.99 (default gateway)
-- Or a static route configured for 192.168.3.x via 192.168.150.1

   Router1 Interface1 -192.168.50.1
   Router1 Interface2 - 192.168.3.1

Client 192.168.3.177
-- either needs a default route set to 192.168.3.1 (default gateway)
-- Or a static route configured for 192.168.150.x via 192.168.3.1

Sometimes the problem is as simple as one of the systems not having a default gateway configured.  When this is the case, the host can communicate with other hosts on the same subnet, but nothing else.

Suggest you post the following:

Blank out left two octets of any public addresses, but leave private addresses alone.

iSeries CFGTCP option 1
iSeries CFGTCP option 2

Same information from client - IP address, subnet mask, default gateway, static routes.

Also, determine if the default gateway on each system is pointing to the same router, or to different routers.  You may need some help from a network admin to make this determination if you aren't familiar with the network configuration.
0
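The next-hop decision described in the answer above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a host's interfaces and routes. It uses the answer's addresses with /24 masks assumed and 192.168.150.1 as the router interface on the server side; `next_hop`, `scenarios` and the 192.168.3.50 second NIC address are hypothetical.

```python
import ipaddress

def next_hop(dest, interfaces, routes):
    """Pick the next hop for dest by longest-prefix match.

    interfaces: "addr/prefix" strings configured on the host
    routes:     (destination_network, gateway) pairs; "0.0.0.0/0" is the default
    Returns "on-link", a gateway address, or None when the host has no route.
    """
    dest = ipaddress.ip_address(dest)
    candidates = []
    for ifc in interfaces:
        net = ipaddress.ip_interface(ifc).network
        if dest in net:                      # same subnet: deliver directly
            candidates.append((net.prefixlen, "on-link"))
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        if dest in net:                      # static or default route matches
            candidates.append((net.prefixlen, gateway))
    if not candidates:
        return None                          # no gateway configured: unreachable
    return max(candidates, key=lambda c: c[0])[1]

def scenarios():
    """How the server (192.168.150.99/24 assumed) reaches client 192.168.3.177."""
    server, client = ["192.168.150.99/24"], "192.168.3.177"
    return {
        "no gateway": next_hop(client, server, []),
        "default gateway": next_hop(client, server, [("0.0.0.0/0", "192.168.150.1")]),
        "static route": next_hop(client, server, [("192.168.3.0/24", "192.168.150.1")]),
        # Second NIC on the client subnet (address constructed for the example).
        "dual-homed": next_hop(client, server + ["192.168.3.50/24"], []),
        "same subnet": next_hop("192.168.150.20", server, []),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:16} -> {hop}")
```
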
mwauki (Systems Engineer, Author) Commented:
giltjr, yes, both subnets can ping each other no problem. And yes, two routers between the two subnets: router1 with 3.x and router2 with 150.x.
0

Gary Patterson (VP Technology / Senior Consultant) Commented:
Subnets don't ping anything. Hosts ping other hosts.  

The question is, can the client ping the server, and can the server ping the client?  If so, then both are configured properly to route traffic to each other, and your problem is elsewhere.  For example, perhaps there is a firewall that is blocking TCP port 8- between the two hosts.
0
mwauki (Systems Engineer, Author) Commented:
Thanks, Gary. Reading your entry made me realize I didn't put the whole detail in.
These are the details of what I have:

pc1@ router1 192.168.3.x, pc2@ 192.168.4.x  & iseries (server)@ router3 192.168.150.x with multiple NIC.

Pc1 & Pc2 are connected via VPN tunnel. The objective is to have pc1 & pc2 access the website on the iSeries.

I didn't want to create a VPN between the iSeries and pc1 & pc2, so what I did was use one of the NICs on the iSeries to connect to router1 (192.168.3.x). Now the iSeries has two NICs on two different subnets: 192.168.3.x (nic2) and 192.168.150.x (nic1).

Given that the iSeries is now on 3.x, I am able to ping the iSeries from pc1 and vice versa.

Given that both pc1 and pc2 can ping the iSeries and vice versa, I tried to access the website on the iSeries from both pc1 and pc2 but failed. Every time I tried to access the website, I could see a banner in the status showing "accessing website on 192.168.150.x..." and then it failed.

Keep in mind, when I'm on the 192.168.150.x subnet, the website comes up fine.

thank you.
0
Gary Patterson (VP Technology / Senior Consultant) Commented:
Ok.  That's a completely different matter.  Seems more complex than it has to be, too, but maybe you have a reason.

Sounds like you forgot to modify your web server configuration to run on the new 192.168.3.x address.  Are you running Apache?
0
mwauki (Systems Engineer, Author) Commented:
Yes, running on Apache.
0
mwauki (Systems Engineer, Author) Commented:
Yes, it's set up that way for security reasons. Thanks.
0
Gary Patterson (VP Technology / Senior Consultant) Commented:
And did you modify your Apache config to bind the 192.168.3.x interface?

http://www.moko.ru/doc/apache/bind.html
0
mwauki (Systems Engineer, Author) Commented:
Thanks, Gary. Added the binding, but now the site doesn't want to come up.
0
giltjr Commented:
What version of Apache are you running?

I don't know where Apache stores its logs on iSeries, but what message are you seeing?
0
Gary Patterson (VP Technology / Senior Consultant) Commented:
Suggest you share your Apache config and, as giltjr requests, error log showing startup error.
0
mwauki (Systems Engineer, Author) Commented:
Here is the config:


#2014
Listen *:3080
Listen 192.168.3.x:3080
DocumentRoot /www/xxx/htdocs
TraceEnable Off
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
LogFormat "%h %T %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogMaint logs/error_log 30 0
AccessFileName .htaccess
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
<Directory />
    Order Deny,Allow
    Deny From all
</Directory>
<Directory /www/xxx/htdocs>
    Order Allow,Deny
    Allow From all
</Directory>
ServerUserID xxxWNR
CGIConvMode %%EBCDIC/EBCDIC%%
Alias /xxxx/ /xxxx/
ScriptAliasMatch ^/xxxxx/(.*) /QSYS.LIB/TIMEINIT.LIB/$1.PGM
AliasMatch ^/xxxx/(.*) /xxxx/$1
Redirect 307 /webaccess http://192.168.150.x:3080/xxx/clw0001
Redirect 307 /employee http://192.168.150.x:3080/xxx/clw0041
<Directory /xxx/>
    Allow From All
</Directory>
<Directory /QSYS.LIB/TIMEINIT.LIB/>
    Allow From All
</Directory>
0
giltjr Commented:
If you just have the two IP addresses on the iSeries since you have "Listen *:3080" you don't need "Listen 192.168.3.x:3080"

"Listen *:3080" tells Apache to listen on port 3080 on all/any IP addresses that this host has open.

"Listen 192.168.3.x:3080" tells Apache to listen on port 3080 on just IP address 192.168.3.x.  This would have been before, assuming that the iSeries only had one IP address.

If the iSeries has more than the two IP addresses you have mentioned here and you don't want Apache listening on them, then you need to code:

Listen 192.168.3.x:3080
Listen 192.168.150.x:3080

And remove the "Listen *:3080"

Also, with the Redirect statements you have, you do realize that when somebody accesses /webaccess or /employee they are going to be forced to go to the 192.168.150.x address. Which means that you need to have the correct routing set up for all other IP subnets.
0
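A check for the two points giltjr raises, as an added example that is not from the thread or from Apache: it parses `Listen` and `Redirect` lines, flags a specific `Listen` that overlaps a wildcard on the same port (stock Apache httpd documents overlapping `Listen` directives as a fatal startup error), flags wildcard exposure, and flags redirects to an address the client subnet cannot reach. The host octets in the samples and the `client_reachable` input are constructed assumptions; `parse` and `audit` are hypothetical helpers.

```python
from urllib.parse import urlsplit

# Constructed samples modelled on the posted config; host octets are made up.
SAMPLE = """\
Listen *:3080
Listen 192.168.3.10:3080
Redirect 307 /webaccess http://192.168.150.10:3080/xxx/clw0001
Redirect 307 /employee http://192.168.150.10:3080/xxx/clw0041
"""
FIXED = """\
Listen 192.168.3.10:3080
Listen 192.168.150.10:3080
Redirect 307 /webaccess http://192.168.150.10:3080/xxx/clw0001
"""
WILDCARDS = ("*", "0.0.0.0")

def parse(conf):
    """Return ([(addr, port)], [(url_path, target_url)]) from a config text."""
    listens, redirects = [], []
    for raw in conf.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        name = tok[0].lower()
        if name == "listen" and len(tok) >= 2:
            addr, _, port = tok[1].rpartition(":")   # "3080" alone means all addresses
            listens.append((addr or "*", int(port)))
        elif name == "redirect" and len(tok) >= 3:
            redirects.append((tok[-2], tok[-1]))     # optional status comes first
    return listens, redirects

def audit(conf, client_reachable):
    """client_reachable: server addresses the client subnet can route to (assumed)."""
    listens, redirects = parse(conf)
    wild_ports = {port for addr, port in listens if addr in WILDCARDS}
    findings = [f"overlap: Listen {a}:{p} duplicates the wildcard on port {p}"
                for a, p in listens if a not in WILDCARDS and p in wild_ports]
    findings += [f"wildcard: port {p} is open on every address of the host"
                 for p in sorted(wild_ports)]
    for path, url in redirects:
        host = urlsplit(url).hostname
        if host and host not in client_reachable:
            findings.append(f"redirect: {path} sends clients to unreachable {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"192.168.3.10"})))
```
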

Gary Patterson (VP Technology / Senior Consultant) Commented:
Sounds like there is intentionally no routing set up for unexplained "security reasons".  

If this was me, and I had security requirements, then I'd have the two networks separated by a firewall and I'd be using ACLs (and possibly NAT) to restrict access between the two networks.  That way I could just publish on the one original address and let everyone access it.

I don't understand the network or the security requirements well enough to recommend a proper network design, though.   If you'd like to explain your requirements in detail, I'd be happy to make some suggestions.
0
mwauki (Systems Engineer, Author) Commented:
thanks Gary and giltjr!  issue resolved...  additional listening port and routing path.
0