Home » Kerio User Forums » Kerio Control » PLEASE HELP
  •  
Goran

I'm totally crazy, I can't figure out why Control is so stupid.

Two weeks ago I reinstalled the server, and now I need to again (same problem)... It's mixing networks all the time...

The main address is 192.168.0.0, but I see in the filter that clients are trying to go through 172.16.0.0 (primary internet, on the same switch). It ONLY helps if I unplug that cable.

What is going on??
Can anyone help? How do I stop Control from doing this mix?

Question cannot be stupid, but some of the answers can.
  •  
ICT and Me

Goran. Same switch? No VLAN?
Then you have a problem. That isn't Control, but your switch.
Never mix IP ranges on one switch without VLAN.

[Updated on: Sun, 28 October 2012 14:06]


ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
Goran

Switch routing wrong?!
Unfortunately I can't separate it. Or I can, but I don't know how....
Suggestions...

  • Attachment: Nettwork.png
    (Size: 26.58KB, Downloaded 244 times)

Question cannot be stupid, but some of the answers can.
  •  
Goran

I forgot to say, the problem is:
Server2::Internet2
If I disable Internet2 in administration, the MIX starts (FUNNY).
If there is no internet access on Server2::Internet2 (WLAN broken), the MIX starts.
Only if I unplug the cable from Server2::Internet2 is there no MIX.

It was working for 2 weeks, then this started.

Subnets on all Internet interfaces and Home2 are 255.255.255.252.

[Updated on: Sun, 28 October 2012 15:23]


Question cannot be stupid, but some of the answers can.
  •  
silars

Server 1/2 = Control?

If so, you appear to have induced the potential for routing loops. You are load balancing links that exist between the two. This could lead to randomly odd behavior, depending on a variety of conditions.

I'd also have to support ICT's recommendation to make sure you are using VLANs to break up the IP domains into VLANs across your switches.

Also, your drawing seems to suggest there are two DHCP servers. Is this true?
  •  
Goran

Yes, both are Control.
No, it is not possible to make a loop because of the rules, and there are NO LOOPS!!
No, I don't use any virtual LAN, and I don't see the point of it... All NICs are real.
Yes, there are 2 DHCP servers, with different ranges and reservations as they should be.

Question cannot be stupid, but some of the answers can.
  •  
silars

One other thing to look at is the client and its routing table. You will also need to consult Control's routing table. There is a possibility that Control is issuing an ICMP Redirect.

If you have ensured that there are no routing loops, then the only possibility is the client is making the decision or Control is redirecting them.

Please keep in mind, these are all guesses. Without seeing your specific configurations, it is very difficult to diagnose this problem. This is actually a fairly complex configuration requiring very good network controls (No VLANs, multiple IP ranges, routing across the switches, multiple DHCP servers, etc.) It does sound like you've taken the proper precautions, but that just makes it harder to suggest possibilities.

Is Control running on Windows or Linux? Are there any routing protocols running on those servers? If there are no other routing protocols, Control should behave like any other static router. Packets should flow very predictably.

I hope these responses help. I wish you luck.



  •  
Goran

Hello Silars,
Yeah well... There is a problem...
It's the appliance (Linux)! There are also NIC driver problems (but I changed all the NICs).
On Windows everything works perfectly (tested).
I would not be so mad if the configuration on the appliance hadn't worked for 2 weeks.
But for me, problems on the appliance just keep repeating...

Thanks for the help, Silars.
Maybe some advice on how to make it better to avoid problems?
No, I'm not able to connect 2 different WLANs between the offices.

[Updated on: Mon, 29 October 2012 01:05]


Question cannot be stupid, but some of the answers can.
  •  
silars

Based on your requirements, I'm not sure there is a better way to configure it. I do like to separate traffic by broadcast domains. But there is no real requirement to do that. I'm just obsessive-compulsive like that. I just like to put things in their own containers.

I don't see any reason why your situation can't work.

I also use the appliance. I run using ESXi 5.1. I have 6 VMs (1 being Control) utilizing 3 vSwitches. I use 2 Broadcom 5720 based NICs and one Broadcom 5721 NIC. I haven't seen any odd behavior, but my network isn't quite as complicated as yours. I only have one Control appliance, too.

Since you are virtualized as well, that just adds another layer of complexity. This is no easy task.
  •  
ICT and Me

@Goran,

Based on your layout I have some remarks.
VLAN is needed on the switches, otherwise traffic will collide.
Whether it is physical or not, it doesn't matter.
The switches aren't that smart on the physical level. This is done on the VLAN level.
You are putting three IP ranges on every switch without VLAN.
Even worse, three different classes. This is really asking for trouble.
And yes, it seems to be working for a period. But at a certain time they will collide.

You must use VLAN on the switches if they support this.
Otherwise you must use separate hardware switches.
I understand that your WLAN is also the interconnection between the two switches, right?
If so, you need VLAN-supporting switches and your WLAN devices must also support WLAN.
Or multiple SSIDs (with separate IP support).

Your network isn't that difficult, only not well thought out.
I had one friend who did exactly the same with his network: put Internet traffic and LAN across the same switch. Performance dropped and there were a lot of collisions. He separated the traffic by hardware and the problems were solved. He didn't have a VLAN switch. He just bought a 5-port switch (cheap solution).

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
Goran

@silars
I'm using Realtek NICs.
Thanks for the info.

@ICT and Me
Thanks,
My switches do not support VLAN... I can buy some, of course.
My next question is:
Is it possible to create VLANs in the switch so that office 1 and 2 can have file sharing?
So here is how I think:
Server1 switch:
Home1 to Office1
Home2 to WLAN
Office1 to WLAN
WLAN to Internet2

Server2 switch:
Home1 to Office2
Home2 to WLAN
Internet2 to WLAN
Office2 to WLAN

Is that possible? And do I gain anything with that?
Also, I'm using DWL-2100AP and they support multiple SSIDs, but they have only 1 LAN connector, so again I can't separate it.

But I'm still not sure the problem is in the switches, because when I disable the network (Internet2) in Control, I can still see in the filter that packets get blocked from Internet2 at Server2 from Office2. As I said, only unplugging the cable stops packets going from that interface. Why is that?

[Updated on: Mon, 29 October 2012 12:02]


Question cannot be stupid, but some of the answers can.
  •  
Goran

OK, just to add.
I got one Cisco 3550 switch; it works perfectly.
It has TRUNK.
I will get another Cisco if anyone can answer me.
Will the TRUNK VLANs go through the WLAN, or will they get lost? Do other "switches" translate TRUNK, or does it get lost?
I tried with the Cisco simulation "Cisco Packet Tracer" and TRUNK VLAN works only if directly connected. Can anyone tell me whether VLAN will get through WLAN?

[Updated on: Sun, 04 November 2012 01:44]


Question cannot be stupid, but some of the answers can.
  •  
silars

VLAN information (802.1Q) can be transmitted over the 802.11 protocols. However, this is device specific. Not all 802.11 devices must carry VLAN. You will need to verify that your wireless links can support 802.1Q.

I don't mind helping if you can tell us what you are using for Wi-fi.

You can also cheat if your Wi-fi device supports SSID to VLAN mapping.
  •  
Goran

Thanks for the answer, silars.
I'm using D-Link DWL 2100AP.
This access point doesn't have VLAN... But I read that it supports 802.1Q in AP mode; not sure about WDS (bridge) mode.
My WLAN network looks like the picture (it's a little complicated).

I think I just need to test it... Otherwise I will never know.

  • Attachment: WlANconn.png
    (Size: 14.22KB, Downloaded 277 times)

Question cannot be stupid, but some of the answers can.
silars

Quick look on the DWL-2100AP...

It doesn't appear to support VLANs across a single SSID. You will need to use multiple SSIDs. You then map each SSID to a VLAN. That might change for bridging modes.

Can't hurt to try VLANs across a single SSID though. It might work.
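
One way to run the test discussed in this thread (whether an 802.1Q tag survives the wireless bridge), added here as an example and not part of any poster's message: compare a raw Ethernet frame captured on the sending side with the same frame captured on the far side of the link. The VLAN ID 20, the MAC addresses and both sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
TPID_8021AD = 0x88A8  # IEEE 802.1ad outer tag (QinQ)

def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype) for a raw Ethernet II frame.

    tags lists every VLAN tag, outermost first; an empty list means untagged.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4  # step over TPID + TCI to the next EtherType field

def tag_survived(sent: bytes, received: bytes) -> bool:
    """True only if the sent frame was tagged and the far side saw the same VLAN IDs."""
    sent_vids = [t["vid"] for t in parse_vlan_tags(sent)[0]]
    recv_vids = [t["vid"] for t in parse_vlan_tags(received)[0]]
    return bool(sent_vids) and sent_vids == recv_vids

# Constructed sample frames (not captures from the network in this thread).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")  # locally administered test MAC
PAYLOAD = b"\x00" * 46
# Sent on the trunk: priority 5, VLAN 20, carrying IPv4 (0x0800).
TAGGED = DST + SRC + struct.pack("!HH", TPID_8021Q, (5 << 13) | 20) \
    + struct.pack("!H", 0x0800) + PAYLOAD
# What a bridge that drops the tag would deliver on the far side.
STRIPPED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    print("sent:", parse_vlan_tags(TAGGED))
    print("tag preserved:", tag_survived(TAGGED, TAGGED))
    print("tag stripped: ", not tag_survived(TAGGED, STRIPPED))
```

A frame that arrives untagged means the link is flattening the VLANs into one broadcast domain, which is the mixing the thread is trying to eliminate.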