Hello. I am having two problems with internal web servers and VLANs.
Here is a description of the existing infrastructure:
Business cable modem with a block of static IPs. These IPs are for example only and are not my current set, just an outdated set from an old block I was once assigned.
Kerio WAN interface is configured with these IP addresses.
LAN has 3 VLANS:
10.0.0.0 VLAN 1
10.20.30.0 VLAN 2
172.16.32.0 VLAN 3
Cisco SG-300 is in L3 mode and has IPs:
The two issues I am having:
1. Server-host on VLAN 1 uses 10.0.0.4 as the router, and its DHCP server is handing out 10.0.0.4 as the router to clients. This is working as expected for both the server and the clients.
Inside the VLAN 1 network I am running several web servers that each has a unique public IP. All servers assigned to the main 188.8.131.52 IP work normally, being reachable from inside the LAN, across VLANs and from the WAN. These servers run on port 80, 443 and 8443.
However the servers that are running on the other IP addresses are not reachable from the WAN, while they are reachable via the LAN and across VLANs.
For example a server on 184.108.40.206 is https://my-server1.mydomain.com:8443 works as expected, while server on 220.127.116.11 https://my-server2.mydomain.com:8443 is not reachable from the WAN, while it is reachable via the LAN and across VLANs. This isn't a DNS issue because accessing servers by IP produces the same result.
I have traffic rules:
Name - my-server1.mydomain.com.
Source - any.
Destination - 18.104.22.168 and my-server1.mydomain.com
Name - my-server2.mydomain.com.
Source - any.
Destination - 22.214.171.124 and my-server2.mydomain.com
This does not work.
I am at a loss for how to get these web servers working from the WAN. Any feedback will be appreciated!
2. Now the second issue:
The main server-host on VLAN2 10.20.30.0 has the IP of 10.20.30.2.
When I used 10.20.30.1 as the router I had WAN access but no access to services across VLANs. When I used 10.20.30.4 as the router the effect was the reverse.
So I created the static route 10.20.30.0 - 255.255.255.252 - 10.0.0.4 - Ethernet LAN. I then set 10.20.30.4 as the router. This permits the server at 10.20.30.2 to access internal and external resources.
However I configured the DHCP service on this server to issue 10.20.30.4 to clients on the VLAN 2 network. With this they can access internal resources across VLANs but not external resources on the WAN.
Similar to the server examples above, there is a Kerio Connect mail server running on this VLAN 2 with IP 10.20.30.10. It is reachable from the LAN & across VLANs, but not the WAN.
I have the traffic rules:
Name - Kerio Mail
Source - Internet Interfaces
Destination - Its Public IP
Services - DNS, HTTP, HTTPS, IMAP, IMAPS, Kerio Connect Web Admin, SMTP, SMTPS.
Name - Kerio Mail Out
Source - 10.20.30.10
Destination - Any
Services - DNS, SMTP, SMTP Message Submission, SMTPS
MAP - Public IP
Thank you for any suggestions that may or may not solve this!
[Updated on: Sun, 18 January 2015 21:12]
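Added example, not part of the post or of Kerio's own tooling: a longest-prefix-match lookup over the static route exactly as written in the post (10.20.30.0 with mask 255.255.255.252, i.e. a /30 that spans only 10.20.30.0 to 10.20.30.3), showing which VLAN 2 addresses that route covers and which fall through to the default route. The /24 comparison table, the gateway labels and the 10.20.30.50 DHCP client are constructed assumptions for illustration.

```python
import ipaddress

# Routing table constructed for this example, modelled on the post:
# the static route as written (255.255.255.252 = /30) plus a default route.
# Gateway/interface labels are placeholders, not Kerio configuration.
ROUTES_AS_WRITTEN = [
    ("10.0.0.0/24",   "directly connected",  "LAN VLAN 1"),
    ("10.20.30.0/30", "10.0.0.4",            "Ethernet LAN"),  # the post's static route
    ("0.0.0.0/0",     "WAN default gateway", "WAN"),
]

# Assumed alternative: the same route with a /24 mask (an assumption, not from the post).
ROUTES_SLASH_24 = [
    ("10.0.0.0/24",   "directly connected",  "LAN VLAN 1"),
    ("10.20.30.0/24", "10.0.0.4",            "Ethernet LAN"),
    ("0.0.0.0/0",     "WAN default gateway", "WAN"),
]

# VLAN 2 hosts named in the post, plus one constructed DHCP client (.50).
VLAN2_HOSTS = ["10.20.30.2", "10.20.30.4", "10.20.30.10", "10.20.30.50"]


def lookup(routes, dst):
    """Longest-prefix match: (prefix, gateway, iface) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (str(best[0]), best[1], best[2])


def covered_by_static(routes, hosts):
    """For each host: True if return traffic is sent via 10.0.0.4, False if it hits the default route."""
    return {h: lookup(routes, h)[1] == "10.0.0.4" for h in hosts}


if __name__ == "__main__":
    for name, table in (("as written (/30)", ROUTES_AS_WRITTEN), ("assumed /24", ROUTES_SLASH_24)):
        print(name)
        for h in VLAN2_HOSTS:
            print(f"  {h:<12} -> {lookup(table, h)}")
```

With the /30 mask only 10.20.30.2 matches the static route; 10.20.30.10 and any DHCP client are routed via the default route instead.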
Thank you. I had considered proxy servers, but isn't that intended for servers behind the same IP?
Anyway, today I had a breakthrough. However, I have not yet been able to look at it more closely.
I have been working through all this for over two weeks now. Been through my rules and switches with a fine tooth comb at least a dozen times.
Today Comcast Business had a service outage in the area that lasted 3-4 hours. I left the office to go and do work at client locations.
Well after Comcast restored service all of a sudden the server I could not access from the WAN was suddenly accessible!
When I return to the office later today I am going to have a closer look. The other servers I have moved into the DMZ so I'm going to move them back out of the DMZ and hopefully the issue is resolved. I hate having to resort to DMZ!