Home » Kerio User Forums » Kerio Control » VLAN & Web Server Issues
gskibum
Hello. I am having two problems with internal web servers and VLANs.

Here is a description of the existing infrastructure:

Business cable modem with a block of static IPs. These IPs are for example only and are not my current set, just an outdated set from an old block I was once assigned.
23.31.118.113
23.31.118.114
23.31.118.115
23.31.118.116
23.31.118.117
etc...
Kerio WAN interface is configured with these IP addresses.

LAN has 3 VLANS:
10.0.0.0 VLAN 1
10.20.30.0 VLAN 2
172.16.32.0 VLAN 3

Cisco SG-300 is in L3 mode and has IPs:
10.0.0.4
10.20.30.4
172.16.32.4

The two issues I am having:

1. Server-host on VLAN 1 uses 10.0.0.4 as the router, and its DHCP server is handing out 10.0.0.4 as the router to clients. This is working as expected for both the server and the clients.

Inside the VLAN 1 network I am running several web servers, each of which has a unique public IP. All servers assigned to the main 23.31.118.113 IP work normally, being reachable from inside the LAN, across VLANs and from the WAN. These servers run on ports 80, 443 and 8443.

However, the servers that are running on the other IP addresses are not reachable from the WAN, while they are reachable via the LAN and across VLANs.

For example, a server on 23.31.118.113 at https://my-server1.mydomain.com:8443 works as expected, while a server on 23.31.118.114 at https://my-server2.mydomain.com:8443 is not reachable from the WAN, while it is reachable via the LAN and across VLANs. This isn't a DNS issue because accessing the servers by IP produces the same result.

I have traffic rules:

Name - my-server1.mydomain.com.
Source - any.
Destination - 23.31.118.113 and my-server1.mydomain.com
Service 8443
IPV4
Allow
MAP 10.0.0.37
This works.

Name - my-server2.mydomain.com.
Source - any.
Destination - 23.31.118.114 and my-server2.mydomain.com
Service 8443
IPV4
Allow
MAP 10.0.0.190
This does not work.

I am at a loss for how to get these web servers working from the WAN. Any feedback will be appreciated!

2. Now the second issue:

The main server-host on VLAN2 10.20.30.0 has the IP of 10.20.30.2.

When I used 10.20.30.1 as the router I had WAN access but no access to services across VLANs. When I used 10.20.30.4 as the router the effect was the reverse.

So I created the static route 10.20.30.0 - 255.255.255.252 - 10.0.0.4 - Ethernet LAN. I then set 10.20.30.4 as the router. This permits the server at 10.20.30.2 to access internal and external resources.

However, I configured the DHCP service on this server to issue 10.20.30.4 to clients on the VLAN 2 network. With this they can access internal resources across VLANs but not external resources on the WAN.

Similar to the server examples above, there is a Kerio Connect mail server running on this VLAN 2 with IP 10.20.30.10. It is reachable from the LAN & across VLANs, but not the WAN.

I have the traffic rules:

Name - Kerio Mail
Source - Internet Interfaces
Destination - Its Public IP
Services - DNS, HTTP, HTTPS, IMAP, IMAPS, Kerio Connect Web Admin, SMTP, SMTPS.
IPV4
Allow
MAP 10.20.30.10

Name - Kerio Mail Out
Source - 10.20.30.10
Destination - Any
Services - DNS, SMTP, SMTP Message Submission, SMTPS.
Allow
MAP - Public IP

Thank you for any suggestions that may or may not solve this!

[Updated on: Sun, 18 January 2015 21:12]
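The post describes DNAT rules (public IP and port mapped to an internal host) where one mapping works from everywhere and another works only from the LAN. The script below is an added example, not code from the post or from Kerio: it takes the mapping rules as triples, probes the public endpoints from a WAN vantage point and the internal endpoints from a LAN vantage point, and combines the two results into a verdict that separates a broken WAN-side path from a service that is simply down. The rule list uses the addresses from the post; the connect function is injectable so the logic can be exercised without a network.

```python
"""Reachability matrix for services published through DNAT rules.

Added example (not from the forum post or Kerio). Run probe() for the
public endpoints from a host outside the firewall and for the internal
endpoints from a host inside the LAN, then feed both result sets to
diagnose() to see, per rule, which side of the mapping fails.
"""
import socket
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, int, str]            # (public_ip, port, internal_ip)
Endpoint = Tuple[str, int]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(endpoints: List[Endpoint],
          connect: Callable[[str, int], bool] = tcp_connect) -> Dict[Endpoint, bool]:
    """Probe every endpoint once from the current vantage point."""
    return {(host, port): connect(host, port) for host, port in endpoints}


def classify(public_ok: bool, internal_ok: bool) -> str:
    """Map the WAN-side and LAN-side results to the layer most likely at fault."""
    if public_ok and internal_ok:
        return "ok"
    if internal_ok:          # service answers directly, so NAT/upstream path is broken
        return "wan-path"
    if public_ok:            # DNAT works but the LAN probe failed: check VLAN routing/ACLs
        return "lan-path"
    return "service-down"


def diagnose(rules: List[Rule], wan: Dict[Endpoint, bool],
             lan: Dict[Endpoint, bool]) -> Dict[str, str]:
    """Combine WAN-side and LAN-side probe results per DNAT rule."""
    verdicts = {}
    for public_ip, port, internal_ip in rules:
        key = f"{public_ip}:{port}->{internal_ip}:{port}"
        verdicts[key] = classify(wan.get((public_ip, port), False),
                                 lan.get((internal_ip, port), False))
    return verdicts


# DNAT rules as listed in the post (example addresses from the post itself)
RULES: List[Rule] = [
    ("23.31.118.113", 8443, "10.0.0.37"),    # my-server1, works from the WAN
    ("23.31.118.114", 8443, "10.0.0.190"),   # my-server2, unreachable from the WAN
]
```

Probing the public IPs from inside the LAN exercises the firewall's hairpin path, not the upstream one, so the WAN-side probe must come from a host outside the cable modem to reproduce what the post observes.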

gskibum
Thank you. I had considered proxy servers, but isn't that intended for servers behind the same IP?

Anyway, today I had a breakthrough. However, I have not yet been able to look at it more closely.

I have been working through all this for over two weeks now. Been through my rules and switches with a fine tooth comb at least a dozen times.

Today Comcast Business had a service outage in the area that lasted 3-4 hours. I left the office to go and do work at client locations.

Well, after Comcast restored service, all of a sudden the server I could not access from the WAN was accessible!

When I return to the office later today I am going to have a closer look. The other servers I have moved into the DMZ so I'm going to move them back out of the DMZ and hopefully the issue is resolved. I hate having to resort to DMZ!