Hello. I am having two problems with internal web servers and VLANs.
Here is a description of the existing infrastructure:
Business cable modem with a block of static IPs. These IPs are for example only and are not my current set, just an outdated set from an old block I was once assigned.
Kerio WAN interface is configured with these IP addresses.
LAN has 3 VLANS:
10.0.0.0 VLAN 1
10.20.30.0 VLAN 2
172.16.32.0 VLAN 3
Cisco SG-300 is in L3 mode and has IPs:
The two issues I am having:
1. Server-host on VLAN 1 uses 10.0.0.4 as the router, and its DHCP server is handing out 10.0.0.4 as the router to clients. This is working as expected for both the server and the clients.
Inside the VLAN 1 network I am running several web servers, each of which has a unique public IP. All servers assigned to the main 18.104.22.168 IP work normally, being reachable from inside the LAN, across VLANs and from the WAN. These servers run on ports 80, 443 and 8443.
However the servers that are running on the other IP addresses are not reachable from the WAN, while they are reachable via the LAN and across VLANs.
Destination - 22.214.171.124 and my-server1.mydomain.com
Name - my-server2.mydomain.com.
Source - any.
Destination - 126.96.36.199 and my-server1.mydomain.com
This does not work.
I am at a loss for how to get these web servers working from the WAN. Any feedback will be appreciated!
2. Now the second issue:
The main server-host on VLAN2 10.20.30.0 has the IP of 10.20.30.2.
When I used 10.20.30.1 as the router I had WAN access but no access to services across VLANs. When I used 10.20.30.4 as the router the effect was the reverse.
So I created the static route 10.20.30.0 - 255.255.255.252 - 10.0.0.4 - Ethernet LAN. I then set 10.20.30.4 as the router. This permits the server at 10.20.30.2 to access internal and external resources.
However I configured the DHCP service on this server to issue 10.20.30.4 to clients on the VLAN 2 network. With this they can access internal resources across VLANs but not external resources on the WAN. So the server at 10.20.30.2 works properly with 10.20.30.4 as the router, but clients do not.
Similar to the server examples above, there is a Kerio Connect mail server running on this VLAN 2 with IP 10.20.30.10. It is reachable from the LAN & across VLANs, but not the WAN.
Item 1 - While I'm not sure about the Kerio device (there is probably a forum for that, though), I would suggest verifying all the pieces.
- Are the default gateways on the servers pointing to the Kerio device?
- Do the IP addresses work inbound if you move the WAN port of the Kerio to the address you are trying to connect to? If not, check the routing and subnetting from your cable provider.
- Verify with Kerio support that your one-to-one NAT statements are correct.
- I have seen ARP entries get stuck in one-to-one NAT configs. You might reboot the Kerio and the upstream cable router to clear their ARP tables.
Just at a quick glance, I see the DNS name for this server seems incorrect. It has the same DNS name as the other IP. That may just be a typo, but please verify:
Name - my-server2.mydomain.com. Source - any. Destination - 188.8.131.52 and my-server1.mydomain.com
When you are putting a router behind another router (SG300 behind the Kerio firewall) there are a few configuration items that are needed to make it work.
Best practice is to have a single router (or VRRP pair) leading off each subnet. This prevents asymmetric routing, where a session-aware firewall sees only one side of a session and drops it.
The easiest way to do this is to set up a separate network segment for the link between the L3 switch and the firewall; that way there are no clients at all connected directly to the firewall segment.
1 - The SG300 needs to have a default gateway pointing towards the internet.
2 - The clients, servers, NAS, appliances, etc. need to have a default gateway pointing to the same local router (either the switch, if it is doing local routing, or the firewall, BUT NOT SOME TO ONE AND SOME TO THE OTHER).
3 - The firewall (Kerio) needs to have routes pointing to the networks that are behind the switch. This will allow the return traffic from the internet to make it back to the clients and servers.
4, 5, 6 - The firewall may also need: NAT statements (Cisco ASA), multiple subnets added to the local trusted network zone (RV0xx and ISA), access rules allowing traffic outbound, and possibly other configuration items.
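To illustrate the asymmetric-routing failure the reply above describes, here is an added example; it is not from either poster and is not Kerio or Cisco code, just a small Python model of the router-behind-router topology. It assumes the Kerio's VLAN 1 address is 10.0.0.1 and its WAN address is 203.0.113.1, that a DHCP client is 10.20.30.50, a VLAN 1 host is 10.0.0.10 and an internet host is 198.51.100.10 (all constructed; only 10.0.0.4, 10.20.30.4, 10.20.30.1, 10.20.30.2 and the 255.255.255.252 static route come from the thread). It also models the firewall as a stateful device that drops a reply which would leave on a different interface than the request arrived on, which is common session-aware firewall behaviour but not something the thread confirms for Kerio. Under those assumptions it reproduces the symptom in the first post: a 255.255.255.252 mask covers only 10.20.30.0 through 10.20.30.3, so the server at 10.20.30.2 gets a symmetric return path through the switch while a client outside that range does not. Routing the whole 10.20.30.0/24 via the switch, with no firewall leg in VLAN 2, makes both work.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route entry: (prefix, next-hop IP or None when directly connected, egress interface)
Route = Tuple[str, Optional[str], str]


class Node:
    """Host or router. A stateful node models a session-aware firewall that refuses
    replies leaving on a different interface than the request arrived on (assumption)."""

    def __init__(self, name: str, addrs: Dict[str, str], routes: List[Route], stateful: bool = False):
        self.name = name
        self.addrs = addrs                                  # interface -> IP address
        self.routes = routes
        self.stateful = stateful
        self.sessions: Dict[Tuple[str, str], str] = {}      # (src, dst) -> ingress interface

    def lookup(self, dst: str) -> Optional[Tuple[Optional[str], str]]:
        """Longest-prefix match: returns (next_hop, interface), or None without a route."""
        dst_ip = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])


class Network:
    def __init__(self, nodes: List[Node]):
        # Which node owns each IP, and on which interface, so packets can be handed to the next hop.
        self.owner: Dict[str, Tuple[Node, str]] = {
            ip: (n, iface) for n in nodes for iface, ip in n.addrs.items()}

    def send(self, src: str, dst: str, max_hops: int = 8) -> Tuple[bool, List[str]]:
        """Forward one packet hop by hop; returns (delivered, trace of node names / drop reason)."""
        node, iface = self.owner[src]
        trace = [node.name]
        for _ in range(max_hops):
            if dst in node.addrs.values():
                return True, trace
            route = node.lookup(dst)
            if route is None:
                return False, trace + ["no route"]
            next_hop, egress = route
            if node.stateful:
                if (dst, src) in node.sessions:              # reply to a tracked session
                    if node.sessions[(dst, src)] != egress:
                        return False, trace + [f"dropped: in {node.sessions[(dst, src)]}, out {egress}"]
                else:
                    node.sessions[(src, dst)] = iface        # new session: remember ingress interface
            hop_ip = next_hop if next_hop is not None else dst
            if hop_ip not in self.owner:
                return False, trace + [f"unreachable {hop_ip}"]
            node, iface = self.owner[hop_ip]
            trace.append(node.name)
        return False, trace + ["hop limit"]


def round_trip(net: Network, a: str, b: str) -> bool:
    """True only if a packet a->b is delivered and the reply b->a gets back."""
    return net.send(a, b)[0] and net.send(b, a)[0]


def build(kerio_addrs: Dict[str, str], kerio_routes: List[Route]) -> Network:
    gw = "10.20.30.4"   # router the DHCP server hands out on VLAN 2 (from the thread)
    return Network([
        Node("kerio", kerio_addrs, kerio_routes, stateful=True),
        Node("sg300", {"vlan1": "10.0.0.4", "vlan2": "10.20.30.4"},
             [("10.0.0.0/24", None, "vlan1"), ("10.20.30.0/24", None, "vlan2"),
              ("0.0.0.0/0", "10.0.0.1", "vlan1")]),          # step 1: default route toward the firewall
        Node("client", {"eth0": "10.20.30.50"},                # constructed DHCP client
             [("10.20.30.0/24", None, "eth0"), ("0.0.0.0/0", gw, "eth0")]),
        Node("server", {"eth0": "10.20.30.2"},                 # server-host from the thread
             [("10.20.30.0/24", None, "eth0"), ("0.0.0.0/0", gw, "eth0")]),
        Node("web", {"eth0": "10.0.0.10"},                     # constructed VLAN 1 host
             [("10.0.0.0/24", None, "eth0"), ("0.0.0.0/0", "10.0.0.4", "eth0")]),
        Node("remote", {"eth0": "198.51.100.10"},              # constructed internet host
             [("0.0.0.0/0", "203.0.113.1", "eth0")]),
    ])


def run(kerio_addrs: Dict[str, str], kerio_routes: List[Route]) -> Dict[str, bool]:
    net = build(kerio_addrs, kerio_routes)
    return {"client_wan": round_trip(net, "10.20.30.50", "198.51.100.10"),
            "server_wan": round_trip(net, "10.20.30.2", "198.51.100.10"),
            "client_vlan1": round_trip(net, "10.20.30.50", "10.0.0.10")}


def scenario_as_posted() -> Dict[str, bool]:
    """Firewall has its own leg in VLAN 2 plus the /30 static route from the first post."""
    return run({"vlan1": "10.0.0.1", "vlan2": "10.20.30.1", "wan": "203.0.113.1"},
               [("10.0.0.0/24", None, "vlan1"), ("10.20.30.0/24", None, "vlan2"),
                ("10.20.30.0/30", "10.0.0.4", "vlan1"),        # 255.255.255.252: matches .0-.3 only
                ("0.0.0.0/0", None, "wan")])


def scenario_recommended() -> Dict[str, bool]:
    """One router per subnet: the firewall reaches all of VLAN 2 through the switch (step 3)."""
    return run({"vlan1": "10.0.0.1", "wan": "203.0.113.1"},
               [("10.0.0.0/24", None, "vlan1"), ("10.20.30.0/24", "10.0.0.4", "vlan1"),
                ("0.0.0.0/0", None, "wan")])


if __name__ == "__main__":
    print("as posted:  ", scenario_as_posted())
    print("recommended:", scenario_recommended())
```

Running it prints the as-posted scenario with client_wan False and server_wan True, and the recommended layout with all three True; the trace returned by Network.send shows the exact hop where the firewall drops the reply, which is the check to reproduce on the real devices with a packet capture on each Kerio interface.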