Re: Need TCP-IP guru advice - 2 networks, 1 firewall -- MIDRANGE-L

Tom,

Poorly drawn example. What it is supposed to represent is a ring (token ring) with a firewall participating as a part of the ring. It is hard to draw circles with straight lines. On the other side of the firewall is only a DSL modem and my ISP.

I have 2 rings, each with a card in the same AS/400.

Ring 1 has a network address of 172.24.***.*** with the AS/400 card being 172.24.1.1 and the firewall being 172.24.1.10. The PCs on the same ring have address in the range of 172.24.***.***. The PCs on that ring and the AS/400 have a default route (gateway?) of 172.24.1.10 to point to the firewall, and all of them (so far) can see the firewall and access the internet.

Ring 2 has a network address of 172.22.***.*** with the AS/400 Token Ring NIC having an address of 172.22.1.1, and the PCs having addresses of 172.22.***.***. My PC has an address of 172.22.20.4 (I believe). I some times get a response from the 172.24.1.1 address on the AS/400, but all other address on that network are not responding.

All PCs have Win 2K installed. AS/400 has V5R2 installed.

We recently went from 4 Token Ring NIC in the AS/400 cards to 2. Their addresses were 172.21.1.1, 172.22.1.1, 172.23.1.1, and 172.24.1.1. I believe the attempt was to reduce the length of cable the rings would have to travel, and spread traffic out over 4 connections. We have old wiring (pre-cat 3 twisted pair) in our building. We upgraded from a 720 to an 810 last fall, and from V4R5 to V5R1 to V5R2. A some point in all of these changes, I lost the ability to ping to a PC on a different network. It seems to me that passive routing using the AS/400 never worked extremely well, because transferring files from 1 PC to another between networks was slow, and sometimes lost connection in the middle of a transfer. We saved time by moving big files up to the IFS, then downloading them to the other PC.

So the short answer is, no, this physical network was not in place prior to V5. It's just that when I was helping with the configuration prior to V5, there were different prompts and ways to configure TCP-IP. I was confused before, and when IBM changes (I believe for the better?!) I get lost and have to start all over again. I am not a network person, just a 1 (& 1/2) man COBOL shop, and I have to wear a lot of hats.

I have not used traceroutes before,and so had no clue that it existed. How do I use it and what does it tell me?

Thanks for your response. It helps me get closer to understanding this beast! I still think that communications is 90% smoke and mirrors!!

Jim.

At 10:03 PM 5/23/2003 -0700, Tom wrote:

Jim:

I'm not totally clear about your diagram. It looks like you're showing PCs on both sides of your firewall. Does that mean you have _3_ subnets? I mean, sure, the firewall has two sides, but what's the third subnet set as?

Anyway, two other questions... Was the same physical network working fine before V5 on the AS/400? If upgrading OS/400 started the trouble, then you can probably ignore routes on your various PCs or the firewall. Those should all already be set. Maybe the firewall has changed, but start at the AS/400.

Now, have you tried traceroutes from various PCs to the points you want them to reach? Just see where it tells you that routes are actually leading. Go to PCs on each segment and traceroute to PCs on the other segments. Problem configuration points should be obvious.

Tom Liotta

midrange-l-request@xxxxxxxxxxxx wrote:

RE: Need TCP-IP guru advice - 2 networks, 1 firewall

I seem to remember at V4R5 that I was able to set data gram forwarding by line, and able to use the AS/400 as a passive router. I have lost that ability, though I don't know how or why.

Topology looks something like this:

----------------- | | | AS/400 | TR Card 1 (172.24.1.1) --> PC's --> Firewall (172.24.1.10) --> More PCs | | | | TR card 2 (172.22.1.1) -------> PC's (172.22.***.***) ------------------