In short yes...

IP works like this...
#1The destination IP address is compared with source IP and its network mask
in your case 172.17.26.48 and 255.255.255.0 and 10.10.10.25. #2 Since 10.10.10.x isn't the same as 172.17.26.x it sends the packet to it's
gateway at 172.17.26.y
#3 That gateway device sends it along its way to the 10.10.10.x network
#4 At the router that connects to the 10.10.10.x it looks up where 10.10.10.54 is
and send it directly to it (bypassing the 400)


Now your 1st config with both on 10.10.10.x
#1 It compares the source address 10.10.10.x with the source 10.10.10.x
#2 It matched and sends the packet directly to the 10.10.10.84 not going thru the 400 again.


The reason it worked when everything was on the 400, was the 400 had control of the both addresses
where it does it in the 2 other cases above.


Clear as mud?



Steve McKay wrote:

Kirk -

Thanks for your help.

Yes, the netmask for both is 255.255.255.0.  Since I am in a departmental IT
group, I have no control over the corporate network topology - IOW, I have
no ability or authority to change subnets or reassign default gateways.

We have another test system which is on a separate segment (IP addr
172.17.26.48). I tried using it as the front-end, pointed to 10.10.18.54
but got the same results. Is this due to your
statement -


If you decide to change the network address to 10.10.19.x then ALL devices
in the 10.10.18.x network must have their default gateways pointing to the
400 at 10.10.18.25.


????

Thanks,

Steve



<kirkg@xxxxxxxxxxxxx> wrote in message
news:OF5BCA95B8.F4798FC5-ON88256DFF.0051B683-88256DFF.00546D7B@xxxxxxxxxxxxxxxx


I think your problem is in the basics of how IP works. Without seeing the
netmask, I'm betting both of these IPs are most likely subnet,
255.255.255.0. If that is true, then no routing or filtering can take
place the way you want.

Think of it has everyone on 10.10.18.x being on a party line, everyone
here's everyone else. You tell George(10.10.18.25) to not let
John(10.10.18.54) hear or say something. For your filtering to work a few
things must happen. These must be thought out before you start actually
doing any of this since I don't anything about your network.

Logically you must seperate 10.10.18.25 and .54 on to seperate networks.

If the number of devices are small you could change the netmask to say
255.255.255.224. This would create  8 32 address networks
1-31, 32-63, 64-95 etc. If you need more than that then you will need to
change the subnet itself to say 10.10.19.x for the .54 address.

If you decide to change the network address to 10.10.19.x then ALL devices
in the 10.10.18.x network must have their default gateways pointing to the
400 at 10.10.18.25.

There is more to this than above but's it's the basics. The main thing is
the packets can't have a way around whatever is filtering. To get from .25
to .54 and get filtered, they must be on different networks.


_____________________ Kirk Goins CCNA Systems Engineer, Manage Inc. IBM Certified iSeries Solutions Expert IBM Certified iSeries e-Business Infrastructure IBM Certified Designing IBM e-business Solutions Office 503-353-1721 x106 Cell 503-577-9519 kirkg@xxxxxxxxxxxxx www.manageinc.com



"Steve McKay" <steve.mckay@xxxxxxxxxxxxxx>
Sent by: web400-bounces@xxxxxxxxxxxx
12/17/2003 06:19 AM
Please respond to
Web Enabling the AS400 / iSeries


<web400@xxxxxxxxxxxx>


To
web400@xxxxxxxxxxxx
cc

Subject
[WEB400] Re: IP filtering






Further information -


If 10.10.18.25 and 10.10.18.54 are both defined interfaces on a single
iSeries, the filter rules work fine.  Unfortunately, this is not what I
need
to do - I need to use one system as a "traffic cop" to redirect requests
to
a second system.

If 10.10.18.25 and 10.10.18.54 are on separate systems, the same filter
rules as above do not work.  I can only conclude that, when the IP filter
rules change the IP address in the packet, the packet does not get put
back
out on the network.

Can anyone confirm or deny this?

Thanks,

Steve
"Steve McKay" <steve.mckay@xxxxxxxxxxxxxx> wrote


in


message news:brdbpp$mr$1@xxxxxxxxxxxxxxxx


Greetings list!

I am attempting to forward HTTP requests from one iSeries Apache


webserver


to another on a private network (not VPN, just a non-Internet Ethernet
network).  I have created the following IP packet rules:

ADDRESS frontend IP = 10.10.18.25 TYPE = BORDER
ADDRESS backend IP = 10.10.18.54 TYPE = TRUSTED
HIDE backend:80 BEHIND frontend:80 TIMEOUT = 16 MAXCON = 512 JRN


=


OFF

When I activate the rules and point the browser to 10.10.18.25, I get a
"Cannot find server or DNS error" message but if I go directly to
10.10.18.54, I get the expected website.

Any ideas?



_______________________________________________
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.





_______________________________________________ This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/web400 or email: WEB400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/web400.


_______________________________________________ This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/web400 or email: WEB400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/web400.







_______________________________________________ This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/web400 or email: WEB400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/web400.




--
Kirk Goins CCNA
Systems Engineer, Manage Inc.
IBM Certified iSeries Solutions Expert
IBM Certified iSeries e-Business Infrastructure
IBM Certified Designing IBM e-business Solutions Office 503-353-1721 x106 Cell 503-577-9519
kirkg@xxxxxxxxxxxxx www.manageinc.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.