Solved: How was the user's original problem resolved?

March 26, 2018 at 14:20:04
Specs: Windows 10 and Linux

I have the same problem in March 2018 and would benefit greatly from concrete answers and/or recommendations on the other user's issue (same as mine).




#1
March 26, 2018 at 14:22:17
Are we supposed to guess what issue you're referring to?


#2
March 26, 2018 at 14:22:49
This is the other user's original problem (please excuse me for re-printing it here...)

Hello All,

My new employer has asked me to determine any issues that could be causing performance issues on our LAN. The network has two subnets and one of the first things that I noticed is that I cannot ping computers on subnet A from subnet B. I've looked into this and found a few things.

-I CANNOT traceroute to computers on subnet B from subnet A

-I CAN NMAP to computers on subnet B from subnet A

-Computers on subnet A CAN ping other computers on subnet A and computers on subnet B CAN ping other computers on subnet B

-Computers on subnet A CAN ping and access servers on subnet B

I am relatively new to networking and not exactly sure where to start investigating this problem. Any help would be greatly appreciated. Thank you!



#3
March 26, 2018 at 14:23:45
No Sir... my mistake. I just jumped the gun.


#4
March 26, 2018 at 14:30:12
Do you have the link to the original post here - where you saw the problem discussed?

If so, copy and paste that link here.



#5
March 26, 2018 at 14:41:52


#6
March 26, 2018 at 18:56:49
Thank you all so far. Now here is my specific situation.

I have two (2) sub-nets and these are the characteristics

SUBNET 1:
=========
A separate Netgear Router
IP range: 192.168.0.0-255
Cable Modem attached for Spectrum/Brighthouse Internet access
A Windows10 PC with static IP assigned (192.168.0.2)
For my Apache and DNS servers, a fixed external IP with these parameters: the external IP is 50.x.x.x, and the DNS IPs are 75.x.x.x, 75.y.y.y

SUBNET 2:
=========
A separate Netgear Router
IP range: 10.21.31.0-255
A PC running the Debian OS ver 9+.
The DNS server and Apache web server are installed and configured here

Connection between subnets 1 and 2
==================================
A physical cat5 cable which is attached to the WAN port of subnet 2 and a LAN port on subnet 1

What Works
==========
1. Computer attached to Subnet 2 (ip=10.21.31.5) can access the Demo website locally by typing 10.21.31.5 into any browser; not by domain name as yet.
2. I can ping 192.168.0.1 from Subnet 2. 192.168.0.1 is the network IP for Subnet 1.
3. I can also ping 192.168.0.154... This is the ip address that has been assigned as the connecting glue for subnet 1 and subnet 2. I can ping this ip from the subnet 2 windows pc, 10.21.31.3, and from the Linux server, 10.21.31.5

What is not working
===================

1. Subnet 1 (192.168.0.x) totally cannot ping subnet 2 (10.21.31.0-255) or any of its attached computers
2. I cannot access the Demo website on the subnet 2 Linux server from subnet 1 (192.168.etc.etc)

I have a basic IP table in place and I will provide its content if it is needed

What I must accomplish
=========================
1. To access the Demo webpage from subnet 1 (192.168.0.2). It is already accessible from subnet 2 where it is located.
2. Most importantly (and ultimately), I want to be able to access the webpage from the internet.


Note: Prior to restructuring the setup as two (2) subnets, everything worked reasonably well as a solitary network.

Your assistance will be greatly appreciated. All additional info will be provided as requested. There is some redundancy here but I am striving for clarity.
Thanks



#7
March 27, 2018 at 06:45:32
✔ Best Answer
I have to ask you here and now, why are you putting this web site behind two firewalls? This makes no sense. Applying the KISS principle, your web site should be either in a DMZ, or in subnet 1. If in subnet one, all you have to do is create a single port forward on port 80. If you put it behind a second router then you need a port forward on both routers. On router 1 the forward points port 80 to the WAN IP of router 2. On router 2, it would then point to the IP of the web server.

The extra complexity just makes everything more difficult to configure, manage, maintain and troubleshoot.

Most SOHO routers come with a DMZ capability. I would enable that, put the web site in the DMZ, forget about subnet 2 and router 2

Note: Prior to restructuring the setup as two (2) subnets, everything worked reasonably well as a solitary network

Exactly my point about keeping it simple. It worked until you made it more complex, now it doesn't work.

It can be done... but the main question is, "Is it necessary?" If you have a good reason for burying your web site 2 hops away from your external interface it can be done. But putting it in the DMZ means no hops and fully accessible from external as well as internal.

From what I'm seeing your issue is a layer 3 issue. You don't have a static route on router 2 going from subnet 1 to subnet 2. Once you create one, then devices in subnet 1 should be able to talk to devices in subnet 2. But again, I can't stress enough the fact that this is completely over complicating a fairly simple setup.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


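The two-hop port forward and the missing static route described in the answer above, worked as a small model (an added example, not anything posted in this thread). It uses the addresses the thread gives; 50.0.0.1 stands in for the masked 50.x.x.x, and it assumes each router the packet crosses needs a route for 10.21.31.0/24 via router 2's WAN address 192.168.0.154.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses are the ones posted;
# 50.0.0.1 stands in for the masked public address 50.x.x.x.
PUBLIC_IP = "50.0.0.1"
R2_WAN_IP = "192.168.0.154"   # router 2's WAN port, plugged into a LAN port of router 1
SERVER_IP = "10.21.31.5"      # Debian box running Apache in subnet 2

# Routing tables: (prefix, next hop). "direct" = deliver on a connected interface.
ROUTER1_ROUTES = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "isp")]
ROUTER1_FIXED = ROUTER1_ROUTES + [("10.21.31.0/24", R2_WAN_IP)]  # static route added
ROUTER2_ROUTES = [("10.21.31.0/24", "direct"), ("192.168.0.0/24", "direct"),
                  ("0.0.0.0/0", "192.168.0.1")]

def next_hop(routes, dst):
    """Longest-prefix match over a routing table; returns the chosen next hop."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def subnet1_to_server(router1_routes, dst=SERVER_IP):
    """Trace a packet from a subnet 1 host: it goes to its gateway (router 1) first,
    and only reaches the server if router 1 hands it to router 2, which delivers directly."""
    hop = next_hop(router1_routes, dst)
    if hop != R2_WAN_IP:
        return ["router1", hop]            # e.g. ['router1', 'isp']: dropped upstream
    return ["router1", "router2", next_hop(ROUTER2_ROUTES, dst)]

# Port forwards as the answer describes: router 1 -> router 2's WAN IP, router 2 -> server.
ROUTER1_FORWARDS = {(PUBLIC_IP, 80): (R2_WAN_IP, 80)}
ROUTER2_FORWARDS = {(R2_WAN_IP, 80): (SERVER_IP, 80)}

def inbound_path(dst_ip, dst_port, *routers):
    """Walk an inbound connection through each router's DNAT table in turn.
    Returns the address the packet carries after each hop, or None as soon
    as a router has no forward for the address it received."""
    path = [(dst_ip, dst_port)]
    for forwards in routers:
        target = forwards.get((dst_ip, dst_port))
        if target is None:
            return None
        dst_ip, dst_port = target
        path.append(target)
    return path

if __name__ == "__main__":
    print(subnet1_to_server(ROUTER1_ROUTES))   # ['router1', 'isp']
    print(subnet1_to_server(ROUTER1_FIXED))    # ['router1', 'router2', 'direct']
    print(inbound_path(PUBLIC_IP, 80, ROUTER1_FORWARDS, ROUTER2_FORWARDS))
    print(inbound_path(PUBLIC_IP, 80, ROUTER1_FORWARDS, {}))   # None: second hop missing
```

Putting the server in router 1's DMZ collapses the second table to a single forward, which is the simplification the answer recommends.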

#8
March 27, 2018 at 07:21:16
Thank you, Curtis, for the clarification and suggestions. The reasoning behind the unintentionally complicated structure is that I ultimately want to install OpenVPN and to bury it as deep as possible without nullifying its functionality. I guess I incorrectly assumed that the subnet route was the best approach. My thinking habit is that simple solutions are usually very porous, allowing for easy infiltration from troublemakers, and secondly, it stops the learning process. I should admit that I am learning this stuff "on-the-fly". What I learned, however, is that 8 weeks of relentless hair-pulling is 8 weeks that I could have been playing with the grandkids. Your response is a good one, so now, it is back to the planning board or restructuring board. Thanks.


#9
March 27, 2018 at 14:38:38
LOL - I hear you! Sometimes we learn best when we break something or try to do something complicated. Lord knows, I've learned a lot by breaking things!

Sometimes the simplest solutions are also the safest. Or more typically, the easiest to harden and make safer. Check into the DMZ idea. It may provide the security you desire while keeping it simple for you to configure and administer.

VPNs, good ones anyway, provide their own security measures to prevent intrusion and, in general, being hacked. I've never worked with OpenVPN (we use Juniper here at my workplace) but if it's good, then you don't need it buried deep. Anywhere behind your first firewall (router) is going to be as safe as behind 10 or 20 or more. It's just that if you put it behind your first firewall, it's a lot simpler than if you bury it deep behind several firewalls.

Go spend some time with your grandkids (wish I could spend more time with mine but I'm in Canada and they're all in the US) and relax and unwind and come back and have another kick at it when your head's clear and you're relaxed! If I've helped, and I hope that I have, it's been my pleasure!

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#10
March 27, 2018 at 15:11:42
Great advice! Thanks for your time and your excellent counsel.

Now - I will go and prepare for our house-guests who are expected to arrive here in Florida on Friday afternoon. I will let you know how things turn out when I return to the project in earnest at the conclusion of their 7-days of Florida Sunshine. Take care!



#11
March 27, 2018 at 15:25:09
You still get sunshine in Florida? I thought it was all hurricanes, high humidity and thunder bumpers nowadays...
