
UTM 9 cant reach servers in local net

Hello!

So, UTM 9 can't reach servers in the local network from the UTM itself, as I said.

The UTM has a local interface 10.255.200.10. The server is 10.255.197.108. The firewall on the server is turned off.

I can ping the UTM local interface, but I cannot ping the server IP.

Traceroute from UTM:

traceroute to 10.255.197.108 (10.255.197.108), 30 hops max, 40 byte packets using UDP
 1  astaro.domain.com (UTM outside interface)(H!)  2997.048 ms (H!)  2995.811 ms (H!)  2994.614 ms

UTM is trying to reach this server using outside interface.

Routing table:

astaro:/root # ip route show table all
default via "ISP gateway" dev eth0  table 200  proto kernel onlink
local default dev lo  table 252  scope host
default via "ISP gateway" dev eth0  table default  proto kernel  metric 20 onlink
10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
"ISP network" dev eth0  proto kernel  scope link  src "UTM outside interface"
127.0.0.0/8 dev lo  scope link
broadcast 10.255.200.8 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
local 10.255.200.10 dev eth1  table local  proto kernel  scope host  src 10.255.200.10
broadcast 10.255.200.15 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
local "UTM outside interface" dev eth0  table local  proto kernel  scope host  src "UTM outside interface"
broadcast *.*.*.* dev eth0  table local  proto kernel  scope link  src "UTM outside interface"
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto none  metric 0
unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101

  • The UTM must have an IP address in the server's network 10.255.197.0

    It is normal for the UTM to route through the ISP because the WAN IP is the default gateway

  • Thank you for answer!

    "Utm must have an IP Address in servers network 10.255.197.0"

    Added a third interface in the server subnet (10.255.197.250 255.255.255.0). No luck, still can't ping the server.

    astaro:/root # traceroute 10.255.197.108
    traceroute to 10.255.197.108 (10.255.197.108), 30 hops max, 40 byte packets using UDP
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    astaro:/root # ip route show table all | grep 197

    10.255.197.0/24 dev eth2  proto kernel  scope link  src 10.255.197.250
    broadcast 10.255.197.0 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    local 10.255.197.250 dev eth2  table local  proto kernel  scope host  src 10.255.197.250
    broadcast 10.255.197.255 dev eth2  table local  proto kernel  scope link  src 10.255.197.250

  • Added a second interface on the server side (10.255.200.12), in the 10.255.200.8/29 subnet. Nothing changed. I can see records in the ARP table, but the UTM still tries to reach 10.255.200.12 through the outside interface...

  • Can you draw a simple picture of how your UTM now looks (which interfaces, and which IP addresses and subnet masks) and where the server is connected?

    You don't use VLANs, do you?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Can you give another "ip route show table all"?

    In your first post there was an overlap between 10.255.0.0/16 and 10.255.200.8/29. Maybe that has now resolved because new interfaces have come into play.

  • Sure.

    default via "ISP gateway" dev eth0  table 200  proto kernel onlink
    local default dev lo  table 252  scope host
    default via "ISP gateway" dev eth0  table default  proto kernel  metric 20 onlink
    10.255.0.0/16 via 10.255.200.9 dev eth1  proto static  metric 5
    10.255.197.0/24 dev eth2  proto kernel  scope link  src 10.255.197.250
    10.255.200.8/29 dev eth1  proto kernel  scope link  src 10.255.200.10
    "ISP network" dev eth0  proto kernel  scope link  src "UTM outside interface"
    127.0.0.0/8 dev lo  scope link
    broadcast 10.255.197.0 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    local 10.255.197.250 dev eth2  table local  proto kernel  scope host  src 10.255.197.250
    broadcast 10.255.197.255 dev eth2  table local  proto kernel  scope link  src 10.255.197.250
    broadcast 10.255.200.8 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
    local 10.255.200.10 dev eth1  table local  proto kernel  scope host  src 10.255.200.10
    broadcast 10.255.200.15 dev eth1  table local  proto kernel  scope link  src 10.255.200.10
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101
    local ::1 dev lo  table local  proto none  metric 0
    unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101

  • There's still overlap in 10.255.0.0/16 via 10.255.200.9 (I don't see 10.255.200.9 in your diagram, what is this IP?)

    Overlap with 10.255.197.0/24 AND 10.255.200.8/29 (Both of these don't overlap each other but both are in 10.255.0.0/16).

    Maybe you have a static route 10.255.0.0 / 255.255.0.0 configured and "forgot" about it? Otherwise, where/what is 10.255.22.9 in your diagram?

    Could you also list the first 2 octets of your public interface (WAN) and its corresponding subnet mask?
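To see what the overlap in the posted routing table actually does, here is an added example (not from the thread) that runs a plain longest-prefix lookup over the main-table routes quoted above, both before and after eth2 was added, and lists which prefixes nest inside others. The tables are constructed from the posted `ip route` output; the policy tables 200/252/default and the local/broadcast entries are deliberately left out, so this models only the main-table decision.

```python
import ipaddress

# Constructed from the first "ip route show table all" in the thread (main table only).
FIRST_TABLE = [
    ("10.255.0.0/16", "eth1", "10.255.200.9"),  # static route towards the other router
    ("10.255.200.8/29", "eth1", None),          # connected on eth1
    ("127.0.0.0/8", "lo", None),
    ("0.0.0.0/0", "eth0", "ISP gateway"),       # default via ISP gateway (placeholder name)
]

# Constructed from the second listing, after the eth2 interface was added.
MAIN_TABLE = [
    ("10.255.0.0/16", "eth1", "10.255.200.9"),
    ("10.255.197.0/24", "eth2", None),          # connected on eth2
    ("10.255.200.8/29", "eth1", None),
    ("127.0.0.0/8", "lo", None),
    ("0.0.0.0/0", "eth0", "ISP gateway"),
]


def lookup(dst, table=MAIN_TABLE):
    """Longest-prefix match within one table, as the kernel does.

    Returns (prefix, device, gateway-or-None) for the most specific route
    that contains dst, or None when no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return None if best is None else (str(best[0]), best[1], best[2])


def overlaps(table):
    """List (inner, outer) pairs where inner is a strict subnet of outer.

    The default route is skipped since everything nests inside it.
    """
    nets = [ipaddress.ip_network(p) for p, _, _ in table if not p.endswith("/0")]
    pairs = [(str(a), str(b)) for a in nets for b in nets
             if a != b and a.subnet_of(b)]
    return sorted(pairs)


if __name__ == "__main__":
    for dst in ("10.255.197.108", "10.255.200.12", "10.255.22.9", "8.8.8.8"):
        print(dst, "before eth2:", lookup(dst, FIRST_TABLE), "after:", lookup(dst))
    print("nested prefixes:", overlaps(MAIN_TABLE))
```

In neither table does a main-table lookup pick eth0 for the server addresses (the /16 or the connected /24 and /29 always win over the default route), so the overlap alone does not explain the traceroute leaving via the outside interface; the policy tables that the listing also shows (table 200 with its own default via the ISP gateway) are selected by `ip rule`, which is what decides before the main table is consulted.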

  • 10.255.200.9 is another router; the network 10.255.0.0/16 lies behind it.

    None of these routes work for this server. I can send traffic from the server through the UTM with these routes, or ping the UTM, but I can't ping the server from the UTM, because it sends all traffic to the outside interface.

  • I'm not sure that it is because of the overlap in all those subnets, but this will definitely make for some headache in trying to determine which host can (or cannot) communicate with which other hosts. I also think it's strange that the UTM tries to go over the external interface, but what happens when you add another PC into the network?

    Also, now you have the server connected with 2 NICs in 2 different subnets, both connected to the same UTM. While this should work, it's really not necessary, as the UTM is perfectly capable of routing between those subnets.

    What you could try is to add another host into the 10.255.200.8/29 network (if there is not one already) and see if that is

    1) capable of pinging the server on 10.255.200.12
    2a) capable of pinging the server on 10.255.197.108 (while this probably needs to travel through the UTM, you need to make sure that under Network Protection -> ICMP you enable the traffic; ICMP traffic is handled there and not by firewall rules)
    2b) if pinging from 2a succeeds, do a traceroute from the same host to 10.255.197.108 to see how it routes there.

    Can the server reach the internet?
    The server will probably not be able to route to the 10.255.0.0/16 network.