Forum Discussion

Big IP as default Gateway
engtmk
Nimbostratus
Nov 11, 2007
I have a server that is configured with the BIG-IP as its default gateway,
but this server can't reach any network outside its own network,
so do we have to create routes on the LTM or something?
11 Replies
engtmk
Nimbostratus
Okay, let me be more specific:
I need to preserve the source IP. I have found a thread where you explained how to do this using either:
1) setting the BIG-IP as the default gateway
or through SNAT to a different subnet, which I couldn't understand. So if you please, explain how to preserve the source IP.

hoolio
Cirrostratus
If you want to preserve the client IP, you can define a virtual server with a type of forwarding IP, with a fastL4 profile. The destination for the virtual server should match what traffic you want to forward through the BIG-IP. To forward traffic destined for any IP address, select network with an IP and netmask of 0.0.0.0/0.0.0.0. If you wanted to only allow traffic to a specific subnet, you could configure that as well (example: 192.168.100.0/255.255.255.0). To ensure the source address is preserved, don't enable SNAT.
If you enable this virtual server on all VLANs, the BIG-IP will forward traffic from/to any host/network. You can restrict which clients can connect to this virtual server by enabling the VIP on specific VLANs. You can also use IP filters or an iRule to add more granular restrictions.
Aaron

JRahm
Admin
You also need a route in the routing table for non-locally connected subnets.
Consider F5 vlans A & B:
vlan A hosts should have a route to bigip for vlan B hosts
vlan B hosts should have a route to bigip for vlan A hosts
vlan A hosts & vlan B hosts should have a route to bigip for vlan C hosts
Assuming your 0.0.0.0/0 forwarding virtual is in place, the F5 will forward packets between these vlans because they are locally connected. However, since vlan C is not local to the F5, the F5 also needs a route to this location in order to forward packets from vlan A and vlan B hosts to that destination.

hoolio
Cirrostratus
Are you trying to ping the node using ICMP or open a TCP connection? If ICMP, you'd need to configure the virtual server for all protocols as opposed to TCP or UDP.
If you're not able to establish a TCP connection through the forwarding virtual server, you could try running a tcpdump on all interfaces and then initiate a TCP connection. Here's an example that would capture traffic on all interfaces (0.0) to/from any hosts on or from port 22:
tcpdump -n -i 0.0 tcp port 22
If you find that the requests and responses through the BIG-IP aren't symmetrical, you would need to enable loose initiation and loose close on the FastL4 profile to instruct BIG-IP to allow the packets through.
Aaron

engtmk
Nimbostratus
Well, my structure is as follows:
3 vlans connected to the BIG-IP: A, B, and C
I have configured a server in vlan A with the BIG-IP as its default gateway
and I have configured a VS on the BIG-IP as forwarding IP with network (0.0.0.0/0), and I have also modified the fastL4 profile as described, but still no connection from any of the three vlans, and here's what I get when I try to telnet to the IP of my server on port 22:
21:47:14.950435 802.1Q vlan4094 P0 192.168.110.1.ssh > 192.168.1.199.4187: R 0:0(0) ack 533685755 win 0
21:47:17.932674 802.1Q vlan4094 P0 192.168.110.1.ssh > 192.168.1.199.4187: R 0:0(0) ack 1 win 0
21:47:23.940767 802.1Q vlan4094 P0 192.168.110.1.ssh > 192.168.1.199.4187: R 0:0(0) ack 1 win 0
server ip: 192.168.110
So, any clue?

engtmk
Nimbostratus
In the last post I discovered I was trying to access from a non-directly connected vlan; that's why (I added a route to that vlan). Now it's working,
but I still have the same problem whenever I try to connect to one of the directly connected vlans,
and this is what I got when I try to telnet from 192.168.110.1 (server with the BIG-IP as its default GW)
to 192.168.3.102 (directly connected vlan server):
22:29:57.131377 802.1Q vlan4094 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:57.131396 802.1Q vlan4093 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:59.992555 802.1Q vlan4094 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:59.992561 802.1Q vlan4093 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:30:06.007492 802.1Q vlan4094 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:30:06.007499 802.1Q vlan4093 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)

JRahm
Admin
It appears from your capture that the F5 is forwarding that traffic, and the server (192.168.3.102) is not responding. You note that vlan A devices have a default route to the bigip, but does the vlan with your ftp server? If not, is there a route for 192.168.110.1 from 192.168.3.102? If not, you will need a host route on 192.168.3.102 pointed to the BigIP self IP that is on the 192.168.3.x network.
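The diagnosis above (SYN seen on both the ingress and egress VLAN, never a SYN-ACK) can be read off a capture mechanically. The following Python script is an added example and not code from this thread or from F5: it parses the classic tcpdump TCP format with 802.1Q tags as posted here, groups packets into flows, and labels each flow from the BIG-IP's point of view. The sample input is the two captures posted earlier in this thread; the verdict strings and the heuristics behind them are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the capture lines posted earlier in this thread
# (tcpdump -n -i 0.0 on the BIG-IP); they contain two flows.
CAPTURE = """\
21:47:14.950435 802.1Q vlan4094 P0 192.168.110.1.ssh > 192.168.1.199.4187: R 0:0(0) ack 533685755 win 0
21:47:17.932674 802.1Q vlan4094 P0 192.168.110.1.ssh > 192.168.1.199.4187: R 0:0(0) ack 1 win 0
22:29:57.131377 802.1Q vlan4094 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:57.131396 802.1Q vlan4093 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:59.992555 802.1Q vlan4094 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
22:29:59.992561 802.1Q vlan4093 P0 192.168.110.1.4422 > 192.168.3.102.ftp: S 1469314934:1469314934(0) win 65535 (DF)
"""

# One line of the classic tcpdump TCP format with an 802.1Q VLAN tag, as shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) 802\.1Q (?P<vlan>vlan\d+) P\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): (?P<flags>[SRPF.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one capture line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    # Old tcpdump prints a SYN-ACK as "S ... ack N"; newer builds print "S." in the flags.
    p["ack"] = " ack " in p["rest"] or "." in p["flags"]
    return p


def flow_name(endpoints):
    (a_ip, a_port), (b_ip, b_port) = endpoints
    return f"{a_ip}:{a_port} <-> {b_ip}:{b_port}"


def diagnose(f):
    """Heuristic reading of one flow from the BIG-IP's point of view."""
    if f["rst_from"] and not f["syn_vlans"]:
        host = sorted(f["rst_from"])[0]
        return f"reset: {host} sent RST and no SYN was captured; it answered a packet outside any tracked connection"
    if f["syn_vlans"] and not f["synack_vlans"]:
        if len(f["syn_vlans"]) >= 2:
            return "forwarded: SYN seen on ingress and egress VLANs but no SYN-ACK; the server is not answering or has no route back"
        return "not forwarded: SYN seen on one VLAN only; check the forwarding virtual server and the route on the BIG-IP"
    if f["synack_vlans"] and not f["syn_vlans"]:
        return "asymmetric: SYN-ACK seen without its SYN; the client's outbound path bypassed the BIG-IP"
    return "ok: SYN and SYN-ACK both passed through the BIG-IP"


def analyse(capture):
    """Group packets per flow and return {flow name: verdict}."""
    flows = defaultdict(lambda: {"syn_vlans": set(), "synack_vlans": set(), "rst_from": set()})
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        # Both directions of a connection map to the same (sorted) endpoint pair.
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        f = flows[key]
        if "S" in p["flags"] and not p["ack"]:
            f["syn_vlans"].add(p["vlan"])
        elif "S" in p["flags"] and p["ack"]:
            f["synack_vlans"].add(p["vlan"])
        if "R" in p["flags"]:
            f["rst_from"].add(p["src"])
    return {flow_name(k): diagnose(f) for k, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in analyse(CAPTURE).items():
        print(name, "->", verdict)
```

Feed it the output of the tcpdump command hoolio gave (all interfaces, so both the ingress and egress VLAN copies of a packet are present); the VLAN count per flow is what distinguishes "forwarded but unanswered" from "never left the BIG-IP".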
JRahm
Admin
Without understanding your architecture, let me summarize the requirements:
1) Your 0.0.0.0/0 virtual forwarder applied to all vlans allows TMM to pass the traffic, IF there are routes to the destinations.
2) Any traffic between locally connected subnets will be permitted without any additional routes, IF the hosts on the vlans route the traffic to BigIP
3) Any traffic received by the BigIP for a remote subnet will require a route on the BigIP to the GW for that remote subnet
4) If translations are required for traffic to return, that must be considered either on the BigIP or on the GW in front of the BigIP
5) If the source, vip, & destination are all on the same subnet, you'll need to configure translation so the destination routes the traffic back through the BigIP before sending back to the source (for tcp traffic)
If you submit a drawing of your architecture with generic (false) IPs and vlans, I'm sure we'll get there.

blacksan_10396
Nimbostratus
Any news on this topic? I also need assistance on the "how-to".
Same scenario:
1 - I need to have the servers use the BIG-IP as their default gateway.
2 - Servers are on 192.168.1.0/24, which is a local interface of the BIG-IP (.1)
3 - I created an inbound VServer, network 192.168.1.0/24
4 - BIG-IP Auto-Last-Hop technology works with no issues
5 - I created an outbound VServer, network 0.0.0.0/0
6 - Issue: the BIG-IP already has a default gateway which goes the wrong way for the servers (192.168.3.1)
7 - Since this is for connections initiated by the servers, there is no Auto-Last-Hop for new connections.
8 - I need the servers' traffic to go out the correct way (192.168.2.1)
So what I need is help creating an iRule: for communication coming from 192.168.1.0/24 to anyone, where there is no Auto-Last-Hop, use this default gateway (192.168.2.1).
Does this look right?
when CLIENT_ACCEPTED {
    set failed 0
    # $failed is set but not referenced below
    # Source-based gateway selection: connections from 192.168.1.0/24 are sent to 192.168.2.1
    if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        node 192.168.2.1
    }
}

JRahm
Admin
That should work. Are you using that variable (set failed 0)?
Just as an FYI, I prefer to define the gateway (along with the backup in the event my preferred gateway is down) in a pool and use the pool command instead of the node command. This allows you to monitor and select based on availability but also gives you connection counts not available with the node command.
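The rules JRahm summarised (forwarding virtual, locally connected subnets, routes for remote subnets, translation for the return path, same-subnet source and destination) together with blacksan's source-based gateway and JRahm's pool-with-backup suggestion can be captured in one decision function. The Python below is an added example written for this thread; it is not F5 code and not a description of how TMM actually decides, only a simplified model of the requirements discussed. The subnets, the default gateway 192.168.3.1 and the preferred gateway 192.168.2.1 are the thread's; the backup gateway 192.168.2.2, the remote host 10.0.0.5 and the `ForwardingModel` API are this example's own assumptions.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


class ForwardingModel:
    """Simplified model of the forwarding decisions discussed in this thread (not TMM's real logic)."""

    def __init__(self, local_nets, routes, forwarding_vs, snat=False):
        self.local_nets = [net(n) for n in local_nets]          # subnets of the BIG-IP's self IPs
        # routing table, longest prefix first; a 0.0.0.0/0 entry is the default gateway
        self.routes = sorted(((net(n), ipaddress.ip_address(gw)) for n, gw in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.forwarding_vs = [net(n) for n in forwarding_vs]    # destinations covered by forwarding virtuals
        self.snat = snat
        self.source_gateways = []   # (source subnet, [gateway, ...]) as in blacksan's iRule, but pool-style
        self.gateway_up = {}        # monitor state per gateway address

    def add_source_gateway(self, source_net, gateways):
        gws = [ipaddress.ip_address(g) for g in gateways]
        self.source_gateways.append((net(source_net), gws))
        for g in gws:
            self.gateway_up.setdefault(g, True)

    def set_gateway_state(self, gw, up):
        self.gateway_up[ipaddress.ip_address(gw)] = up

    def _local(self, ip):
        return next((n for n in self.local_nets if ip in n), None)

    def decide(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # rule 1: TMM only passes traffic a forwarding virtual server matches
        if not any(dst in v for v in self.forwarding_vs):
            return {"action": "drop", "reason": "no forwarding virtual server matches the destination"}
        notes = []
        src_net, dst_net = self._local(src), self._local(dst)
        if dst_net is not None:                                  # rule 2: locally connected, no route needed
            if src_net == dst_net and not self.snat:             # rule 5: same subnet on both ends
                notes.append("source and destination share a subnet: enable translation or the reply bypasses the BIG-IP")
            else:
                notes.append(f"{dst} must route {src} back via the BIG-IP self IP on {dst_net}")
            return {"action": "forward", "next_hop": str(dst), "via": "connected", "notes": notes}
        # blacksan's case: gateway chosen by source subnet, first available member of the pool
        for s_net, gws in self.source_gateways:
            if src in s_net:
                up = [g for g in gws if self.gateway_up.get(g, False)]
                if not up:
                    return {"action": "drop", "reason": f"all gateways for {s_net} are down"}
                return {"action": "forward", "next_hop": str(up[0]), "via": "source-gateway", "notes": notes}
        for r_net, gw in self.routes:                            # rule 3: route on the BIG-IP for remote subnets
            if dst in r_net:
                if not self.snat:                                # rule 4: return path must be arranged
                    notes.append("return traffic must come back through the BIG-IP (route on the far gateway, or SNAT)")
                return {"action": "forward", "next_hop": str(gw), "via": f"route {r_net}", "notes": notes}
        return {"action": "drop", "reason": "no route on the BIG-IP for the destination"}


def make_thread_model():
    """blacksan's setup: three local VLANs, default gateway 192.168.3.1, servers on .1.0/24 sent to 192.168.2.1."""
    m = ForwardingModel(local_nets=["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
                        routes=[("0.0.0.0/0", "192.168.3.1")],
                        forwarding_vs=["0.0.0.0/0"])
    m.add_source_gateway("192.168.1.0/24", ["192.168.2.1", "192.168.2.2"])  # 192.168.2.2 is a constructed backup
    return m


if __name__ == "__main__":
    m = make_thread_model()
    print(m.decide("192.168.1.50", "10.0.0.5"))      # constructed remote host: goes to 192.168.2.1
    print(m.decide("192.168.3.10", "10.0.0.5"))      # other VLAN: follows the default route
    print(m.decide("192.168.1.50", "192.168.3.102")) # locally connected, needs a route back on the server
```

The pool-style gateway list is what JRahm's `pool` suggestion buys over `node`: when the preferred gateway is marked down, the next available member is used, whereas the iRule above sends every matching connection to a single address regardless of its state.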