Forum Discussion
BIG-IP in DMZ - Reverse traffic to public subnets clarification
Hi Vladimir,
So to sum up, you receive a request from outside.
- The client sends a request from the internet to the public service.
- Your FW NATs the destination to the VS (internal IP) but leaves your source IP unchanged.
- F5 receives the client request on the VS (internal IP), then forwards the request to your pool member depending on your load balancing method and persistence.
- F5 SNATs the source IP of the client and uses the IP of the egress interface (self IP if standalone or floating IP if cluster).
- The pool member receives the request and responds to F5 (because of SNAT).
- The F5 sends the response to the client using Auto Last Hop, which is a VS setting that is set to Default by default:
When enabled, Auto Last Hop allows the BIG-IP system to send return traffic from pools to the MAC address that transmitted the request, even if the routing table points to a different network or interface. As a result, the BIG-IP system can send return traffic to clients even when there is no matching route. For example, if the BIG-IP system does not have a default route configured and the client is located on a remote network. Additionally, Auto Last Hop is useful when the BIG-IP system is load balancing transparent devices that do not modify the source IP address of the packet. Without the last hop option enabled, the BIG-IP system can return connections to a different transparent node, resulting in asymmetric routing.
https://support.f5.com/csp/article/K13876
So the response from F5 goes back using the right path (the response to the client uses the arrival interface).
Hope it's clear; let me know if you need more details.
Regards
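The hop-by-hop flow described in the reply above, as an added example (not code from the original post or from F5): each function models one hop's address handling, and `bigip_return_hop` shows why Auto Last Hop lets the reply reach a remote client even when the routing table has no matching route. All IPs, MACs and the pool are constructed values.

```python
# Added example, not from the original post: a small model of the hop-by-hop
# address handling described above and of how Auto Last Hop picks the return
# path. All IPs, MACs and names are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    in_mac: str = ""     # MAC of the device that handed the packet to BIG-IP

# Constructed topology
VS_INTERNAL = "10.0.1.80"          # VS address the firewall DNATs to
EGRESS_SELF_IP = "10.0.2.1"        # self/floating IP used for SNAT
POOL = ["10.0.2.11", "10.0.2.12"]
FW_MAC = "02:00:00:00:aa:01"

def firewall_dnat(pkt):
    # Firewall rewrites only the destination; the client source IP stays.
    return Packet(pkt.src, VS_INTERNAL, in_mac=FW_MAC)

def bigip_to_pool(pkt, pick):
    # BIG-IP picks a member and SNATs the source to its egress self IP.
    return Packet(EGRESS_SELF_IP, POOL[pick % len(POOL)])

def pool_reply(pkt):
    # Because of SNAT the member answers the BIG-IP, never the client.
    return Packet(pkt.dst, pkt.src)

def bigip_return_hop(request, routes, auto_last_hop):
    # Auto Last Hop: reply to the MAC that delivered the request. Otherwise
    # the routing table decides, and with no matching route there is no path.
    if auto_last_hop:
        return ("mac", request.in_mac)
    client, best = ipaddress.ip_address(request.src), None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return ("route", best[1]) if best else None

def trace(client_ip, routes, auto_last_hop, pick=0):
    # Run one request through the path and report what each hop observes.
    at_vs = firewall_dnat(Packet(client_ip, "198.51.100.80"))  # public VIP
    to_member = bigip_to_pool(at_vs, pick)
    return {"vs_sees_src": at_vs.src, "member_sees_src": to_member.src,
            "member_replies_to": pool_reply(to_member).dst,
            "client_return": bigip_return_hop(at_vs, routes, auto_last_hop)}
```

Running `trace` with a routing table that lacks a default route shows the asymmetry the K13876 excerpt warns about: the pool member's reply still reaches the BIG-IP, but without Auto Last Hop the BIG-IP has no route back to the client.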