Forum Discussion
Cannot ping external interface
Hello, a couple things here:
If you assign a VLAN to a Virtual Server, it will only accept traffic coming from that VLAN.
Given that you configured the VLAN as native (untagged) on a specific interface (let's say it's 1.1), this means that only traffic coming from interface 1.1 will be able to reach the virtual server IP address.
With default configuration, the VS virtual address will respond to ICMP queries when the status of the VS is green (available).
F5 will use the MAC address of your EXTERNAL VLAN when responding to ARP requests for the virtual address IP.
Then, you have the self IPs. They are the IP addresses that F5 uses to determine connected interfaces and for routing. They are also used for monitoring probes, and sometimes for NAT if you use automap option.
With default configuration, these IP addresses reject all packets. This is a standard security procedure, because you usually don't want your users (or other appliances on the network) to be able to connect to the BIG-IP unit on a traffic interface.
If you need to enable some protocols (let's say, BGP for routing, or ICMP if you need it, or all the HA services to set up a cluster) then you'll need to change the self-IP port lockdown behavior from "Allow None" to the option that suits you best. You can change it to "custom" and only allow things you want, or use any pre-configured profile (like "allow default", which is commonly used for HA).
Check this -> https://my.f5.com/manage/s/article/K17333
- peeryog, Nov 07, 2025
Nimbostratus
OK, wow, it's very obvious I don't know what I am doing.
I did check the lockdown, thanks for that advice, and set it to default. I see that it allows 443 through, not port 80 which is fine.
However, on the public-facing side, it is working, but it is presenting the Big IP Management LogIn page, not the servers in the pool. How this works I do not know, as they are on their own VLAN which is ostensibly completely separate from the pool, any routing table and so on.
When I first got the devices I spent some time following a tutorial to set this up and it worked just fine. The only difference was the external network was connected to an internal LAN so that I could understand how this worked, and work it did. The webservers are on their own DMZ VLAN and all worked as expected. I had not set up any self IPs. However, as soon as I changed the IP of the virtual server to a different IP and network, I have not been able to get this to connect, and it has been days of trying to determine what the BIG-IP wants, and I have probably completely messed up the configuration in attempting to get this to work.
- CA_Valli, Nov 07, 2025
MVP
One thing is the self-ip address, one other thing is the virtual server.
Self-IP addresses belong to... "self", which is F5 indeed, so if you connect to them you should expect F5 to respond with the F5 management interface! :)
"How this works" is tricky, as F5 keeps separate routing tables for the data plane and the management plane. But essentially, allowing access to a self-IP is opening management plane access through the network (again, there's a reason why it's locked down by default).
If you need F5 to act as a full-proxy (hey, that's its job!) and publish a web server, you need to set up a virtual server. All of the objects you need to do this are found in the "traffic management" menu. This includes your pool and all the other stuff.
Check my other comment to have a better understanding on what you need to connect F5 to the network, and once that is set up and ready, you can create services "on top" of the deployment you just set up.
Understanding how this works is part of the fun :) but feel free to ask if you still have any doubts.
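An added example (not part of the thread and not F5 code): a small Python audit of the port lockdown setting discussed above, flagging self IPs on an untrusted VLAN whose allow-service list admits management traffic, which is the situation where the login page showed up on the public-facing side. The tmsh-style sample text, the object and VLAN names, and the `MGMT` service set are constructed assumptions.

```python
import re

# Constructed sample modeled on `tmsh list net self` output (assumed layout,
# not taken from the thread). A self IP with no allow-service line is "Allow None".
SAMPLE = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self internal_self {
    address 10.0.20.1/24
    allow-service {
        tcp:179
    }
    vlan internal
}
net self dmz_self {
    address 10.0.30.1/24
    vlan dmz
}
"""

# Assumption: services that reach the management plane (GUI and SSH).
MGMT = {"tcp:443", "tcp:https", "tcp:22", "tcp:ssh"}

def parse_self_ips(text):
    """Return {name: {"vlan": str or None, "allow": [service, ...]}}."""
    out = {}
    for name, body in re.findall(r"^net self (\S+) \{\n(.*?)^\}", text, re.S | re.M):
        vlan = re.search(r"^\s*vlan (\S+)", body, re.M)
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        single = re.search(r"allow-service (\w+)\s*$", body, re.M)
        allow = block.group(1).split() if block else [single.group(1)] if single else []
        out[name] = {"vlan": vlan.group(1) if vlan else None,
                     "allow": [a for a in allow if a != "none"]}
    return out

def exposed(text, untrusted=("external",)):
    """Self IPs on untrusted VLANs whose port lockdown admits management traffic."""
    hits = []
    for name, cfg in parse_self_ips(text).items():
        allow = set(cfg["allow"])
        if cfg["vlan"] in untrusted and allow & ({"all", "default"} | MGMT):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(exposed(SAMPLE))
```

Pass the names of your own untrusted VLANs in `untrusted`; a custom list such as `tcp:179` on its own is not flagged.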
