Forum Discussion
Can't access on-prem DNS when using F5 LTM as a gateway
The title is the tl;dr. I have a server on an internal network that is set up to use our F5 as a gateway. I have all of the forwarding VIPs set up and routed through SNAT pools, and if I set the server to use an external DNS like Google or OpenDNS everything seems to work perfectly. However, the server is being set up as an SMTP server and needs to rely on our on-prem DNS for some mail destinations. Side note: if the forwarding VIPs are set for SNAT automap, on-prem DNS works fine.
I did watch traffic with tcpdump from the F5. On the internal network, when using nslookup with both on-prem and off-prem DNS servers, I could see traffic hit the outbound forwarding VIP. However, watching traffic on the external network, traffic appeared on the outbound forwarding VIPs when using external DNS servers; on-prem seems to have died somewhere in the F5.
Can I fix this by just adding another outbound VIP set to SNAT automap to manage DNS traffic? Is that an appropriate fix?
5 Replies
- MillersvilleEri
Nimbostratus
Running tmsh list /sys management-route does not show our DNS server in the results, just the gateway for the management network.
And yes, the BIG-IP has an interface with a self IP and floating IP on the VLAN with the DNS servers.
No, there is not a specific TMM route for the third VLAN, at least I do not think so. Here is the output of tmsh show /net route, if that is helpful.
- Injeyan_Kostas
Nacreous
OK, so having an interface in the DNS VLAN will never work as forwarding without SNAT because of asymmetric routing.
Your solution, as mentioned before, is to either use SNAT or create a Performance L4 VS matching only the DNS destination and use your external VLAN next hop as the pool.
You will also need to define * as the port in the pool and also deselect Address and Port Translation on the VS.
So you will actually create policy-based routing to forward DNS traffic through your external VLAN.
- MillersvilleEri
Nimbostratus
Hello Injeyan_Kostas
Yes, I am using the same internal DNS on both the BIG-IP and the server. And, as I am not 100% sure what you mean by creating a management route for the internal DNS IP or subnet, I'm going to guess that I have not.
Our DNS servers are on a different VLAN, separate from our external, management, and server VLANs. However, the VLAN with our DNS servers is also a separate internal network accessible by the BIG-IP. But access to this VLAN through the BIG-IP is not necessary.
- Injeyan_Kostas
Nacreous
Check the output of this command:
tmsh list /sys management-route
Is your DNS server IP included?
If yes, your forwarding VIP will forward DNS traffic through the MGMT interface.
"our DNS servers is also a separate internal network accessible by the BIG-IP"
Does this mean that the BIG-IP has an interface in this VLAN?
Or is there a specific TMM route for this VLAN?
If either of the above is happening, you will have to create a specific L4 VIP matching only the DNS destination and forward it to your TMM next hop, or just use SNAT.
Because most probably you have an asymmetric routing issue.
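The fix Injeyan_Kostas describes in the two replies above (a DNS-only Performance L4 virtual server whose pool is the external VLAN next hop on port *, with Address and Port Translation switched off, or alternatively a DNS-only forwarding VS with SNAT) looks like the following in tmsh. This is an added example, not configuration posted in the thread: every address, VLAN name, object name and the 203.0.113.1 next hop are assumed and must be replaced with the real values. The commands are typed at the BIG-IP bash prompt.

```tmsh
# Assumed addressing (illustrative only, not taken from the thread):
#   server VLAN    vlan_servers   BIG-IP floating self IP 10.10.10.1/24, server 10.10.10.50
#   external VLAN  vlan_external  upstream router/firewall (TMM next hop) 203.0.113.1
#   DNS VLAN       vlan_dns       on-prem DNS server 10.20.30.53 (BIG-IP also has a self IP here)
# The existing general outbound forwarding VIP (0.0.0.0:0, no SNAT) stays as it is;
# the virtuals below match a host + port, so they take precedence over it.

# 1. Pool whose only member is the external next hop. Port 0 is "*" (any port),
#    which is required because the real destination port is left untranslated.
tmsh create /ltm pool pool_ext_nexthop members add { 203.0.113.1:0 } monitor gateway_icmp

# 2. Performance (Layer 4) virtual servers that match only DNS to the on-prem
#    server, UDP and TCP. translate-address/translate-port disabled is the same
#    as unchecking "Address Translation" and "Port Translation" in the GUI: the
#    packet keeps 10.20.30.53:53 as its destination and is only routed to the
#    pool member, i.e. policy-based routing out of vlan_external. Restricting the
#    VS to vlan_servers keeps it from catching anything else.
tmsh create /ltm virtual vs_dns_pbr_udp \
    destination 10.20.30.53:53 ip-protocol udp \
    profiles add { fastL4 } pool pool_ext_nexthop \
    translate-address disabled translate-port disabled \
    source 0.0.0.0/0 vlans add { vlan_servers } vlans-enabled \
    source-address-translation { type none }

tmsh create /ltm virtual vs_dns_pbr_tcp \
    destination 10.20.30.53:53 ip-protocol tcp \
    profiles add { fastL4 } pool pool_ext_nexthop \
    translate-address disabled translate-port disabled \
    source 0.0.0.0/0 vlans add { vlan_servers } vlans-enabled \
    source-address-translation { type none }

# Alternative (the SNAT option, commented out): a DNS-only forwarding VS with
# SNAT automap and no pool. The query then leaves the BIG-IP's self IP on
# vlan_dns, so the DNS server's reply comes straight back to the BIG-IP and the
# path is symmetric. Use either this or the two PBR virtuals above, not both.
# tmsh create /ltm virtual vs_dns_fwd_snat \
#     destination 10.20.30.53:53 ip-protocol udp \
#     profiles add { fastL4 } ip-forward \
#     source-address-translation { type automap } \
#     source 0.0.0.0/0 vlans add { vlan_servers } vlans-enabled

tmsh save /sys config

# 3. Verify from the server with nslookup/dig against 10.20.30.53 while watching:
#    the query must now leave on vlan_external (PBR) or carry the vlan_dns self IP
#    as source (SNAT), and no longer be seen leaving vlan_dns with the server's IP.
tmsh show /ltm virtual vs_dns_pbr_udp
tmsh show /sys connection cs-server-addr 10.20.30.53
tcpdump -ni vlan_external host 10.20.30.53 and port 53
```

Why the original setup breaks: with a plain forwarding VIP and no SNAT, the BIG-IP routes the query straight onto vlan_dns because that subnet is directly connected, but the DNS server answers via its own default gateway, so the reply never returns through the interface the BIG-IP's connection entry expects and is dropped. Sending DNS out the external next hop (PBR) or sourcing it from the BIG-IP's own self IP (SNAT) makes both directions traverse the same path. If you have several on-prem DNS servers on that subnet, the same virtuals can be created with a network destination and mask instead of a single host.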
- Injeyan_Kostas
Nacreous
Hello MillersvilleEri
Might you be using the same internal DNS as the DNS of the BIG-IP itself?
And if yes, might you have created a management route for the internal DNS IP or subnet?