Forum Discussion

Hamza2
May 26, 2024

Check: adding a default route on F5 in IP forward mode for a node server to reach the internet behind LTM F5

Hello everyone,

I have a question about the IP forward mode; the config is in the capture below, with SNAT:

My test scenario is like this:

Server node: 172.16.10.47

External self IP: 192.168.25.10

Internal self IP: 172.16.10.200

This scenario does not work for an internet ping test from the node server 172.16.10.47 to the internet, but that is without a default route to the Checkpoint interface gateway 192.168.25.254. Could you please confirm that adding the default route to the Checkpoint interface gateway 192.168.25.254 is the correct action for me and that the test would then work?


  • Hello Hamza, keep in mind that F5 is a default-deny device so anything that doesn't strictly match your forwarders will be denied. 

    One issue I see with your configuration is that this routing VIP is configured to listen on all VLANs. This means that "inbound" traffic will be NAT-ed with the same IP as well. I believe this isn't intended, so you might consider tuning the "vlan and tunnel traffic" config and restricting it only to the internal 172.16.10.x VLAN, and/or any other VLAN that requires outbound connectivity.

    Other than that, of course you're going to need to configure a default route on the unit, so that F5 knows where to forward all traffic that isn't intended for local networks. 

    • Hamza2

      Thank you for your reply, I will modify the internal VLAN for the forwarding policy.
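
The configuration the question describes, with the two changes the reply recommends (restrict the forwarding virtual server to the internal VLAN, and add a default route), as an added tmsh example that is not part of the thread. The addresses 172.16.10.x, 192.168.25.10, 172.16.10.200 and 192.168.25.254 come from the question; the VLAN name `internal`, the virtual server name `vs_forward_internet` and the route name `default_gw` are assumptions.

```tmsh
# Added example; names vs_forward_internet, internal and default_gw are assumed.
#
# Forwarding (IP) virtual server for outbound traffic from the internal network.
# A forwarding virtual created with no "vlans" entry and "vlans-disabled" (the
# default) listens on every VLAN, which is what the reply warns about: traffic
# arriving on the external VLAN would be matched and SNATed as well. Listing the
# internal VLAN with "vlans-enabled" and limiting "source" to the internal
# subnet keeps the forwarder to the traffic it is meant to carry.
create ltm virtual vs_forward_internet \
    destination 0.0.0.0:any \
    mask any \
    source 172.16.10.0/24 \
    ip-forward \
    profiles add { fastL4 } \
    vlans add { internal } \
    vlans-enabled \
    snat automap \
    translate-address disabled \
    translate-port disabled

# Default route so the BIG-IP knows where to send traffic that is not destined
# for a directly connected network (the Checkpoint gateway on the external VLAN).
create net route default_gw network default gw 192.168.25.254

# Checks: the virtual must show "vlans { internal }" and "vlans-enabled",
# and the route table must contain the default route.
list ltm virtual vs_forward_internet vlans vlans-enabled snat
show net route

save sys config
```

With `snat automap` the outbound packets leave the external VLAN sourced from the external self IP 192.168.25.10, so the upstream firewall only needs to allow that address. For the ping test to reach the forwarder at all, the node 172.16.10.47 must use the internal self IP 172.16.10.200 as its own default gateway; the thread does not state the node's gateway, so that is an assumption to verify on the server side.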