F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

yammy1688_99834's avatar
yammy1688_99834
Icon for Nimbostratus rankNimbostratus
Feb 02, 2011

Dedicated firewall interfaces for each pool, LTM config?

I'm putting the LTM in an environment where we have dedicated firewall (FWSM) interfaces (along with corresponding ACLs) for each pool/farm and require that all traffic for a given farm flows through its respective firewall interface.

 

 

I've tried using VLAN groups and keeping the firewall interface and pool members in separate vlans but it just doesn't seem that reliable? I'm running into a situation right now whereby the modified (translucent) mac-address advertised by the ltm for a particular pool shows up on both the pool and firewall VLAN, preventing access to the servers directly. The virtual IP and self-IPs ping fine however. Any ideas on what could cause this?

 

 

 

 

 

I've resorted to keeping everything in the same VLAN and SNATing. However I'm wondering if it is possible to see the client IPs on the servers using this method?

 

 

 

Thanks,

 

 

 

-Ken

 

config
design

3 Replies

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Feb 02, 2011
    Ahh... Too me a few times through the question to understand what you're trying to do. You're trying to run as a transparent (Bridge) device? Correct?

     

     

     

    I'm not even sure that's possible... (ALthough VLAN groups are a method of briodging two VLAN's, I've never had a great deal of luck. Mainly because broadcasts don't seem to be forwarded. Although that may have been th eversion I was using).

     

     

    Why don't you simply run it as a router and then it becomes a lot easier. I run mine with 3 main interfaces. 1 for VS's, 1 (Or more) for backend servers, and 1 for plain routing to/from backend servers. Each is a different subnet. Traffic to the VS's are routed via the VS VLAN. Traffic to servers is routed via the 'routing' VLAN. Traffic FROM servers either follows auto last-hop or if initiated there is a default network VS that sends it via the next-hop gateway on the 'routing' VLAN. You can firewall backends from each other by ensuring there's no network VS that forwards between server VLAN's (The default would be the FWSM SVI itself).

     

     

    H
  • rcheeks_75965's avatar
    rcheeks_75965
    Icon for Nimbostratus rankNimbostratus
    Feb 02, 2011
    You could use XFF so the end point servers can see the real client IP address.

     

     

    https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12264.html?sr=12488278

     

     

    This data is also available via cli on the LTM:

     

    bigpipe conn show all | more

     

     

    HTH,

     

    Roger

     

  • yammy1688_99834's avatar
    yammy1688_99834
    Icon for Nimbostratus rankNimbostratus
    Feb 11, 2011
    Posted By rcheeks on 02/02/2011 04:02 PM

     

    You could use XFF so the end point servers can see the real client IP address.

     

     

    https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12264.html?sr=12488278

     

     

    This data is also available via cli on the LTM:

     

    bigpipe conn show all | more

     

     

    HTH,

     

    Roger

     

     

    Hi Roger,

     

     

    We have a separate subnet per pool and each subnet has a dedicated firewall interface along with associated access-lists. Due to this I cannot use the LTM as the gateway without using some trickery like source based routing.

     

     

     

    I just went ahead with a one-armed config. Makes everything a lot simpler.