Forum Discussion
Design / Traffic Flow Question
We have an Internal LTM which has a virtual server for a proxy server.
The Virtual server is 10.20.20.100 and it has a pool member which it forwards traffic to on 10.20.30.70.
The LTM source NATs traffic when it forwards it to the pool member.
The issue is that the proxy (10.20.30.70) is then configured to forward traffic to another LTM in our DMZ - 10.100.152.100. So when it does this it sends its traffic to its default gateway to reach the destination of 10.100.152.100.
So basically the Internal LTM forwards traffic to the proxy, but the return traffic does not flow back through the LTM because the proxy uses its default gateway (which is not the LTM) to reach the DMZ LTM.
So my question is, should we be configuring the proxy to use the Internal LTM as its default gateway to make sure all return traffic flows back through the LTM?
Or perhaps we could configure another VIP on the internal LTM (in the same subnet as the proxy) with the DMZ LTM as a pool member and configure the proxies to send traffic to that, instead of directly to the 10.100.152.100 address.
Or is it OK for return traffic to bypass the internal LTM?
- Hamish
Cirrocumulus
Ah... You either need to have the proxy use the LTM that's LB'ing it as the default gateway OR use SNAT on that VS... (Ignoring n-path) - Luca_55898
Nimbostratus
We do use SNAT - this NATs the source to the egress interface on the LTM. The issue is that when the proxy gets the traffic it will forward to a new destination IP.
So even though the LTM SNATs using its floating IP, the Proxy forwards to a new IP, outside of the subnet and hence bypasses the LTM due to the default gateway not being the LTM.
If the proxies use the LTM as their default gateway the LTM would need to have some more routing smarts than is currently configured on our one.
- hoolio
Cirrostratus
The issue is that when the proxy gets the traffic it will forward to a new destination IP. - Luca_55898
Nimbostratus
Yes, when traffic gets to the proxy the source IP will be the LTM. I can confirm this with TCP Dumps - hoolio
Cirrostratus
So shouldn't the server respond back to the Proxy and the Proxy reply back to LTM? - Luca_55898
Nimbostratus
Will the LTM SNAT the return traffic? - Hamish
Cirrocumulus
On a given connection... Think of the LTM as just another proxy. So the connection from client to LTM is always a pair of IP addresses. The connection from LTM to 'proxy' is a second connection.
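The two-connection model Hamish describes, and the routing question behind the thread, can be made concrete with a small longest-prefix-match lookup over the proxy's routing table. This is an added example, not code from the thread or from F5. The addresses from the thread (virtual server 10.20.20.100, proxy / pool member 10.20.30.70, DMZ LTM 10.100.152.100) are used as-is; the LTM floating self IP 10.20.30.1, the proxy's non-LTM default gateway 10.20.30.254, the client 10.20.50.5, the proxy subnet mask /24 and the hypothetical on-subnet VIP 10.20.30.200 are constructed assumptions for illustration.

```python
"""Added example: model the proxy's next-hop decisions in the scenario above.

Shows why replies on the SNAT'd connection always reach the LTM (the SNAT
source is on the proxy's own subnet) while the proxy's new connection to
the DMZ LTM follows the default route, plus the two remedies discussed.
"""
import ipaddress

# Addresses taken from the thread.
VS_INTERNAL = "10.20.20.100"
PROXY = "10.20.30.70"
VS_DMZ = "10.100.152.100"

# Constructed assumptions (not from the thread).
CLIENT = "10.20.50.5"
LTM_FLOATING = "10.20.30.1"         # SNAT source the LTM uses toward the pool member
ROUTER_GW = "10.20.30.254"          # proxy's current default gateway, not the LTM
VIP_ON_PROXY_SUBNET = "10.20.30.200"  # Hamish's second option: a VIP on the proxy subnet

# Routing tables: (prefix, next hop); None means directly connected.
PROXY_ROUTES_CURRENT = [
    ("10.20.30.0/24", None),          # proxy's own subnet (assumed /24)
    ("0.0.0.0/0", ROUTER_GW),         # default route bypasses the LTM
]

PROXY_ROUTES_VIA_LTM = [
    ("10.20.30.0/24", None),
    ("0.0.0.0/0", LTM_FLOATING),      # first option: LTM floating IP as default gateway
]


def next_hop(routes, dst):
    """Longest-prefix match.

    Returns 'connected' for an on-link destination, the gateway IP for a
    routed one, or None when no route matches.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


def trace_flow(proxy_routes, onward_dst=VS_DMZ):
    """Describe the connections and the proxy's next hops for one request."""
    return {
        # Connection 1: client to the internal virtual server.
        "client_to_vs": (CLIENT, VS_INTERNAL),
        # Connection 2: LTM SNATs to its floating IP and opens a new connection.
        "ltm_to_proxy": (LTM_FLOATING, PROXY),
        # Replies on connection 2 go to the SNAT address, which is on-link,
        # so they reach the LTM no matter what the default gateway is.
        "proxy_reply_next_hop": next_hop(proxy_routes, LTM_FLOATING),
        # Connection 3: the proxy's own new connection toward the DMZ.
        "proxy_onward_next_hop": next_hop(proxy_routes, onward_dst),
    }


def onward_traffic_passes_ltm(proxy_routes, onward_dst=VS_DMZ):
    """True if the proxy's onward connection is handed to the LTM."""
    hop = next_hop(proxy_routes, onward_dst)
    return hop == LTM_FLOATING or (
        hop == "connected" and onward_dst == VIP_ON_PROXY_SUBNET
    )


if __name__ == "__main__":
    for name, routes in (("current", PROXY_ROUTES_CURRENT),
                         ("ltm as default gw", PROXY_ROUTES_VIA_LTM)):
        print(name, trace_flow(routes))
    print("vip on proxy subnet", trace_flow(PROXY_ROUTES_CURRENT, VIP_ON_PROXY_SUBNET))
```

Running it shows the reply next hop is `connected` in every case (SNAT does its job for connection 2), while connection 3 only touches the LTM when either the default route points at the LTM floating IP or the proxy is pointed at a VIP on its own subnet; with the current table it goes to the router at 10.20.30.254.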