Forum Discussion

Luca_55898's avatar
Icon for Nimbostratus rankNimbostratus
Sep 29, 2011

Design / Traffic Flow Question


We have an Internal LTM which has a virtual server for a proxy server.


The Virtual server is and it has a pool member which it forwards traffic to on




The LTM source NATs traffic when it forwards it to the pool member.




The issue is that the proxy ( is then configured to forward traffic to another LTM in our DMZ - So when it does this it sends its traffic to its default gateway to reach the destination of




So basically the Internal LTM forwards traffic to the proxy, but the return traffic does not flow back through the LTM because the proxy uses its default gateway (which is not the LTM) to reach the DMZ LTM.




So my question is, should we be configuring the proxy to use the Internal LTM as its default gateway to make sure all return traffic flows back through the LTM?




Or perhaps we could configured another VIP on the internal LTM (in the same subnet as the proxy) with the DMZ LTM as a pool member and configure the proxies to send traffic to that, instead of directly to the address.




Or is it OK for return traffic to bypass the internal LTM?


7 Replies

  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    Ah... You either need to have the proxy use the LTM that's LB'ing it as the default gateway OR use SNAT on that VS... (Ignoring n-path)



    Which is better? Well... I dislike SNAT. But mainly for debugging reasons. Sometimes you have no choice. But I try to plan for never needing it.



  • We do use SNAT - this NATs the source to the egress interface on the LTM.

    The issue is that when the proxy gets the traffic it will forward to a new destination IP.




    So even though the LTM SNATs using its floating IP, the Proxy forwards to a new IP, outside of the subnet and hence bypasses the LTM due to the default gateway not being the LTM.




    If the proxies use the LTM as their default gateway the LTM would need to have some more routing smarts that is currently configured on our one.
















  • The issue is that when the proxy gets the traffic it will forward to a new destination IP.



    But the source IP should either be the proxy if it does source address translation or the LTM SNAT IP. Either way, shouldn't LTM get the response? Is it possible that the reply does come back to LTM, but on a different VLAN or something like that?



  • Yes, when traffic gets to the proxy the source IP will be the LTM. I can confirm this with TCP Dumps


    However, from my firewall logs i see that when traffic is forwarded to the DMZ LTM - ( the source IP is that of the Proxy. I would of thought that the source IP would be the F5.



  • So shouldn't the server respond back to the Proxy and the Proxy reply back to LTM?



  • Will the LTM SNAT the return traffic?


    So traffic comes from client to VIP - VIP forwards to proxy and does SNAT - proxy sends traffic to new DMZ LTM back through internal LTM - LTM routes to DMZ proxy.



    So at that last point when the traffic comes back from the proxy to the LTM - will the LTM do another SNAT when it forwards to the DMZ?



    From what i can see, no. Since our DMZ firewall only permits traffic from the proxy IP address. However when i do TCP dumps on the internal proxy i see return traffic going through the internal LTM.
  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    On a given connection... Think of the LTM as just another proxy. So the connection from client to LTM is always a pair of IP addresses. The connection to LTM to 'proxy' is a second connection.



    Conceptually there's a single connection with an LTM in the middle doing some stuff (e.g. SNAT). But in reality the LTM is a proxy and SNAT simply means don't do anything special to 'pretend' to be the client IP when opening the second server side connection.