Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Davethoonsen's avatar
Davethoonsen
Icon for Altocumulus rankAltocumulus
Sep 30, 2019

Design question incorporating a firewall

Hi,   I'm stuck with some questions about a design that includes a firewall. I have the following two possible setups, where situation 1 seems more lenient and situation 2 would always require ch...
application delivery
LTM
James_Thomson's avatar
James_Thomson
Icon for Employee rankEmployee
Oct 02, 2019

Questions regarding situation 1:

  • What would my default route be for nodes in the 192.168.1.x network?
    • Yes
  • My guess is 192.168.1.1 as they would use that for their default route and since SNAT auto-map on the F5 would set up a direct (stateful) connection, it would use the floating self IP on the egress VLAN;
    • Correct
  • The F5 is a virtual appliance that has it's external VLAN untagged to interface 1.2 and external IP 40.50.60.3/29. How would I go about using 40.50.60.4 on the F5 to be used as a virtual server?; You should see the external connection as a layer 2 VLAN that is maintained by us.
    • As long as the BIG-IP has a self-IP on the same subnet,then it exists on the network and you just add a virtual server with that address and it will just work.
  • Would the default route for my F5 be 40.50.60.1? (if even required?)
    • Yes

Questions regarding situation 2:

  • What would my default route be for nodes in the 192.168.1.x network? My guess is the floating self IP, 192.168.1.246.
    • Yes

 

Overall questions:

  • Looking at the topologies; am I missing some design matters or other ideas?
  • Which setup would you recommend?