Forum Discussion

レザ
Jun 07, 2023
Solved

Disable Inter-VLAN Routing?

Hello
I was searching for my problem when I came across this topic, but unfortunately, there was no complete answer to this question.
Therefore, I wanted to know how to prevent bigip from bypassing the firewall?
My servers are separated by vlan and inside bigip I have a vlan & self ip for each group of servers, but I don't want routing between these vlans under any circumstances.

What is the solution to this problem?

Thanks

  • レザ As long as the servers sit in a different VLAN it would be up to your routing to not allow them to reach each other. Example, if you have VLANs 1-5 and the F5 and the firewall sit in each VLAN with the F5 being in 1 arm mode then each server should have the firewall as their gateway. As long as the switch separating each VLAN doesn't perform any routing then those servers should not be able to reach each other without going through the firewall. They could technically reference the F5 as their gateway but if the F5 doesn't have a forwarding virtual server configured with SNAT enabled on that virtual server they will not be able to communicate with each other without using the firewall.

  • Hi レザ,

    What do you mean by routing between Vlans on Bigip?
    Also clarify your words regarding bigip bypassing the firewall?

    Do you mean servers' vlans are separated but can reach each other through Bigip?

    • レザ

      Hi Mohamed_Ahmed_Kansoh

      What do you mean by routing between Vlans on Bigip?

      Also clarify your words regarding bigip bypassing the firewall?

      Each of my servers is inside its own vlan and the gateway of all these servers is the firewall, and any communication between these servers should only be through this firewall. Since the load balancer has one arm inside each vlan, is it possible that the servers of different vlans communicate with each other without passing through the firewall?

      Do you mean servers' vlans are separated but can reach each other through Bigip?

      YESSSSSSSSSSSSSSSS 🙂

      Thanks

      • Hi レザ,
        Let us assume:
        Servers A in Vlan 5
        Servers B in Vlan 10

        You ask, will Servers A communicate with / reach Servers B through Bigip (Loadbalancer)?
        The answer is no, even if you deploy One ARM with different and separate Vlans.

        The only way to make Servers A communicate with Servers B is to create a listener (for ex. a Virtual server) to listen for Server A connections and forward traffic to Servers B.

        So without this listener, traffic will be dropped if it is initiated from Servers A to Servers B and vice versa.

        You as a Client send a request to bigip >> Virtual server receives your connection >> forwards to pool of servers.
        I want to say you as a Client are in a different Vlan, and if you remove the virtual server that serves your traffic, you couldn't reach your pool of servers.

        Did you get this point?

  • Issue is that F5 also acts as a switch, and of course all of the ARPs are on the same switch. Further, those self IPs on the connected VLANs auto make the F5 recognize the nets as directly connected.

    I wonder if you could use packet filters for securing subnet to subnet network connectivity behind the F5. Check out Network -> Packet Filters.

  • Hi レザ,

    even though this is marked as solved, I want to weigh in on this one.

    My example: You have VS_A in VLAN_A and VS_B in VLAN_B. You want to make sure that IPs residing in VLAN_B cannot connect to VS_A, correct?
    My question: What is your configuration setting for VLAN and Tunnel Traffic for VS_A?

    Is it "All VLANs and Tunnels" or "Enabled on: VLAN_A"?

    Please see: K44201777: Using tmsh utility to enable an existing virtual server on all VLANs and tunnels on the system 
    "When you create a virtual server, the default setting for VLAN and Tunnel Traffic is All VLANs and Tunnels which specifies that the virtual server is enabled on all VLANs and tunnels configured on the system."

    Enabled on all VLANs means: if traffic from VLAN_B hits the F5 and the destination is VS_A, the F5 will answer. This would explain your observed behaviour.

    KR
    Daniel
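An added audit script (not from this thread, F5, or the K article) that checks the two points raised above: the first reply's forwarding virtual server with SNAT, and Daniel's VLAN and Tunnel Traffic setting. It parses a constructed bigip.conf-style snippet; the virtual names and addresses are made up, and it assumes bigip.conf omits default-valued properties, so a virtual with no `vlans-enabled` line is on All VLANs and Tunnels.

```python
# Audit a bigip.conf snippet for 'VLAN and Tunnel Traffic' defaults and IP-forwarding virtuals.
import re
def parse_virtuals(config):
    """Return {name: stanza body} for each 'ltm virtual' stanza (brace-depth tracking)."""
    virtuals, depth, name, body = {}, 0, None, []
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"ltm virtual (\S+) \{$", s)
        if depth == 0 and m:
            name, body = m.group(1), []
        elif name is not None:
            body.append(s)
        depth += s.count("{") - s.count("}")
        if name is not None and depth == 0:
            virtuals[name] = "\n".join(body[:-1])  # drop the closing brace
            name = None
    return virtuals

def audit(config):
    """Return {name: [finding, ...]} for virtuals that answer on, or forward between, other VLANs."""
    findings = {}
    for name, body in parse_virtuals(config).items():
        tokens, notes = body.split(), []
        # Assumption: bigip.conf omits defaults, so no vlans-enabled means All VLANs and Tunnels
        if "vlans-enabled" not in tokens:
            notes.append("answers on all VLANs and tunnels; restrict with vlans-enabled + vlans list")
        if "ip-forward" in tokens:
            notes.append("IP-forwarding virtual: routes between the F5's directly connected VLANs")
            if re.search(r"type\s+(automap|snat)", body):
                notes.append("SNAT on a forwarding virtual: servers can talk without the firewall")
        if notes:
            findings[name] = notes
    return findings

# Constructed sample: VS_A pinned to VLAN_A, VS_B left at default, vs_forward_any forwards with SNAT
SAMPLE = """\
ltm virtual VS_A {
    destination 10.5.0.10:443
    vlans { VLAN_A }
    vlans-enabled
}
ltm virtual VS_B {
    destination 10.10.0.10:80
}
ltm virtual vs_forward_any {
    destination 0.0.0.0:any
    ip-forward
    source-address-translation { type automap }
}
"""
```

Run `audit(open("bigip.conf").read())` against a real export to list every virtual that would answer or forward for hosts in another VLAN.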