Forum Discussion
DNS Query - reply from unexpected source
Hi Guys,
I'm new to F5, and something annoys me and I can't find out why it happens.
My topology:
Network (Public IP - Pretend its 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW
I have a Viprion 4800 and for now I just want to allow traffic to go outside. Here are my questions:
1. I've added a virtual server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity, but unless I open a virtual server back inside (100.100.100.0/255.255.255.0) I have no connectivity. Isn't it stateful?
2. After I open the rule I talked about in (1), I get this message when I try simple resolving from a server behind the F5:
[ip@qa-env ~]$ host google.com 8.8.4.4
;; reply from unexpected source: 8.8.4.4#25965, expected 8.8.4.4#53
tcpdump shows this:
22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43
So the packets go all good until the return packet comes back to the F5, and then it alters the port!
What am I missing?
*Remember, I have a public IP on the server. I just changed it to 100.100.100.40 for the example.
My virtuals:
ltm virtual MNG_ALLOW_ALL_OUT {
    description "Management Rule - Allow All Traffic Outside"
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        DNS_LAN
        LDAP_LAN
        RADIUS_LAN
    }
    vlans-enabled
}
ltm virtual MNG_QA_ENV_IN {
    description "Management Rule - Allow Radius traffic in"
    destination 100.100.100.0:any
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        CRS1.WAN
        CRS2.WAN
    }
    vlans-enabled
}
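The resolver error quoted above is the client refusing a DNS answer that arrived from a different source port than the one the query was sent to; matching the reply's source address and port against the outstanding query is how a stub resolver resists spoofed answers, so a forwarder that rewrites the port makes every answer look forged. The script below is an added example (not from the post or from F5): it parses tcpdump lines of the shape shown in the post, pairs each reply with its query, and reports replies whose source port does not match. It also lists exact duplicate packets, since a capture taken on all VLANs of a forwarding device shows the same packet once per VLAN it crosses. The sample capture is constructed from the four lines in the post.

```python
"""Pair DNS queries with replies in tcpdump output and flag replies whose
source port differs from the port the query was sent to (the condition
behind "reply from unexpected source ... expected ...#53")."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample capture, modelled on the lines quoted in the post.
SAMPLE_TCPDUMP = """\
22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43
"""

# Default tcpdump IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump prints a DNS query as "<id>+ <qtype>? <name>." ('+' is the RD flag).
QUERY_RE = re.compile(r"^(?P<id>\d+)\+ \S+\? ")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    rest: str


@dataclass(frozen=True)
class Mismatch:
    ts: str
    server: str
    reply_sport: int      # port the reply actually came from
    expected_sport: int   # port the query was sent to


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse IPv4 UDP/TCP summary lines; other line formats (ARP, IPv6) are skipped."""
    pkts: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["rest"]))
    return pkts


def find_port_mismatches(pkts: List[Packet]) -> List[Mismatch]:
    """Replies whose source port is not the port their query was sent to."""
    # (client ip, client port, server ip) -> server port the query went to
    outstanding: Dict[Tuple[str, int, str], int] = {}
    found: List[Mismatch] = []
    for p in pkts:
        if QUERY_RE.match(p.rest):
            outstanding[(p.src, p.sport, p.dst)] = p.dport
            continue
        expected = outstanding.get((p.dst, p.dport, p.src))
        if expected is not None and p.sport != expected:
            found.append(Mismatch(p.ts, p.src, p.sport, expected))
    return found


def duplicate_packets(pkts: List[Packet]) -> List[Packet]:
    """Packets whose addressing and payload repeat an earlier packet exactly.
    A capture on all VLANs of a forwarding device shows one packet per VLAN."""
    seen = set()
    dups: List[Packet] = []
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport, p.rest)
        if key in seen:
            dups.append(p)
        seen.add(key)
    return dups


if __name__ == "__main__":
    packets = parse_tcpdump(SAMPLE_TCPDUMP)
    for mm in find_port_mismatches(packets):
        print(f"{mm.ts}: reply from {mm.server} port {mm.reply_sport}, "
              f"expected port {mm.expected_sport}")
    for d in duplicate_packets(packets):
        print(f"{d.ts}: exact duplicate of an earlier packet "
              f"(same packet seen on more than one VLAN?)")
```

Run against a capture restricted to one VLAN (tcpdump -i <vlan>) on each side of the forwarder: if the mismatch shows up on the external side already, the port was changed upstream; if it shows up only on the internal side, the forwarder changed it.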
- What_Lies_Bene1 (Cirrostratus): OK, I think you should enable the external VLANs on the first Virtual Server and apply a packet filter or iRule to restrict inbound traffic to the 100.x addresses and the necessary source ports, and remove the 100.x Virtual Server. If you don't like the sound of that, I'd suggest you create a Virtual Server for each outbound service instead and again enable it on the external VLANs. Make sure in the FastL4 profile you use that Loose Initiation and Loose Close are disabled.
- Chura_16140 (Nimbostratus): Thanks for the answer, gonna give it a try.
- What_Lies_Bene1 (Cirrostratus): F5's firewall approach is a bit different as it's based on LTM; it's also pushed as an enterprise (read: internal) firewall rather than an Internet-facing one. The latest guide I know of is here: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-datacenter-firewall-config-11-1-0/7.html.
- Chura_16140 (Nimbostratus): Agreed. My issue is with management to the REALs behind the VIP.
- Chura_16140 (Nimbostratus): Hi,
- What_Lies_Bene1 (Cirrostratus): Hmmm. What VLAN are you using to take the tcpdump? If not the external one, can you restrict it to the external VLAN and see if it comes in as 53 and then gets changed by the F5?
- Chura_16140 (Nimbostratus): tcpdump shows the same as before.
- What_Lies_Bene1 (Cirrostratus): OK, if the packet is arriving on the external interface with a different source port, it's not the F5 changing it. If it was, it would be 53 on the external and then something else on the internal. If that's not the case, I'd be looking for a cause 'North' of the F5.
- Chura_16140 (Nimbostratus): I'm not sure why you think that.
- What_Lies_Bene1 (Cirrostratus): If you are doing the tcpdump on the F5 and specify the external VLAN with the -i option, you should only see the outbound packet (once) and the inbound packet (once).