F5 communication with pool members

Question

Hello community,Is it possible for an F5 to load balance traffic to pool members in a network segment if it doesn't have a self-IP in that network segment?**Please refer to the diagram attached***To give you more context, I have a virtual server configured with a DMZ IP(172.16.1.10) and I want it to load balance across servers in my inside/trusted network (10.0.0.22 &amp; 10.0.0.23). If the F5 doesn't have a self-IP in the 10.0.0.0 network, is it able to load balance across the pool members?If I have a self-IP in a different network, say 10.0.1.1 network and I create a rule in the firewall to allow traffic from that IP to the pool members, is that sufficient?&nbsp;Thanks.CC&nbsp;JRahm&nbsp;

david_larsen · Answer

Yes you can.&nbsp; The trick is the BIG-IP instance needs to have network routes to tell it how to get to those servers that are not in one of its networks.&nbsp; So you could have a network route that says 10.0.0.1/24 goes via 10.0.1.1 network.
&nbsp;
David Larsen

mike757 · Answer

I would also point that in your design you'll very likely need to use Source NAT in the Virtual Server.That may introduce some issues regarding original client IP information loss (it would disappear from L3 headers). In HTTP traffic this is usually circumvented using the X-Forwarded-For header, but if you can use any similar technique really depends on the protocol in question.The preferred design is getting your F5 box between the router and the servers, and making F5 the default gateway of said servers. This would ensure that return traffic will always get through F5, and a clean routing design doesn't need "tricks" like Source NAT or PBR./Mike/

jrahm · Answer

Just a little gentle pushback...the preferred design should always comes down to each company's business, security, and operational requirements. What works for you or for me isn't the best path for others. The great thing is all of the choices here work, work well, and are supported configurations, with obvious tradeoffs that need to be considered.

mike757 · Answer

Indeed.&nbsp;😊 If it works, it works.If given the chance I'll always go for routed design over one-arm. But besides being a "personal" preference, I mentioned the routed design because it is a way to avoid source NAT. Knowing the full details about the application you want to serve is the key./Mike/

jrahm · Answer

Yep that'll work just fine. You can load balance to anything reachable from BIG-IP, and if wanting symmetric traffic delivery for ingress and egress, that the servers have routes back to BIG-IP. Just be aware that edge FW is going to be doing a lot of transit work.

Forum Discussion

F5 communication with pool members

Recent Discussions

APM webtop customization header message

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Related Content

DevCentral Community Guidelines

Installing BIG-IP Next on Nutanix Community Edition

DevCentral Community Ranking Explained

Community Highlights, Week 15 '23

Community Learning Path: Multi-Cloud Networking