Forum Discussion

zanoob1's avatar
zanoob1
Icon for Altostratus rankAltostratus
Jul 20, 2023

F5 virtual server not using static route when SNAT is set to none.

 Hi All, 

I dont know if you came across same issue or not. 

My goal is to use F5 as the VPN gateway with BIG IP(on client machine) VPN client to connect for the clients. However, the same F5 is used for LTM for public services (using public IP) and private services. 

I use self IPs for the LTM services that i have publhised , hence the servers behind F5 sends back traffic to F5 and hence full proxy is achived . This is all wokring. 

I created a virtaul server for client VPN connection and set the SNAT to none  on the virtaul server & also inside the APM connectivity network settings. Why beacuse for client VPN , i do not want F5 to be proxy (but a gatewaz) and use the routing table to route the traffic to my connected Firewall (since firewall has many rules in there for different users). 

Now my problme is SNAT on virtual server and on Access  ››  Connectivity / VPN : Network Access (VPN) : Network Access Lists  ››  client VPN proifle is set to NONE. 

Meaning the client VPN is not using SNAT , however it is also not picking the static route and forwarding the traffic. 

Is there anything specific that needs to be done when setting SNAT to none and to use static route? 

Like preference or priority on the virtual server, beacuse i want the other virtaul servers to use self IP. But not for the lcient VPN virtaul server . 

Regards, 

Zanoob

  • zanoob1's avatar
    zanoob1
    Jul 26, 2023

    Hi there, 

    Thank you so much for the reply. I am not leaking external srouce IPs into the network. Since it is a VPN connection, the users get a private IP in the tunnel . The Tunnel private IP is used to access the inside network. 

    I was able to complete it my design and requirment with the KB https://my.f5.com/manage/s/article/K18487629, this actually will use the pool address as default gateway to route traffic . Actually an excellent way to do it. 

    Regards,

     

  • If these connections are coming from the Internet, you need to use SNAT. Otherwise, you are leaking external source IPs into your network and the return traffic may go via default gateway once the client responds to intial connection. There is no guarantee this return traffic will go back via the same F5 on ingress and you will have async routing.

     

    • zanoob1's avatar
      zanoob1
      Icon for Altostratus rankAltostratus

      Hi there, 

      Thank you so much for the reply. I am not leaking external srouce IPs into the network. Since it is a VPN connection, the users get a private IP in the tunnel . The Tunnel private IP is used to access the inside network. 

      I was able to complete it my design and requirment with the KB https://my.f5.com/manage/s/article/K18487629, this actually will use the pool address as default gateway to route traffic . Actually an excellent way to do it. 

      Regards,