Dear All, I am trying to access Internet from internal server whose gateway is f5's internal IP. From f5, I am able to reach gateway and inturn Internet IPs. However, I am unable to reach either gateway of f5 or any internet IP from the server though I have created forwarding VS, which as follows: ltm virtual VS_forward { destination 0.0.0.0:any ip-forward ip-protocol tcp mask any profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans-disabled } It's very simple network, which has ext int with gateway and inter interfaces. But, not sure why it's not working. Am I missing any config. Can someone please advise me ? Regards, Rajesh

What you'll need to do in your case is change the 0.0.0.0/0 VS from forwarding-type to fastL4 type, and attach a default pool, in which you specify the gateway of F5 (directly connected destination, via external selfIP interface). Make sure that 0.0.0.0/0 VS is listening on the Internal VLAN from which the hosts want to access the Internet.I also recommend a custom stateless fastL4 profile, instead of the default fastL4 profile for this kind of 0.0.0.0/0 VS. Have a look here for reference: https://devcentral.f5.com/questions/f5-big-ip-memory-issues

Thank you Hannes for your help. I tried following config, even then, there was no luck. ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } Kindly assist and thank you in advance. Regards, Rajesh

ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } vlans-enabled }

Forwarding Virtual Server

Hannes_Rapp_162
Nacreous
Apr 30, 2016
What you'll need to do in your case is change the 0.0.0.0/0 VS from forwarding-type to fastL4 type, and attach a default pool, in which you specify the gateway of F5 (directly connected destination, via external selfIP interface).

Make sure that 0.0.0.0/0 VS is listening on the Internal VLAN from which the hosts want to access the Internet.
I also recommend a custom stateless fastL4 profile, instead of the default fastL4 profile for this kind of 0.0.0.0/0 VS. Have a look here for reference: https://devcentral.f5.com/questions/f5-big-ip-memory-issues
- Rajesh_07_16489
  Nimbostratus
  Apr 30, 2016
  Thank you Hannes for your help. I tried following config, even then, there was no luck. ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } Kindly assist and thank you in advance. Regards, Rajesh
- Rajesh_07_16489
  Nimbostratus
  Apr 30, 2016
  ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } vlans-enabled }
- Hannes_Rapp_162
  Nacreous
  Apr 30, 2016
  It's quite likely your packets are now able to reach the destination, but the response packets do not come back (you can check with tcpdump to investigate further). Assuming that's the case, my next question is if you have a forwading-type VS for the Internal network segment? If your nodes are in 192.168.255.0/24, you will need to create a forwarding-type VS for this subnet, and make it listen on the External VLAN. Additionally, the device which acts as a gateway for F5 on the External VLAN must have a destination route 192.168.255.0/24 which points to the floating external IP. Hope this will help you out.
Hannes_Rapp
Nimbostratus
Apr 30, 2016
What you'll need to do in your case is change the 0.0.0.0/0 VS from forwarding-type to fastL4 type, and attach a default pool, in which you specify the gateway of F5 (directly connected destination, via external selfIP interface).

Make sure that 0.0.0.0/0 VS is listening on the Internal VLAN from which the hosts want to access the Internet.
I also recommend a custom stateless fastL4 profile, instead of the default fastL4 profile for this kind of 0.0.0.0/0 VS. Have a look here for reference: https://devcentral.f5.com/questions/f5-big-ip-memory-issues
- Rajesh_07_16489
  Nimbostratus
  Apr 30, 2016
  Thank you Hannes for your help. I tried following config, even then, there was no luck. ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } Kindly assist and thank you in advance. Regards, Rajesh
- Rajesh_07_16489
  Nimbostratus
  Apr 30, 2016
  ltm profile fastl4 my_route_friendly_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled } ltm virtual VS_forward { destination 0.0.0.0:any ip-protocol tcp mask any pool Gateway_pool profiles { my_route_friendly_fastl4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { Internal } vlans-enabled }
- Hannes_Rapp
  Nimbostratus
  Apr 30, 2016
  It's quite likely your packets are now able to reach the destination, but the response packets do not come back (you can check with tcpdump to investigate further). Assuming that's the case, my next question is if you have a forwading-type VS for the Internal network segment? If your nodes are in 192.168.255.0/24, you will need to create a forwarding-type VS for this subnet, and make it listen on the External VLAN. Additionally, the device which acts as a gateway for F5 on the External VLAN must have a destination route 192.168.255.0/24 which points to the floating external IP. Hope this will help you out.
Joel_9874
Nimbostratus
Apr 30, 2016
Hello, just an additional question a bit related to the 1st request :

are you able to ping from internal LAN towards Internet thru this VS ?

I am currently trying to do so with a Link controller which load-balances outgoing requests via 2 Internet links;

so, I created a kind of VS like yours, but with SNAT and with a pool representing the 2 ISP routers next to the Link Controller;

everything is OK for any kind of traffic, except for Ping from internal LANs :

they reach the F5 but never go out towards any of the 2 ISP links : I checked it via TCPDUMP;

I have followed the recommendations listed here : https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html nothing changed (I use BigIP V12 HF2)

any idea ?

thanks in advance
- Hannes_Rapp
  Nimbostratus
  May 01, 2016
  Works well for ICMP, and anything else IP-related. Are you sure you have selected 'Protocol * (All Protocols)' in 0.0.0.0/0 VS configuration? If it's just TCP (default choice as Rajesh 07 has configured), then ping won't work. Apart from that, I cannot think of any other obvious problems here
Joel_9874
Nimbostratus
May 01, 2016
Great ! it works

actually, I though my VS was OK because I had coded the VS Service Port option to 0 (meaning All ports), but I had forgotten to set the Protocol option to All Protocols too ! it was set to TCP

thanks a lot for your suggestion
Joel_9874
Nimbostratus
May 01, 2016
Great ! it works

actually, I though my VS was OK because I had coded the VS Service Port option to 0 (meaning All ports), but I had forgotten to set the Protocol option to All Protocols too ! it was set to TCP

thanks a lot for your suggestion
Joel_9874
Nimbostratus
May 01, 2016
Great ! it works

actually, I though my VS was OK because I had coded the VS Service Port option to 0 (meaning All ports), but I had forgotten to set the Protocol option to All Protocols too ! it was set to TCP

thanks a lot for your suggestion
- Joel_9874
  Nimbostratus
  May 01, 2016
  (hm, I see my previous update was recorded 3 times ... no idea why) last point still retated to ICMP ; when I issue a Ping from Internet towards an internal machine (associated to 2 VS, 1 per ISP link on the LC), the pings works but it is answered by the F5, not by the internal machine (I checked via TCPDUMP) If I do an SSH from the same Internet PC to the same internal machine thru the same VS, it works properly; The different with the previous case (ping from internal LAN towards Internet) is that, in this case, there is not SNAT defined, since the NAT is initialled performed on the destination This "problem" is not very annoying but, well, I was wondering if this was not related to Link Controller which is a GTM/LTM hybrid box ; Is there any debug function that allows to analyze which VS, pool, node, are selected by the F5 box when receiving a new request ? thanks in advance
alexchan_256780
Nimbostratus
May 26, 2016
Thanks a lot Hannes, your advice is very effecitve! Thank you Rajesh! I had the same problem like Rajesh. Follow these comment, It worked !

internal : 10.2.0.0/24 bigip-self:10.2.0.1 bigip-floating:10.2.0.11 pc-test:10.2.0.3/24 gw:10.2.0.11 external: 10.3.0.0/24 bigip-self:10.3.0.1 bigip-floating:10.3.0.11 bigip-gw:10.3.0.254

ensure on the exiternal router(f5 gw) can reach internal

gw-router(10.3.0.254)(config)ip add 10.2.0.0 255.255.255.0 10.3.0.11 //add one route to bigip-internal subnet

2.ensure f5-bigip forwarding traffic to internal subnet

add the first forwarding type vs vs-forwarding-internal: type:forwarding(ip) , source: 0.0.0.0/0 , destination: network 10.2.0.0 mask:255.255.255.0 ,serviceport :all ports , protocal : all protocols , vlan: all , source address translation :auto map

3.ensure f5-bigip forwaring traffic from internal to external

add the second forwarding type vs

vs-forwarding-internal-to-outbond: type:forwarding(ip) , source: 10.2.0.0/24 , destination: network 0.0.0.0 mask:0.0.0.0 ,serviceport :all ports , protocal : all protocols , vlan: all , source address translation :auto map

Then, on the pc-test web browser enter www.f5.com ,it is done!!!

Regards, Alex

Forum Discussion

Forwarding Virtual Server

Recent Discussions

GTM pool is OFFLINE even if pool members are UNKNOWN

COMPRAR DINERO FALSO TELEGRAM @CANNAUNION35

ACQUISTA SOLDI CONTRAFFATTI TELEGRAM @CANNAUNION35

COMPRAR BILLETES FALSOS TELEGRAM @CANNAUNION35

201 Recommendations for Study

Related Content

Create a virtual server on internal vlan

GTM not discovering LTM Virtual Server

About Virtual Server's IP

Virtual server with port translation

Configure a backup for virtual server configration along with setup