Forum Discussion
JohnCzerwinski_
Nimbostratus
NimbostratusHosted environment - Multiple VLANs outbound routing
Having an issue where we cannot make outbound connections from the servers behind an F5 BIG-IP LTM. The setup is as follows:
|
| VLAN: 224 (10.22.4.5 / 10.22.4.4
| External Port: 1.1
|
|
| Internal POrt: 1.3
| VLAN: 222 (10.22.2.5 / 10.22.2.4
|
| Web server 1 = 10.22.2.11
|
(1). I've created an inbound Virtual Server to load balance HTTP, HTTPS
(2). I've created an inbound Virtual Server to access the individual servers on TCP:3899 (RDP) this works
(3). I've created an outbound Wildcard Virtual Server, enabled on VLAN 222 and forward to last hop VLAN 224 to the firewall.
(4). I've Allowed All on the self ips
I cannot connect to the Internet outbound (for the purpose of downloading patches). Once I've added a route, I do see outbound traffic to the internet from 10.22.2.11 but cannot return.
What do I have set wrong? Also, I expect that the web server should "nat" to a 10.22.4.xx address outbound, as the firewall is configured to allow outbound traffic from this space.
Thanks for your help in advance!
- JRahm
Admin
do you have snat automap or a snatpool assigned to your wildcard virtual server? If not, your firewall is probably dropping the traffic as the source of the traffic will be the web server 10.22.2.* address. 
JohnCzerwinski_I don't either one defined for the VS. I'm basing my solution off the "LTM: Per-VLAN Default Gateway". Would I need to do the following:
SNAT Pool 10.22.4.11 (outside) / 10.22.2.11 (inside) for the specific server?- JRahmYou could create a 1:1 relationship for your servers, or you could define a snatpool that would map each server vlan to an address. Since you have indicated hosting more than one set of servers in potentially many vlan's, I'd take the snatpool approach as you might run out of addresses in the 10.22.4/ network. Your specific example should work fine.
- JohnCzerwinski_I've got it to work now, but it caused another issue. I have a Virtual Server 10.21.4.11 (external) pointing directly to a server on the internal network (10.21.2.11). I set this up to access it directly with RDP. The connection works initially, but when it times out I cannot re-establish a RDP session. I've done a tcpdump and watch the session come in from the client but the F5 Virtual server will not respond...until I reset the virtual server configuration...(i.e. force a "enabled on" vlan change). This seems to re-set some and it comes up again for a while.
Any clue? - JohnCzerwinski_Here's a sample of the tcpdump
17:44:21.940965 10.0.0.4.1493 > 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535 (DF)
17:44:24.734009 10.0.0.4.1493 > 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535 (DF)
17:44:30.848677 10.0.0.4.1493 > 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535 (DF)
17:44:41.577974 10.0.0.4.1489 > 10.21.4.11.3389: FP 1:29(28) ack 1 win 65535 (DF) - JRahmSo it works...kinda? That's bizarre. Is the BIG-IP sending a syn packet to your server?
- JohnCzerwinski_Upgrading to 10.0.1, wiping out the configuration, and reconfiguring the LTM seemed to have cleared up the RDP connection issue, but I'm still trying to resolve a "NAT" challenge with this setup.
I want any connection from 10.22.2.11 to NAT to 10.22.4.11 so that the receiving Data Base server (not in-line with the F5) will receive the connection. I've set up a SNAT pool. I already have a Virtual Server to pick-up inbound connections (mainly for RDP), but I want to be able outbound from 10.22.2.11 to grab the 10.22.4.11 address on the way out of the LTM.
