How to configure source NAT for health monitors?
I have the following deployment scenario:
dmz firewall --- F5-BIGIP --- internal firewall/router --- servers
The F5 acts as a gateway and uses the 192.168.0.0/24 subnet on the VLAN facing the internal firewall. Virtual servers don't use source NAT. The internal firewall filters out all packets with a private source IP incoming to the gateway interface, so all health monitor requests are rejected by the internal firewall (as they originate from 192.168.0.0/24).
Is there any way to perform SNAT on health monitors to make them originate from our WAN IP?
I wanted to use iptables prerouting srcnat, but it doesn't seem to be available on F5. There doesn't seem to be arbitrary SNAT functionality either. Would AFM allow me to achieve such behavior?
- DaveS (Nimbostratus)
The source address is the self address based on the routing to the back end servers. Something similar has been asked before and the solution suggested was to use an external monitor running a script or command that allows a custom source address. The latest I found was here:
External Monitor - DevCentral Wiki
Alternately, you could use inband passive monitoring which looks at the client connections but would depend on what exactly you need to monitor.
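The external-monitor approach DaveS describes, as an added example that is not part of the original thread or F5's own code: a script that validates the member address and port it is handed, then probes over HTTP with curl bound to a chosen source address. It assumes the external-monitor calling convention ($1 = member address, possibly as ::ffff:a.b.c.d, $2 = port, any output on stdout marks the member up); SOURCE_IP and URI are hypothetical monitor variables, and SOURCE_IP must be an address already configured on the host that the internal firewall accepts.

```sh
#!/bin/sh
# Constructed sketch of an external monitor probing from a chosen source IP.
# Assumptions: $1 = member address (may arrive as ::ffff:a.b.c.d), $2 = port,
# any stdout output marks the member up. SOURCE_IP and URI are hypothetical
# variables defined on the monitor object.

# Strip the IPv4-mapped IPv6 prefix if present.
normalize_member_ip() { printf '%s' "${1#::ffff:}"; }

# Accept only dotted-quad IPv4 with four octets in 0-255.
is_ipv4() {
  case $1 in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Accept only a numeric port in 1-65535.
is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate the inputs and print the probe URL; non-zero status on bad input.
probe_url() {
  ip=$(normalize_member_ip "$1")
  is_ipv4 "$ip" && is_port "$2" || return 1
  case ${3:-/} in /*) ;; *) return 1 ;; esac
  printf 'http://%s:%s%s' "$ip" "$2" "${3:-/}"
}

# Probe from SOURCE_IP; print UP only on HTTP 200, print nothing otherwise.
check_member() {
  url=$(probe_url "$1" "$2" "${URI:-/}") || return 1
  is_ipv4 "${SOURCE_IP:-}" || return 1
  code=$(curl --silent --output /dev/null --max-time 5 \
    --interface "$SOURCE_IP" --write-out '%{http_code}' "$url") || return 1
  [ "$code" = 200 ] && echo UP
}

# Run the check only when invoked with a member address and port.
if [ "$#" -ge 2 ]; then check_member "$1" "$2"; fi
```

Binding with `--interface` selects a local address for the probe; it does not translate the source, so the firewall rule still has to permit that address.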
- Hamish (Cirrocumulus)
IIRC, I have in the past configured iptables to SNAT monitors... It was a while ago due to a bug where the monitors would sometimes get sent using the floating self-ip when the big was standby. So you could possibly give that a go...