Forum Discussion

LarsKristensson
Sep 17, 2025
Solved

How to nexthop all requests from VPN clients?

I have VPN access configured under APM, and a Virtual Server acting as the access point. The VPN is working well.

I now need to route all traffic (all requests) coming from VPN clients to another router. I don't want the BIG-IP unit to make the routing decisions and distribute the traffic, but want to next-hop all VPN traffic to a central router and have it routed from that one. (Leaving all other traffic that is not from VPN clients unaffected and still routed normally by the BIG-IP.)

I can't use a static route for it, since those are destination based and what I need is effectively source based.

I've tried to add an iRule to the Virtual Server:

when HTTP_REQUEST {
  nexthop [VLAN] [Router IP]
}

I've also tried a few other events, such as CLIENT_ACCEPTED and HTTP_REQUEST_SEND, but I can't get it to work.

Any advice on how I can next-hop all requests from VPN clients to another router?

  • Hello,

    You have to create a new Performance L4 virtual server with destination IP 0.0.0.0/0, port * and protocol ANY.

    Set as the default pool a pool which has as its pool member the router you want to use.

    Enable the virtual server only on a specific VLAN and select the VPN tunnel you are using.

    Deselect Destination Address Translation.

    With the above, all traffic from the VPN will be caught by the new VS and forwarded to the router you want.

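The accepted answer above, written out as tmsh configuration. This is an added example, not configuration from the thread or from F5; the object names (vpn_nexthop_pool, vpn_forward_vs), the router address 10.10.10.1, the tunnel name vpn_tunnel and the client address 10.99.0.10 are placeholders to replace with your own.

```tmsh
# Added example: tmsh equivalent of the accepted answer. All names and addresses are placeholders.

# 1. A pool whose only member is the central router. Port 0 means "any port";
#    the gateway_icmp monitor marks the router down if it stops answering pings,
#    so the VS stops blackholing VPN traffic into a dead next hop.
create ltm pool vpn_nexthop_pool members add { 10.10.10.1:0 } monitor gateway_icmp

# 2. Wildcard Performance (Layer 4) virtual server: any destination, any port, any protocol.
#    - vlans-enabled + vlans { vpn_tunnel }: listen only on the APM network access tunnel,
#      so traffic arriving on every other VLAN keeps using the BIG-IP routing table.
#    - translate-address disabled: keep the client's original destination IP; the pool member
#      is used only as the next hop (the GUI's "Deselect Destination Address Translation").
#    - translate-port disabled: required together with the port-0 pool member.
#    - source-address-translation type none: the router sees the real VPN client address.
create ltm virtual vpn_forward_vs destination 0.0.0.0:0 mask any ip-protocol any profiles add { fastL4 } pool vpn_nexthop_pool vlans-enabled vlans add { vpn_tunnel } translate-address disabled translate-port disabled source-address-translation { type none }

# 3. Checks: confirm the VS is bound to the tunnel only and is available,
#    then confirm a connected VPN client's flows are actually landing on it.
list ltm virtual vpn_forward_vs vlans vlans-enabled translate-address translate-port
show ltm virtual vpn_forward_vs
show sys connection cs-client-addr 10.99.0.10
```

Because the VS is restricted to the tunnel, it cannot intercept traffic on other VLANs, and because it is a full wildcard it never takes precedence over a more specific virtual server on the same tunnel. The central router still needs a route back to the VPN lease pool via the BIG-IP, otherwise return packets never reach the tunnel; the `show sys connection` output is the quickest way to see whether both directions of a client's flow are present.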
7 Replies

    • LarsKristensson

      That's an interesting solution. It does look spot on to what I'm trying to achieve.

      I've now got a few other things I need to complete first, but will report back when I've got a chance to test it.

      Thanks!

  • I would create a new route domain with a default gateway to this router and route the VPN traffic into this route domain. There is a route domain assignment action in the VPE.

    • Injeyan_Kostas

      Definitely gonna work too.

      Just a note that a new VLAN is needed in this case, assigned to the new route domain. The VPN subnet needs to be routed back to the floating IP of the new VLAN. Strict Isolation might also need to be disabled in both the default and the new route domain.

    • LarsKristensson

      There is currently no separate VLAN between the BIG-IP and the central router. While one could be created, I would prefer a solution that doesn't require it.

  • The HTTP_REQUEST event is at the application layer, while nexthop is at the L3 network layer.

    So that nexthop command is too late, because the HTTP request happens after a lot of IP traffic has already flowed (TCP session setup, SSL/TLS session setup, etc.).