Forum Discussion

logan92
Jul 13, 2024

How to redirect outbound traffic to 2 ISP links

Hi,
We have an LTM and a GTM. Can we implement the LTM & GTM behind the firewall? And if yes, how can the LTM monitor the 2 ISP links on the firewall? Is it by using transparent monitoring?

  • If the firewall is the edge and has 2 ISP connections but only a single inside connection, I'm not entirely sure if it would be possible to balance the two ISP connections, since the F5's next hop is the firewall. If you could provide your topology, it might help come up with a solution.

  • This may work:

    # Create transparent gateway ICMP health check monitor to monitor external IP (in this case Google DNS server) 
    create ltm monitor gateway-icmp MON-GATEWAY-ICMP-ISP destination 8.8.8.8:0 transparent enabled
    
    # Create pool containing both ISP router IPs
    create ltm pool POOL-OUTBOUND load-balancing-mode round-robin members add { <ISP1 ROUTER IP>:0 <ISP2 ROUTER IP>:0 } monitor MON-GATEWAY-ICMP-ISP
    
    # Create FastL4 virtual server
    create ltm virtual VS-OUTBOUND destination 0.0.0.0:0 mask 0.0.0.0 pool POOL-OUTBOUND profiles add { fastL4 } source-address-translation { type automap } translate-address disabled translate-port disabled




    • Paulius

      This does seem like it should function the way you would like, with the exception of the health monitor. Keep in mind that with that monitor you're only monitoring the interface on the firewall rather than the connection from the firewall to the ISP, so if routing is not functioning between the firewall and the ISP, or the ISP has any routing issues, that will not be detected.

      • Since it's a transparent monitor, wouldn't the health monitor be checking the reachability from the F5's self IP via each ISP router to Google's public DNS server (8.8.8.8) and hence, this would verify that traffic using each ISP was working?

  • Instead of a transparent monitor, you can simply create a ping (ICMP) monitor with the ISP router's IP specified in it.
    Create that ICMP monitor for each ISP router that you want to monitor, then bind those monitors to any relevant pools.
    Ensure that your firewall/router properly routes the above ping traffic.

    Most LTM and GTM implementations are indeed behind a NAT gateway, i.e. the F5 device doesn't hold the public IP address.
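Both monitoring approaches from the thread (the single transparent gateway-icmp monitor in the second reply, and the per-router ICMP monitors in the last reply), side by side as tmsh, with the verification steps a practitioner would run afterwards. This is an added example, not code posted in the thread. It assumes the BIG-IP has two next hops on a directly connected VLAN named internal-facing routers 203.0.113.1 (ISP1 path) and 198.51.100.1 (ISP2 path); the addresses and object names are illustrative placeholders.

```tmsh
# Added example (not from the thread). Assumed next hops: 203.0.113.1 (ISP1), 198.51.100.1 (ISP2).
# Pool members used as gateways must sit on a VLAN directly connected to the BIG-IP,
# because the BIG-IP forwards to the member's MAC address rather than routing to it.

# Option A: one transparent gateway-icmp monitor. The probe is addressed to 8.8.8.8
# but is sent to the pool member (the router) as next hop, so a member goes down only
# when 8.8.8.8 stops answering through that particular path.
create ltm monitor gateway-icmp MON-GATEWAY-ICMP-ISP defaults-from gateway_icmp destination 8.8.8.8:0 transparent enabled interval 5 timeout 16

# Option B: one plain icmp monitor per router, pinging the router address itself.
# This only proves the router (or firewall interface) is reachable, not the path behind it.
create ltm monitor icmp MON-ICMP-ISP1 defaults-from icmp destination 203.0.113.1:0 interval 5 timeout 16
create ltm monitor icmp MON-ICMP-ISP2 defaults-from icmp destination 198.51.100.1:0 interval 5 timeout 16

# Pool of next hops (port 0 = any port). The pool-level monitor applies Option A.
create ltm pool POOL-OUTBOUND load-balancing-mode round-robin monitor MON-GATEWAY-ICMP-ISP members add { 203.0.113.1:0 198.51.100.1:0 }

# To use Option B instead, drop the pool-level monitor and bind one monitor per member:
# modify ltm pool POOL-OUTBOUND monitor none members modify { 203.0.113.1:0 { monitor MON-ICMP-ISP1 } 198.51.100.1:0 { monitor MON-ICMP-ISP2 } }

# Wildcard forwarding virtual server. Address and port translation stay disabled so the
# packet keeps its real destination and is only handed to the selected member as next hop.
# Restricting it to the internal VLAN keeps it from matching traffic arriving from the routers.
create ltm virtual VS-OUTBOUND destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any pool POOL-OUTBOUND profiles add { fastL4 } source-address-translation { type automap } translate-address disabled translate-port disabled vlans add { internal } vlans-enabled

# Verification: member status should be "available" for each next hop
show ltm pool POOL-OUTBOUND members

# From the BIG-IP bash shell, confirm each probe leaves with a different next-hop MAC
# (the -e flag prints link-layer addresses):
#   tcpdump -nei 0.0 icmp and host 8.8.8.8
```

The tcpdump check settles the question raised in the nested reply: with Option A you should see ICMP echo requests to 8.8.8.8 leaving with the MAC of each router in turn, and a member is only marked down when replies stop coming back via that router. With Option B the captures show echo requests to the router addresses themselves, which is why it cannot see an ISP-side outage. SNAT automap is kept from the thread's configuration so that replies return to the BIG-IP; if the routers already route the internal subnets back through the BIG-IP, it can be removed.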