inline configuration

Please paste full configuration of your 0.0.0.0/0 VS. There are many ways the routing can be done.

Please paste full configuration of your 0.0.0.0/0 VS. There are many ways the routing can be done.

Sorry, but I'll try to answer only your first question right now. We'll come back to others once we have time, or maybe others can help.

"Questions: 1. Client from net goes to VS1 (SNAT off) is redirected to SRV (source address is seen, destination nat is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?) VS 0/0 have snat off. And I also assume that source address of SRV is changed to VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?"

• If VS1 is from where client comes in (another VS with a pool attached), then the return traffic won't go past the VS 0/0, but it will be routed back from the same VS1. Client will see the source IP address of return packets, the same as VS1 external listener IP. Traffic will go through the VS0/0, only if the session was initiated by SRV. (E.g SRV making a DNS request to 8.8.8.8 will be routed via VS0/0, and no NAT will be applied in F5).

Sorry, but I'll try to answer only your first question right now. We'll come back to others once we have time, or maybe others can help.

"Questions: 1. Client from net goes to VS1 (SNAT off) is redirected to SRV (source address is seen, destination nat is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?) VS 0/0 have snat off. And I also assume that source address of SRV is changed to VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?"

• If VS1 is from where client comes in (another VS with a pool attached), then the return traffic won't go past the VS 0/0, but it will be routed back from the same VS1. Client will see the source IP address of return packets, the same as VS1 external listener IP. Traffic will go through the VS0/0, only if the session was initiated by SRV. (E.g SRV making a DNS request to 8.8.8.8 will be routed via VS0/0, and no NAT will be applied in F5).

"... Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1 Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1"

• SIP is 192.168.1.1

"(https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. In other hand, this quotation does not say if it applies to first/incoming traffic or return traffic."

• Response packets are already routed back as per connections table records, not as per virtual server configurations. You certainly don't have to configure 1.1.1.1 VS to ensure response packets are routed back.

"... Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1 Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1"

• SIP is 192.168.1.1

"(https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. In other hand, this quotation does not say if it applies to first/incoming traffic or return traffic."

• Response packets are already routed back as per connections table records, not as per virtual server configurations. You certainly don't have to configure 1.1.1.1 VS to ensure response packets are routed back.

"... Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1 Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1"

• SIP is 192.168.1.1

"(https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. In other hand, this quotation does not say if it applies to first/incoming traffic or return traffic."

• Response packets are already routed back as per connections table records, not as per virtual server configurations. You certainly don't have to configure 1.1.1.1 VS to ensure response packets are routed back.

Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.

yes unless you also have snat list configuration.

It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?

yes connection will be rejected. bigip is default deny device. to allow traffic, object listener (i.e. virtual server, snat, nat) is required.

sol9038: The order of precedence for local traffic object listeners

Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.

yes unless you also have snat list configuration.

It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?

yes connection will be rejected. bigip is default deny device. to allow traffic, object listener (i.e. virtual server, snat, nat) is required.

sol9038: The order of precedence for local traffic object listeners