Forum Discussion

lubrano_frederi
Sep 08, 2010

IP forwarding does not work.

Hello

I created a virtual server type Forwarding (IP) to my servers that can be updated from internet.

The problem is that my servers ping the IP address of my computer and another on the same network not my router.

My computer : 10.254.255.187
router : 10.254.255.254

10.254.255.187 no problem :

[root@bigmama:Active] config tcpdump -i any -n net 10.254.255.187 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type EN10MB (Ethernet), capture size 108 bytes
17:42:15.125562 IP 192.168.37.1 > 10.254.255.187: ICMP echo request, id 43530, seq 1, length 64
17:42:15.125731 IP 10.254.255.200 > 10.254.255.187: ICMP echo request, id 43530, seq 1, length 64
17:42:15.127263 IP 10.254.255.187 > 10.254.255.200: ICMP echo reply, id 43530, seq 1, length 64
17:42:15.127269 IP 10.254.255.187 > 192.168.37.1: ICMP echo reply, id 43530, seq 1, length 64
17:42:16.129698 IP 192.168.37.1 > 10.254.255.187: ICMP echo request, id 43530, seq 2, length 64
17:42:16.129717 IP 10.254.255.200 > 10.254.255.187: ICMP echo request, id 43530, seq 2, length 64
17:42:16.129817 IP 10.254.255.187 > 10.254.255.200: ICMP echo reply, id 43530, seq 2, length 64

When I ping the router 10.254.255.254 "destination host unreachable" problem not output external interface

[root@bigmama:Active] config tcpdump -i any -n net 10.254.255.254 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type EN10MB (Ethernet), capture size 108 bytes
17:41:27.272021 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 1, length 64
17:41:28.285159 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 2, length 64
17:41:29.297876 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 3, length 64
17:41:30.312609 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 4, length 64

4 packets captured
4 packets received by filter
0 packets dropped by kernel

[root@bigmama:Active] config tcpdump -i external -n net 10.254.255.254 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 108 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Thank you for your help

Best regards

----

[root@bigmama:Active] config b route
ROUTE default inet
| GATEWAY 10.254.255.254 static
ROUTE 10.254.255.128/25
| VLAN external connected
ROUTE 127.1.1.0/24
| VLAN tmm0 connected
ROUTE 192.168.37.0/24
| VLAN internal connected
ROUTE fe80::/64
| VLAN tmm0 connected
ROUTE fe80::%vlan4093/64
| VLAN external connected
ROUTE fe80::%vlan4094/64
| VLAN internal connected
ROUTE ff02::/64
| VLAN tmm0 auto
ROUTE ff02::%vlan4093/64
| VLAN external auto
ROUTE ff02::%vlan4094/64
| VLAN internal auto

[root@bigmama:Active] config cat /config/bigip.conf
datastor {
    low water mark 80
    high water mark 92
}
deduplication {}
shell write partition Common
configsync {
    password crypt "E(]H^}
route default inet {
    gateway 10.254.255.254
}
monitor my_HTTP__monitor {
    defaults from http
    interval 30
    timeout 91
}
profile fastL4 my_IP_Forwarding_DEB_fastL4 {
    defaults from fastL4
    reset on timeout disable
    loose initiation enable
    loose close enable
}
profile http my_HTTP__http_profile {
    defaults from http-wan-optimized-compression
    compress content type include {
        "text/"
        "application/(xml|x-javascript)"
        "application/pdf"
    }
}
profile persist my_HTTP__persist_profile {
    defaults from cookie
    mode cookie
}
profile tcp my_HTTP__lan-optimized_tcp_profile {
    defaults from tcp-lan-optimized
}
profile tcp my_HTTP__wan-optimized_tcp_profile {
    defaults from tcp-wan-optimized
}
node 192.168.37.1 {}
pool my_HTTP__pool {
    lb method member least conn
    monitor all my_HTTP__monitor
    members 192.168.37.1:http {
        priority 1
    }
}
virtual address any {
    mask 0.0.0.0
}
virtual my_HTTP__virtual_server {
    snat automap
    pool my_HTTP__pool
    destination 10.254.255.201:http
    ip protocol tcp
    persist my_HTTP__persist_profile
    profiles {
        my_HTTP__http_profile {}
        my_HTTP__lan-optimized_tcp_profile {
            serverside
        }
        my_HTTP__wan-optimized_tcp_profile {
            clientside
        }
    }
}
virtual my_IP_Forwarding_DEB_virtual_server {
    ip forward
    snat automap
    destination any:any
    mask 0.0.0.0
    profiles my_IP_Forwarding_DEB_fastL4 {}
}
node * monitor icmp

--

[root@bigmama:Active] config cat /config/bigip_base.conf
mgmt 172.31.254.11 {
    netmask 255.255.255.0
}
mgmt route default inet {
    gateway 172.31.254.254
}
stp {
    config name none
}
stp instance 0 {
    interfaces {
        1.1 {
            external path cost 20000
            internal path cost 20000
        }
        1.2 {
            external path cost 20000
            internal path cost 20000
        }
    }
    vlans {
        external
        internal
    }
}
self allow {
    default {
        tcp ssh
        tcp domain
        tcp snmp
        tcp https
        tcp f5-iquery
        udp domain
        udp snmp
        udp efs
        udp cap
        udp f5-iquery
        proto ospf
    }
}
shell write partition Common
vlan external {
    tag 4093
    interfaces 1.1
}
vlan internal {
    tag 4094
    interfaces 1.2
}
self 10.254.255.200 {
    netmask 255.255.255.128
    vlan external
    allow default
}
self 192.168.37.254 {
    netmask 255.255.255.0
    vlan internal
    allow tcp https
}
system {
    gui setup disable
    hostname "bigmama.tok.local"
}
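
One way to read the two `-i any` captures in the post above, as an added example that is not part of the original post: the script pairs each ping by ICMP id and seq and reports whether a translated copy sourced from the SNAT address, and a reply, were captured. The function name and the use of the external self IP 10.254.255.200 as the automap address are assumptions for the illustration; the capture lines are copied from the post.

```python
import re
from collections import defaultdict

# ICMP echo lines as printed by `tcpdump -n ... and icmp`.
ECHO = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): "
                  r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

# Capture lines copied from the post (ping to the workstation, ping to the router).
HOST_CAPTURE = """\
17:42:15.125562 IP 192.168.37.1 > 10.254.255.187: ICMP echo request, id 43530, seq 1, length 64
17:42:15.125731 IP 10.254.255.200 > 10.254.255.187: ICMP echo request, id 43530, seq 1, length 64
17:42:15.127263 IP 10.254.255.187 > 10.254.255.200: ICMP echo reply, id 43530, seq 1, length 64
17:42:15.127269 IP 10.254.255.187 > 192.168.37.1: ICMP echo reply, id 43530, seq 1, length 64
"""
ROUTER_CAPTURE = """\
17:41:27.272021 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 1, length 64
17:41:28.285159 IP 192.168.37.1 > 10.254.255.254: ICMP echo request, id 43018, seq 2, length 64
"""

def trace_probes(capture, snat_ip):
    """Map each (id, seq) to how far the ping got, judged from one capture."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = ECHO.match(line.strip())
        if not m:
            continue  # tcpdump banner and summary lines
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "reply":
            seen[key].add("reply")
        elif m["src"] == snat_ip:
            seen[key].add("translated")  # egress copy after SNAT automap
        else:
            seen[key].add("original")    # ingress copy from the node
    verdicts = {}
    for key, stages in sorted(seen.items()):
        if "reply" in stages:
            verdicts[key] = "answered"
        elif "translated" in stages:
            verdicts[key] = "forwarded, no reply"
        else:
            verdicts[key] = "not forwarded"
    return verdicts

if __name__ == "__main__":
    SNAT_IP = "10.254.255.200"  # assumption: automap uses the external self IP
    for name, cap in (("workstation", HOST_CAPTURE), ("router", ROUTER_CAPTURE)):
        for probe, verdict in trace_probes(cap, SNAT_IP).items():
            print(name, probe, verdict)
```

A verdict of "not forwarded" means the capture holds only the node-side request, which is consistent with the empty `-i external` capture shown in the post.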

 

 

  • I'm assuming that the node 192.168.37.1 has a default route of 192.168.37.254 (the BIG-IP)

    If so, and you're using ICMP, it looks like SNAT hasn't been configured to allow ICMP (by default, SNAT only forwards UDP and TCP packets)

    Try enabling SNAT Packet Forwarding for all packet types:

    In the GUI, navigate to: System>>Configuration:Local Traffic:General

    Change "SNAT Packet Forwarding" from "TCP and UDP Only" to "All Traffic"

    Your ping to the router should now work (I'm presuming that the router doesn't have a route back to your BIG-IP for the subnet 192.168.37.0/24)

  • Hello. The "Packet Forwarding SNAT" is "All Traffic" from the beginning. The router knows return because it is on the same network as the external interface. Thank you. Best regards, fred
  • Hello,

    this is the file.

    Best regards

    ----

    [root@bigmama:Active] config cat /config/bigip_sys.conf
    provision ltm {
        level nominal
    }
    partition Common {
        description "Repository for system objects and shared objects."
    }
    shell write partition Common
    user root {
        password crypt "$1XXXXXXXXXXXXXXXXXeK0xig1"
    }
    user admin {
        password crypt "$1$0XXXXXXXXXXXXXXXG10"
        group 500
        home "/home/admin"
        shell "/bin/false"
        role administrator in all
    }
    dns {
        nameservers 8.8.8.8
    }
    failover {
        standby link down time 0
    }
    httpd {
        authpamidletimeout 1200
        maxclients 10
    }
    ltm {
        snat packet forward enable
    }
    ntp {
        timezone "Europe/Paris"
    }
    system {
        gui security banner enable
        mgmt dhcp enable

  • What route does the node 192.168.37.1 take to reach 10.254.255.254?

    (what is its default gateway?)

  • Robin_Mordasie1
    Historic F5 Account

    I also tried a network forwarding virtual server running 10.1-VE under VMware Server on Windows, and saw that it did not work. I tried the same thing on 10.1-VE running under Fusion on a Mac, and it did work. One thing I noticed is that when I turned on a network forwarding virtual server running under Fusion, I had a Mac sudo window pop up asking me for a password while it said that one of the virtual machines was trying to monitor all traffic. Is this possibly something where an interface tries to go into promiscuous mode, but for some reason cannot while running under VMware Server?