Forum Discussion

Nitesh's avatar
Nitesh
Icon for Cirrus rankCirrus
Aug 20, 2021

Is InterVLAN Routing possible in F5

 

From below topology i want to ping from TEST_PC to firewall interface IP(172.16.3.254). From same TEST_PC i can ping WEB_SERVER. I am not sure why ping to firewall is not working. I have ping policy associated with Firewall interface. Reverse routing is in place on firewall pointing towards HA IP(172.16.3.100). Is InterVLAN routing even possible in LB ?

 

 

Thanks

application delivery
BIG-IP
BIGIPF5LTM
LTM
  • Mike757's avatar
    Mike757
    Aug 21, 2021

    Instead of "destination 172.16.3.254:any" use "0.0.0.0/0:any". This creates a full router without filter on source or destination IPs. The kernel's routing table is used to forward traffic.

  • Nitesh's avatar
    Nitesh
    Icon for Cirrus rankCirrus
    Aug 21, 2021

    It started working after doing below config. But i couldn't ping to 172.16.1.x from 172.16.2.x. I tried changing destination ip to 0.0.0.0/0 or 172.16.0.0/16 but it didnt work.

     

    ltm virtual Forwading_VS_MGMTPC {

       creation-time 2021-08-20:21:22:48

       destination 172.16.3.254:any

       ip-forward

       ip-protocol tcp

       last-modified-time 2021-08-21:10:00:37

       mask 255.255.255.255

       profiles {

           fastL4 { }

       }

       serverssl-use-sni disabled

       source 0.0.0.0/0

       source-address-translation {

           type automap

       }

       translate-address disabled

       translate-port disabled

       vs-index 6

    }

     

  • Nitesh's avatar
    Nitesh
    Icon for Cirrus rankCirrus
    Aug 21, 2021

    Ho to configure Forwading VIP such as i can ping any IP addresses ? Futhermore i believe AutoMap doesn't play any role in Forwading VS. I tried packet capture and could see same source and dest ip. Source IP not getting translated.

    • Mike757's avatar
      Mike757
      Icon for MVP rankMVP
      Aug 21, 2021

      Instead of "destination 172.16.3.254:any" use "0.0.0.0/0:any". This creates a full router without filter on source or destination IPs. The kernel's routing table is used to forward traffic.

      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Aug 24, 2021

        This should work. F5 is a default-deny device meaning all traffic that does not match a Listener (Virtual Server in this case) or an active connection in table will be dropped.

         

        To route packets, as Mike said, you will need to configure a VS with target network as your destination address. This can be anything, from a single IP 172.16.1.1:any to a network 172.16.0.0/16:any to 0.0.0.0/0:any that will match all traffic. If you want to filter which clients can talk with said network, you can modify "source" and "VLAN" options so that only clients whose traffic comes from a specific netowrk or on a specific VLAN will match the Routing VS.

         

        AutoMap will NAT your Client IP with F5 self-ip address on the VLAN where traffic is routed. For non-connected networks you should specify routes in Network>Routes section. You can confirm which interface is used for egress with bash command "ip route get x.x.x.x"