Forum Discussion
Link Controller and outbound NAT
I've inherited an F5 Link Controller that is being used to load balance two ISPs. It is not doing any inbound load balancing at all (no Listeners or Wide IPs are configured). There are three Load Balancing Pools: default_gateway_pool for round robin load balancing across both ISPs, prefer_ISP1 to force traffic to ISP1 (but fail back to ISP2 if necessary), and prefer_ISP2, which does just the opposite of prefer_ISP1. I also have four virtual servers, one for load balancing general outbound traffic (wildcard 0.0.0.0/0, all ports) that points to default_gateway_pool, and three other virtual servers that are wildcards for specific ports (0.0.0.0/0 port 22, etc.) and point to one of the other pools to force traffic to one ISP or the other.
Right now, all the virtual servers have Address Translation and Port Translation enabled and no SNAT pool assigned. All the pools have Allow SNAT and Allow NAT enabled.
I need to turn NAT off for all outbound traffic (the traffic is already NATed at the firewall inside the LC and needs to keep the addresses from the firewall, and yes they are public addresses).
My main question is what happens if traffic goes out one ISP and comes back in on the other? Will the LC drop the traffic (like a firewall) or will it pass it back to the source IP address (like a router)?
Thanks.
3 Replies
- FredR_30652
Nimbostratus
Hi Ian,
I am sure I am missing something, but if you "talk" with a public address from ISP1, why would the response come on a public address from ISP2?
If the TCP connection is established between 50.50.50.10 (client, one of your public addresses) and 220.200.10.10 (a server somewhere on the internet), I can't see a reason why 220.200.10.10 would send traffic to a different IP.
Regards,
Fred
- Ian_Cartwright1
Nimbostratus
It wouldn't, but if the packets going from 50.50.50.10 to 220.200.10.10 go out through ISP1, the response packets coming back from 220.200.10.10 to 50.50.50.10 could potentially come back through ISP2 (which is a different interface on the Link Controller). Would those response packets be dropped because they are seen on a different interface? That's what a firewall would do.
Thanks.
Ian
- hoolio
Cirrostratus
Hi Ian,
I think you can set the db key, connection.vlankeyed, to disabled to prevent LTM from dropping responses which come back on a different interface than they left on.
bigpipe db Connection.VlanKeyed disable
Aaron
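An added audit check (not from the thread or from F5) that scans a saved `tmsh list ltm virtual` and `tmsh list sys db connection.vlankeyed` dump for the two settings discussed above: wildcard forwarding virtual servers that still translate addresses or ports (and so NAT outbound traffic), and whether connection.vlankeyed is disabled so replies returning via the other ISP are not dropped. The sample text is constructed; `translate-address`/`translate-port` are assumed to be the tmsh spellings of the GUI's Address/Port Translation settings.

```shell
# Constructed sample of `tmsh list ltm virtual` output (not a real device dump).
SAMPLE_VS='ltm virtual outbound_all {
    destination 0.0.0.0:any
    mask any
    pool default_gateway_pool
    translate-address enabled
    translate-port enabled
}
ltm virtual outbound_ssh {
    destination 0.0.0.0:22
    mask any
    pool prefer_ISP1
    translate-address disabled
    translate-port disabled
}'
# Constructed sample of `tmsh list sys db connection.vlankeyed` output.
SAMPLE_DB='sys db connection.vlankeyed {
    value "enable"
}'
# Print the name of every 0.0.0.0 wildcard virtual server that still has
# address or port translation enabled, i.e. one that would NAT outbound traffic.
find_translating_wildcards() {
    printf '%s\n' "$1" | awk '
        /^ltm virtual / { name = $3; wild = 0; xlate = 0 }
        /destination 0\.0\.0\.0:/ { wild = 1 }
        /translate-(address|port) enabled/ { xlate = 1 }
        /^}/ { if (wild && xlate) print name }'
}
# Succeed only when connection.vlankeyed is disabled, so a reply arriving on
# the other ISP VLAN is matched to its connection instead of being dropped.
vlankeyed_disabled() {
    printf '%s\n' "$1" | grep -q 'value "disable"'
}
# Run both checks: warnings go to stderr, the number of findings to stdout.
audit_outbound() {
    issues=0
    for vs in $(find_translating_wildcards "$1"); do
        echo "WARN: $vs is a wildcard virtual server with translation enabled" >&2
        issues=$((issues + 1))
    done
    if ! vlankeyed_disabled "$2"; then
        echo "WARN: connection.vlankeyed is not disabled" >&2
        issues=$((issues + 1))
    fi
    echo "$issues"
}
audit_outbound "$SAMPLE_VS" "$SAMPLE_DB"
```

Run it against real output by replacing the two sample strings with the captured command output; a result of 0 means no wildcard virtual server still translates and the db key is already disabled.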