Forum Discussion

Ian_Cartwright1
Nov 29, 2011

Link Controller and outbound NAT

Hello All,

I've inherited an F5 Link Controller that is being used to load balance two ISPs. It is not doing any inbound load balancing at all (no Listeners or Wide IPs are configured). There are three Load Balancing Pools: default_gateway_pool for round robin load balancing across both ISPs, prefer_ISP1 to force traffic to ISP1 (but fail back to ISP2 if necessary), and prefer_ISP2, which does just the opposite of prefer_ISP1. I also have four virtual servers, one for load balancing general outbound traffic (wildcard 0.0.0.0/0, all ports) that points to default_gateway_pool, and three other virtual servers that are wildcards for specific ports (0.0.0.0/0 port 22, etc.) and point to one of the other pools to force traffic to one ISP or the other.

Right now, all the virtual servers have Address Translation and Port Translation enabled and no SNAT pool assigned. All the pools have Allow SNAT and Allow NAT enabled.

I need to turn NAT off for all outbound traffic (the traffic is already NATed at the firewall inside the LC and needs to keep the addresses from the firewall, and yes they are public addresses).

My main question is what happens if traffic goes out on one ISP and comes back in on the other? Will the LC drop the traffic (like a firewall) or will it pass it back to the source IP address (like a router)?

Thanks.

  • Hi Ian,

    I am sure I am missing something, but if you "talk" with a public address from ISP1, why would the response come on a public address from ISP2?

    If the TCP connection is established between 50.50.50.10 (the client, one of your public addresses) and 220.200.10.10 (a server somewhere on the internet), I can't see a reason why 220.200.10.10 would send traffic to a different IP.

    Regards,

    Fred
  • It wouldn't, but if the packets going from 50.50.50.10 to 220.200.10.10 go out through ISP1, the response packets coming back from 220.200.10.10 to 50.50.50.10 could potentially come back through ISP2 (which is a different interface on the Link Controller). Would those response packets be dropped because they are seen on a different interface? That's what a firewall would do.

    Thanks.

    Ian

  • Hi Ian,

    I think you can set the db key, connection.vlankeyed, to disabled to prevent LTM from dropping responses which come back on a different interface than they left on.

    bigpipe db Connection.VlanKeyed disable

    Aaron
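To make concrete what that db key changes, here is an added illustration; it is not F5 code and not from anyone in this thread. It is a toy model of a stateful connection-table lookup built on the assumption Aaron's reply relies on: with Connection.VlanKeyed enabled, the VLAN a flow was seen on is part of the lookup key, so a reply that arrives on the other ISP's VLAN misses the existing flow and is dropped as unsolicited; with it disabled, only the 5-tuple is matched and the reply is forwarded. The addresses are the ones from Fred's post; the VLAN names (internal, isp1, isp2), ports and the table layout itself are constructed for the example.

```python
"""Toy model of a connection-table lookup with and without VLAN keying.

Added illustration for this thread, not F5 code.  Assumption: with
Connection.VlanKeyed enabled the ingress VLAN is part of the flow key, so a
return packet on a different VLAN misses the flow and is dropped; with it
disabled only the 5-tuple is used and the packet is forwarded.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    vlan: str  # VLAN (interface) the packet arrived on

    def five_tuple(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_five_tuple(self) -> Tuple[str, str, int, str, int]:
        # Key the reply direction would carry.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class ConnectionTable:
    """Minimal flow table: key -> flow label."""

    def __init__(self, vlan_keyed: bool) -> None:
        self.vlan_keyed = vlan_keyed
        self._flows: Dict[Tuple, str] = {}

    def _key(self, five_tuple: Tuple, vlan: str) -> Tuple:
        # With VLAN keying enabled the VLAN is part of the lookup key;
        # with it disabled the VLAN is ignored (modelled as None).
        return (five_tuple, vlan if self.vlan_keyed else None)

    def new_outbound(self, pkt: Packet, egress_vlan: str) -> str:
        """First packet of a flow from the inside.  The wildcard virtual
        server accepts it and installs both directions; the reply is
        expected back on the VLAN the packet was sent out on (assumption)."""
        label = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} via {egress_vlan}"
        self._flows[self._key(pkt.five_tuple(), pkt.vlan)] = label
        self._flows[self._key(pkt.reverse_five_tuple(), egress_vlan)] = label
        return label

    def handle(self, pkt: Packet) -> str:
        """'forward' when the packet matches an existing flow, 'drop' when
        it does not (the behaviour the thread is asking about)."""
        hit = self._flows.get(self._key(pkt.five_tuple(), pkt.vlan))
        return "forward" if hit else "drop"


def simulate(vlan_keyed: bool) -> Dict[str, str]:
    """Constructed scenario from the thread: 50.50.50.10 opens a TCP
    session to 220.200.10.10, the SYN leaves via ISP1, and the reply may
    come back via ISP1 (symmetric) or ISP2 (asymmetric)."""
    table = ConnectionTable(vlan_keyed)
    syn = Packet("50.50.50.10", 40000, "220.200.10.10", 443, "tcp", vlan="internal")
    table.new_outbound(syn, egress_vlan="isp1")

    reply_isp1 = Packet("220.200.10.10", 443, "50.50.50.10", 40000, "tcp", vlan="isp1")
    reply_isp2 = Packet("220.200.10.10", 443, "50.50.50.10", 40000, "tcp", vlan="isp2")
    return {
        "reply_on_isp1": table.handle(reply_isp1),
        "reply_on_isp2": table.handle(reply_isp2),
    }


if __name__ == "__main__":
    for keyed in (True, False):
        state = "enable" if keyed else "disable"
        print(f"Connection.VlanKeyed {state}: {simulate(keyed)}")
```

One thing worth keeping in mind when disabling the key: in the model, and on the assumption above, any packet on any VLAN that matches the 5-tuple of an existing flow is accepted into that flow, so the LC no longer checks that return traffic arrives on the interface it was expected on. In this design the firewall inside the LC is doing the filtering, so that is probably acceptable, but it is a check the LC stops enforcing once the key is disabled.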