Forum Discussion

Oliver_Kohtz_68
Nov 30, 2007

Loadbalancing between Vlans

Hello,

we are migrating to two BIG-IPs with version 9.4.3.

We want to connect multiple dmz-zones, for which the loadbalancer should provide virtual servers.

The dmz-zones are connected through the loadbalancer to the firewall with an intermediate network for each dmz-zone. The loadbalancer provides routing from the firewall to the connected real-servers.

Now we want real-servers from dmz-1 to be able to talk to vservers in dmz-2. But we want the traffic from dmz-1 to dmz-2 to go via the intermediate network to the firewall and then to the vserver via the intermediate network for dmz-2 to the loadbalancer.

Is the only possibility to NAT the vserver-address on the firewall, so that the real-server in dmz-01 has to connect to the vserver-NAT-address?

Thanks for your help

  • Should a server in dmz-zone1 be able to talk directly to a server in dmz-zone2? Or should all communication from dmz-zone1 to zone2 go through a BIG-IP virtual server?
  • Nicolas_Berthie
    Historic F5 Account
    Oliver,

    I think you should create a network Virtual Server listening on vlan dmz-1 with a pool which contains the firewall IP address in the intermediate network, and deactivate Network and Port translation in this VS. The "Destination" field in your VS should contain the dmz-2 IP subnet and network mask. So all communications coming from dmz-1 to the dmz-2 IP subnet will be routed without IP and port translation to the firewall.

    Hope this helps.

    Regards.

    Nicolas
  • I am very new to the F5 loadbalancing, but it seems to me you would be circumventing the security that you have put in place by allowing dmz1 and dmz2 to talk directly to each other.

    How would you be maintaining your security in this case?
  • Nicolas_Berthie
    Historic F5 Account
    DMZ1 and DMZ2 are not allowed to talk to each other directly: all traffic will be intercepted by the VS and sent to the firewall.

    Nicolas
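The forwarding virtual server Nicolas describes, written out as an added example (not configuration from the thread or from F5). It is in tmsh syntax, which ships with BIG-IP v10 and later, so on the 9.4.3 release in the question the same objects would be built with bigpipe; the addresses (dmz-2 = 10.2.0.0/24, firewall leg in the dmz-1 intermediate network = 192.168.1.1) and the vlan name dmz-1 are assumptions.

```tmsh
# Pool holding only the firewall's address on the intermediate network for dmz-1.
# Port "any" because the VS forwards every protocol/port; gateway_icmp checks the hop is up.
ltm pool pool_fw_intermediate1 {
    members {
        192.168.1.1:any { }
    }
    monitor gateway_icmp
}

# Network (wildcard) virtual server: matches any packet arriving on vlan dmz-1
# whose destination is inside the dmz-2 subnet, and hands it to the firewall
# with the original destination address and port left untouched.
ltm virtual vs_fwd_dmz1_to_dmz2 {
    destination 10.2.0.0:any
    mask 255.255.255.0
    ip-protocol any
    profiles {
        fastL4 { }
    }
    pool pool_fw_intermediate1
    translate-address disabled
    translate-port disabled
    vlans {
        dmz-1
    }
    vlans-enabled
}
```

Because dmz-1 is directly connected to the BIG-IP, replies from the dmz-2 virtual server to the dmz-1 client are sent straight onto vlan dmz-1, so the firewall sees only one direction of the flow; keep this in mind when checking firewall state tables and logs, or let the firewall NAT the flow as the original question considers.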