Forum Discussion
Michael_Kelsey_
Nimbostratus
Sep 18, 2007
LTM Multiple Default Routes?
I wish to establish multiple default routes in more or less a virtual router perspective. I have four ports on a LTM (C62a, running BigIP 9.4.0) partitioned into two private networks and two public n...
Michael_Kelsey_
Nimbostratus
Sep 21, 2007
I am hoping I can depend on NATs (not SNATs) to establish a publicly routable IP address for the pool members on the private side. The NAT mapping is 1:1.
What I need is for the NAT from each zone to egress out a particular gateway, not just the default gateway. I also need the NAT to accept inbound traffic, ruling out SNATs.
So, taking for example some fictitious IP addresses to illustrate my example, there are two firewalled zones (attached to a firewall with these two subnets plus an external Internet routable subnet) to which each of the public zones independently connect.
12.1.37.1 is the firewall interface/gateway for the first zone, which for the sake of clarity has a public/shared assigned IP of 12.1.37.28. 12.1.39.1 is the firewall interface/gateway for the second zone.
The respective private zone (only published on the BigIP) for the 12.1.37.0/24 subnet has a subnet of 192.168.37.0/24 that will have NATs (1:1) such that a server/pool member with an IP of 192.168.37.5 maps to 12.1.37.5.
I desire the traffic from the NAT 12.1.37.5 to always egress through the firewall gateway of 12.1.37.1.
Incoming requests to the pool members will be serviced by a virtual server, and let's assign 12.1.37.4 for the virtual server. Using the last hop feature, I am guaranteed that traffic inbound from the 12.1.37.1 gateway to the virtual server 12.1.37.4 and eventually the pool member 192.168.37.5 will always egress back the route it came, independent of the BigIP's default route, which say for the sake of clarity is 12.1.39.1.
I have this working properly for virtual servers and pool members when the traffic originates from the gateway address of 12.1.37.1 or when the source IP is in the same subnet as the public side of the 12.1.37.0/24 IP space. What I am missing is the behavior where 12.1.37.5's traffic (originating from the pool member 192.168.37.5) egresses through 12.1.37.1 given the BigIP's default route is established through 12.1.39.1.
Additionally, there are virtual servers on the 12.1.39.0/24 network and respective pool members in the 192.168.39.0/24 subnet. These pool members need to egress (when traffic originates from a 192.168.39.0/24 address) through the gateway 12.1.39.1.
I'm a bit at a loss as to how to establish different routes for NATs based on the source subnet (or VLAN IP address subnet as per assigned through the BigIP user interface).
Thank you for the reply! I am excited to learn if there's a way to accomplish this goal, even if it requires some elaborate reconfiguration for one of the private subnets.
Michael
