LTM Routing - How to bypass a directly connected interface

The hosts on vlan 20 could be configured with a route for vlan 10 to use a next hop of your LTM rather than going through the firewall. Is this a possibility in your environment?

Unfortunately that's not a scalable option for us as there are actually many hosts on VLAN20. Plus, there are many other VLANs as well in my real environment - I just scaled this down for an example.

Unsure if it'll work, but you can try something like this iRule. Add it to your forwarding virtual server on vlan 10 and replace the MAC address listed with that of your firewall on vlan 30:

when CLIENT_ACCEPTED {
 nexthop external 01:23:45:ab:cd:ef
}

Cory - this looks like it could be a promising option...Let me do some testing and I will get back to you. Thanks much. Tom

Tom,
     I just solved for a similar issue in my environment.  I added the below iRule like Tom suggested to my Forwarding IP (also below) that sends traffic out of the private VLAN (your VLAN10).  I used the IP instead of MAC for nexthop since the default gateway of my LTM is an HSRP router pair.  This PBR (policy-based-routing) iRule was the best answer for us because I have about 7 directly connected VLANs.  These are used for 2-arm SNAT configurations to servers that exist on routed subnets that most of our LB traffic uses.  Now tcpdumps show my traffic flows entering/leaving my private VLAN symmetrically and using the routed network even for directly-connected VLANS.
     My private VLAN is only used when my application guys MUST have the clients' true IP.  It is not part of my routed network.  To allow for management and non-load-balanced traffic I am distributing a static route to this VLAN from the same routers that the LTM use as its default gateway.  This worked fine until a private VLAN host needed to talk to a locally connected VLAN or the traffic flow crossed a firewall.  My forwarding VS is only listening on the private VALN and has the private VLANs source subnet defined so it will only apply to traffic leaving host in that VLAN.

Forwarding IP vs:

    ltm virtual vsfwd_LTM-ServerLAN_out {
        description "Wilcard virtual server to allow LTM-ServerLAN traffic out to routed network"
        destination 0.0.0.0:any
        ip-forward
        mask any
        profiles {
            pr_LTM-ServerLAN_out_fastL4 { }
        }
        rules {
            ir_routed-traffic-nexthop
        }
        source 10.1.1.0/24
        source-port preserve-strict
        translate-address disabled
        translate-port disabled
        vlans {
            *{Private-LAN}*
        }
        vlans-enabled
        vs-index 30
    }

iRule:

ltm rule ir_routed-traffic-nexthop {
    when CLIENT_ACCEPTED {

  if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] }   {
     nexthop *{external VLAN with gateway}* 10.2.2.1
    }
}
}    

Duane and Cory - Thanks to you both...very good stuff.

My preliminary testing looks good. I'll follow up and let you know how it goes.

Hi,

I wonder why using Last Hop Pool (with pool containing firewall from VLAN 30) configured on Forwarding IP VS will not work? After reading plenty of docs it looks for me that this method can be used to override any routes, so should as well override entries for directly attached networks. Am I wrong?

Well, I have to be wrong, after some test I am pretty sure that LHP can only be used for returning traffic not original traffic, sorry for messing around.

Piotr