New self IP
Hello All,
I have 3 interfaces: external, internal1 and High Availability, and I'm using F5 as a proxy server. Until now I had external traffic only and only one internal1 interface, and traffic was NATed to the F5 internal1 interface IP. Now I want to create a new internal2 interface (because I need to create a new virtual server in the same network as the internal2 interface, and it looks like it is needed) and I'm not sure how it will work, because networks will be accessible via both internal interfaces. I guess it will work this way; please confirm or correct me:
Traffic to the internal network (let's say to 192.168.0.18) will go via the internal (172.16.1.20) interface (because on the F5 a rule is set up that 192.168.0.0/16 goes via 172.16.1.1), unlike traffic (let's say to 192.168.1.25) which will go to the same network as the second internal2 interface (192.168.1.5).
- JRahm
Admin
This is not problematic at all. You have three functions in play here: routing, PERMISSION to pass traffic, and translation. Let's take them one at a time.
Routing
Your route table will establish where BIG-IP sends traffic to next hops. It acts like any router does: connected networks establish routes by default, and any transit route will need to be defined (statically, or dynamically if you have that need and are licensed for it). One caveat: auto-last-hop. If this is enabled (and it is by default), traffic will be returned from where it came, so be aware if this is a security zone.
PERMISSION to pass traffic
This is where your virtual servers come into play. BIG-IP is by default a default-deny device; you have to explicitly allow traffic to flow. So traffic won't automatically flow between your internal zones even if routes are there, you need to configure it that way, and you can specify which VLANs are allowed to source traffic on each virtual server.
Translation
You can translate the traffic from zone to zone if you need to, but you don't have to. Some security postures don't want any routes established on servers in DMZs except to push all traffic north to a security boundary. So you may need to SNAT traffic between internal zones, but if routes to BIG-IP are allowed, then translation between internal zones may not be required.
- f5beginner
Cirrostratus
Hi Jason, thanks for the answer. I have already created the second interface internal2, but I have a routing problem and I will try to describe it:
internal2: 192.168.1.5
internal: 172.16.1.20
Virtual server IP: 1.1.1.1 (SNAT IP for virtual server is 172.16.1.10)
Destination Server IP (defined on virtual server) is: 192.168.1.25
I need to set up this:
Traffic from outside (which goes to IP 1.1.1.1 and is translated to 172.16.1.10) should go to 192.168.1.25 via interface internal (172.16.1.20).
Now traffic goes this way:
Traffic from outside (which goes to IP 1.1.1.1 and is translated to 172.16.1.10) goes to 192.168.1.25 via interface internal2 (192.168.1.5), and back it goes via 172.16.1.20.
The route is of course defined via 172.16.1.20, but the server is in the same network as interface internal2 (192.168.1.0/24).
Thank you
- JRahm
Admin
Hmm, not sure, short of an iRule, that you're going to be able to get traffic for 192.168.1.25 to be sent to a next hop on the non-connected network.
- f5beginner
Cirrostratus
Hi, all I need is to set up a virtual server which will have an IP address from the range 192.168.1.0/24. Maybe I do not need the second internal interface internal2? But when I delete it, it does not work. I have tested setting up SNAT (with an IP from the internal interface (172.16.1.21)) on virtual servers which have connected pools with IPs in the range 192.168.1.0/24, but the problem is that traffic still goes via the internal2 (192.168.1.5) interface, but back it goes via interface 172.16.1.20, so this does not look like a solution.
Simply put, I need to send all traffic (including pools in network 192.168.1.0/24) via 172.16.1.20, but I need to create a virtual server in network 192.168.1.0/24 which will have a connected pool in the same network.
- JRahm
Admin
You can apply multiple self IPs on the same VLAN; there is no requirement to isolate them to their own interfaces.
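As an added example (not from the thread, and not F5's own documentation), here is a tmsh configuration for the layout the last answer suggests: both self IPs on one VLAN, the static route for the rest of 192.168.0.0/16, and the thread's virtual server with SNAT and explicit VLAN permission. The VLAN names `internal`/`external`, interface `1.2`, the object names and port 80 are assumptions.

```tmsh
# Added example, not from the thread: VLAN names, interface number,
# object names and port 80 are assumptions; IP addresses are from the thread.

# One internal VLAN carrying both subnets, with two self IPs on it
# (no separate internal2 interface). Port lockdown closed on the data self IPs.
create net vlan internal interfaces add { 1.2 }
create net self 172.16.1.20/24 vlan internal allow-service none
create net self 192.168.1.5/24 vlan internal allow-service none

# Transit route for the rest of 192.168.0.0/16 via the internal router.
# 192.168.1.0/24 is a connected network, so 192.168.1.25 is reached directly.
create net route internal_net network 192.168.0.0/16 gw 172.16.1.1

# Pool member and the SNAT address used toward the internal side,
# so the server replies to BIG-IP rather than to the outside client.
create ltm pool web_pool members add { 192.168.1.25:80 }
create ltm snatpool internal_snat members add { 172.16.1.10 }

# Default deny: the virtual server explicitly accepts traffic only from the
# external VLAN; nothing else is allowed to source traffic through it.
create ltm virtual vs_web destination 1.1.1.1:80 ip-protocol tcp pool web_pool source-address-translation { type snat pool internal_snat } vlans-enabled vlans add { external }

save sys config
```

With auto-last-hop left at its default, return traffic for each connection goes back to the MAC it arrived from, which is the caveat raised in the first answer.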