Newbie LTM lab setup question
I'm setting up a lab to do very simple LTM load balancing. I have small/medium knowledge of F5 and have got quite a way in, but am struggling at what I think is the final hurdle.
I have 2 VMs (192.168.33.20 and .21) which I have successfully set up as nodes (they are recursive DNS servers). I have also set up a monitor, and I can see traffic coming from the F5 (using tcpdump) doing DNS queries.
I have a virtual server 10.0.0.10 which is configured to use the two pool members mentioned above.
If I send DNS query traffic to 10.0.0.10 I can see the traffic appear on the nodes, but they don't send traffic (DNS answers) back because they don't have a route to 10.x.
So I'm a little stuck on what to do next. I *think* it's something to do with SNAT and/or Automap, as I seem to remember having a similar issue years ago (the last time I set up a lab), but my memory is failing me (it's old age).
Can anyone point me in the right direction?
Apologies if there isn't enough detail here, but it was difficult to work out what level I needed to go to, so if you need anything else let me know.
I *think* this is a fairly common/easy question though (hopefully).
Thanks
Brett
What is the default gateway configured on the DNS servers?
If it is not the F5 IP then, in your case, it will cause asymmetric routing issues. This is because the DNS servers' responses will not go through the F5 and the session will be incomplete. So to avoid this situation, SNAT is the option you are talking about. By setting SNAT to Automap you can overcome the asymmetric routing issue and the response from DNS will go via the F5.
Please enable SNAT and then check the traffic.
Mayur
Brerr (Nimbostratus):
Thanks for the reply, really appreciated. That has helped my understanding a little but not solved my problem. The DNS servers, as you guessed, do not have a default gateway pointing at the F5s.
The virtual server is 10.0.0.10
The self IP is 10.0.0.100
The VM (linux1) is 192.168.33.20
I'm sending the DNS query to 10.0.0.10 and can see it appearing on the VM as follows.
Without SNAT:
19:01:09.559313 IP 10.0.0.1.64843 > linux1.domain: 10311+ [1au] A? www.pwei.org.uk. (44)
With SNAT Automap:
19:03:07.364072 IP 10.0.0.101.50310 > linux1.domain: 47897+ [1au] A? www.pwei.org.uk. (44)
As you can see, both of these are from 10.x, which will not work as the VM will answer this down its default gateway (which is on a different interface on the VM).
I think the DNS query would have to come from the 192.168.33.0/24 network for this to work.
Thoughts?
Thanks
Brett
I am happy to know that my earlier response helped you to get an understanding of SNAT.
Moving ahead:
1. Can you please provide the configuration done on the VS and also the routes present on the F5?
2. On your point about having the DNS query come from subnet 192.168.33.0/24, this is one approach, but one question here: do the DNS servers know the F5 subnet (10.0.0.x)? What are the routes on the servers/VMs?
Also, as it is a Linux VM, can you please check the iptables on it, if any?
Mayur
Brerr (Nimbostratus):
Virtual server config pasted below:
show running-config ltm virtual
ltm virtual VS1-10.0.0.10-TCP {
    description VS1-TCP
    destination 10.0.0.10:domain
    ip-protocol tcp
    mask 255.255.255.255
    pool Pool1
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}
ltm virtual VS1-10.0.0.10-UDP {
    description VS1-UDP
    destination 10.0.0.10:domain
    ip-protocol udp
    mask 255.255.255.255
    pool Pool1
    profiles {
        udp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
Below is the routing table on the F5 using netstat -nr:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tmm
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 internal
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.33.0 0.0.0.0 255.255.255.0 U 0 0 0 external
192.168.59.0 0.0.0.0 255.255.255.0 U 0 0 0 HA
127.7.0.0 127.1.1.253 255.255.0.0 UG 0 0 0 tmm
127.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tmm_bp
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
The DNS servers have two interfaces (one shown below as an example):
eth0: 192.168.1.20/24, gw 192.168.1.254. This is a bridged network on the laptop, also connected to the management interface of the F5 (192.168.1.110).
eth1: 192.168.33.20/24, no gw. This is a host-only network on the laptop, also connected to the F5 (192.168.33.10).
There is no iptables running on the Linux VMs.
Below is the routing table on the VM using netstat -nr:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.33.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
So, as you can see, the Linux VMs do not know about 10.x.
My aim is to get this working as simply as possible (it's just a lab), but also in a way that would typically be done in production.
Thanks again for your help, I really appreciate it.
Brett
I do not see any issues with the VS configuration, but yes, there is an issue with the reverse traffic from the VM to the F5. You can achieve connectivity either by having one NIC of the VM in subnet 10.x, or by adding a self IP on the F5 in subnet 192.168.33.x, and then adding the required routes.
This way the return path for the traffic will be clear.
Mayur
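The return-path reasoning in this thread can be checked mechanically: take the DNS VM's routing table as posted, do a longest-prefix-match lookup on the source address the server will answer to, and see whether the next hop is an F5 data-plane address. The script below is an added example, not part of the original posts or any F5 tooling. It assumes 192.168.33.10 is an F5 self IP on the host-only VLAN (the thread mentions that address on the F5) and that 10.0.0.101 is the address SNAT Automap chose in the tcpdump; 192.168.1.110 is the F5 management port and is deliberately not treated as a valid return path, because the management interface does not forward data-plane traffic.

```python
import ipaddress

# Routing table of the Linux DNS VM, copied from the "netstat -nr" output in the
# thread: (destination prefix, gateway or None if directly connected, interface).
VM_ROUTES = [
    ("0.0.0.0/0",       "192.168.1.254", "eth0"),
    ("169.254.0.0/16",  None,            "eth1"),
    ("192.168.1.0/24",  None,            "eth0"),
    ("192.168.33.0/24", None,            "eth1"),
]

# F5 data-plane addresses a reply could legitimately be handed to.
# 10.0.0.100 is the self IP from the thread, 10.0.0.101 is what SNAT Automap
# used in the capture, 192.168.33.10 is assumed to be a self IP on the
# host-only VLAN. 192.168.1.110 (management) is intentionally excluded.
F5_DATA_PLANE_IPS = {"10.0.0.100", "10.0.0.101", "192.168.33.10"}

# Alternative fix from the thread: point the VM's default route at the F5 on eth1.
VM_ROUTES_GW_F5 = [("0.0.0.0/0", "192.168.33.10", "eth1")] + VM_ROUTES[1:]


def lookup(dst, routes):
    """Longest-prefix-match route lookup. Returns (interface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None, None
    _, gw, iface = best
    # Directly connected prefix: the next hop is the destination itself.
    return iface, (gw if gw is not None else str(dst))


def reply_path(query_src, routes=VM_ROUTES):
    """Where the DNS server sends its answer for a query that arrived from query_src."""
    iface, next_hop = lookup(query_src, routes)
    return {
        "dst": query_src,
        "iface": iface,
        "next_hop": next_hop,
        "via_f5": next_hop in F5_DATA_PLANE_IPS,
    }


def diagnose(query_src, routes=VM_ROUTES):
    """'symmetric' if the answer returns through the F5, otherwise 'asymmetric'."""
    return "symmetric" if reply_path(query_src, routes)["via_f5"] else "asymmetric"


if __name__ == "__main__":
    scenarios = [
        ("no SNAT, client 10.0.0.1 preserved",          "10.0.0.1",      VM_ROUTES),
        ("SNAT Automap picked 10.0.0.101 (capture)",     "10.0.0.101",    VM_ROUTES),
        ("SNAT to a self IP on the server subnet",       "192.168.33.10", VM_ROUTES),
        ("no SNAT, VM default gateway moved to the F5",  "10.0.0.1",      VM_ROUTES_GW_F5),
    ]
    for label, src, routes in scenarios:
        p = reply_path(src, routes)
        print(f"{label:46} -> {p['iface']} via {p['next_hop']:14} {diagnose(src, routes)}")
```

The first two scenarios reproduce what the tcpdump shows: anything sourced from 10.x leaves the VM via eth0 towards 192.168.1.254, so the F5 never sees the answer and the connection stays half-open. The last two are the two fixes discussed in the thread. If SNAT Automap does not pick the address you expect, an explicit SNAT pool (ltm snatpool with a 192.168.33.x self IP, referenced via source-address-translation type snat) pins the translation address instead of leaving it to Automap's egress-VLAN selection.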