msaunders
Jun 22, 2011 | Nimbostratus
NON VIP related return traffic routing on LTM
Scenario:
VIP listens on TCP 9443
TCP 9443 traffic can come from the Internet and from the private LAN
I would also like to be able to manage each pool member individually (using RDP, SMB, etc.).
I need the pool members to see the actual IP address of the remote client.
                     Internet
                        |
                        |
                  +-----------+
                  | Firewall  |  DMZ interface 192.168.1.1
                  +-----------+
                        |
   DMZ 192.168.1.0/24 --+-----------+-----------------+-----------------+
                                    |                 |                 |
                                    |          Pool_hostA         Pool_hostB
                                    |          192.168.1.4        192.168.1.3
                                    |
                              +------------+
   Private VLANs              |     F5     |  Self IP = 192.168.1.2
   172.16.1.0  ---------------|    (LTM)   |  VIP     = 192.168.1.10:9443 (for pool hosts)
   172.17.1.0  ---------------|            |
   10.20.1.0   ---------------+------------+
SNAT is not used.
The default gateway of the pool hosts is set to the self IP of the F5.
I know that TCP 9443 traffic will route properly.
If I add a network listener of type "Forwarding (IP)", listening on all ports and all protocols for network 192.168.1.0/24, enable this listener only on the DMZ VLAN, and have its pool member be the IP address of the firewall interface:
Will this also allow an RDP connection DIRECTLY to a pool host from the private network to be routed correctly?
Will it mess up return traffic to the VIP from the pool?
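The setup described above, written out as tmsh commands. This is an added example, not configuration from the original post or from F5; the object names (VLANs "dmz" and "private", pool "pool_9443", virtual servers "vs_9443" and "vs_fwd", route "default_gw") are assumptions. It goes one step beyond the post: the forwarding virtual server uses a wildcard destination and is enabled on the private VLAN as well, because a Forwarding (IP) virtual has no pool and only ever matches on the destination of the packet as it arrives, so packets a pool host sends back to a 172.16.1.0 client carry a private destination address and would not match a 192.168.1.0/24 listener. The firewall's DMZ address is supplied as the LTM default route instead of as a pool member.

```tmsh
# Added example for the topology in the post (not the poster's own config).
# Assumed names: vlan dmz, vlan private, pool pool_9443, vs_9443, vs_fwd, default_gw.

# Pool members for the 9443 service; no SNAT anywhere, so the members see
# the real client source address (the members default-route to self IP 192.168.1.2).
create ltm pool pool_9443 monitor tcp members add { 192.168.1.4:9443 192.168.1.3:9443 }

# The application VIP from the post: TCP 9443, reachable from Internet and private LAN.
create ltm virtual vs_9443 destination 192.168.1.10:9443 ip-protocol tcp pool pool_9443 profiles add { tcp }

# Forwarding (IP) virtual: wildcard destination, all protocols, enabled on the DMZ VLAN
# (for replies the pool hosts send back toward the private LAN and the firewall) and on
# the private VLAN (for direct RDP/SMB from 172.16.x/172.17.x/10.20.x to a pool host).
create ltm virtual vs_fwd destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { dmz private } vlans-enabled

# An ip-forward virtual has no pool; the next hop comes from the LTM route table,
# so the firewall's DMZ interface goes in as the default route.
create net route default_gw network default gw 192.168.1.1

save sys config

# Check: a connection through the VIP should show the remote client's real address on
# the server side (assumed filter key; the connection table is the place to confirm no SNAT).
show sys connection cs-server-addr 192.168.1.10
```

The VIP and the forwarding virtual do not compete for the same flows: LTM always prefers the most specific virtual server match, so 192.168.1.10:9443 is handled by vs_9443 while everything else that needs to cross the F5 falls through to vs_fwd. Return traffic for the VIP is still matched by the existing connection-table entry rather than by a virtual server lookup, so the wildcard listener does not disturb it.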