Forum Discussion
msaunders (Nimbostratus), Jun 22, 2011
NON VIP related return traffic routing on LTM
Scenario:
VIP listens on TCP 9443
TCP 9443 traffic can come from the Internet and from the private LAN
I would also like to be able to manage each pool member individually (using RDP, SMB, etc.).
I need the pool members to see the actual IP address of the remote client.
                 Internet
                     |
                     |
               +-----------+
               | Firewall  |  DMZ (192.168.1.1)
               |           |--------+-------------------+---- Pool_hostA (192.168.1.4)
               +-----------+        |                   +---- Pool_hostB (192.168.1.3)
                     |              |
   Private VLANs     |              |
   172.16.1.0   -----+              |   VIP  = 192.168.1.10:9443 (for pool hosts)
   172.17.1.0   -----+              |   Self = 192.168.1.2
   10.20.1.0    -----+        +-----------+
                              |    F5     |
                              +-----------+
SNAT is not used
Set the default gateway of the pool hosts to be the self IP of the F5.
I know that TCP 9443 traffic will route properly.
Suppose I add a network listener of type "Forwarding (IP)", listening on all ports and all protocols, for network 192.168.1.0/24, enable this listener only on the DMZ VLAN, and have its pool member be the IP address of the firewall interface.
Will this also allow an RDP connection DIRECTLY to a pool host from the private network to be routed correctly?
Will it mess up return traffic to the VIP from the pool?
2 Replies
- I think you'd want the 192.168.1.0/24 forwarding virtual server to be enabled on the Private LAN VLAN if that's where clients are connecting from. Regardless, I don't think the network forwarding VS would have any impact on the host:port virtual server. LTM uses auto lasthop--not the routing table or another virtual server--to determine which interface to send responses back on.
- Moved private LAN to firewall interface above as it should be.
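The setup described in the question and the first reply, written out as tmsh commands. This is an added example, not configuration from the original thread or from F5; the object names (pool_app_9443, vs_app_9443, vs_fwd_dmz, the VLAN name dmz) are assumptions. It keeps SNAT off on the host virtual server so the pool members see the real client address, gives the BIG-IP a default route to the firewall's DMZ interface, and adds a Forwarding (IP) virtual server enabled only on the DMZ VLAN. A Forwarding (IP) virtual server has no pool; it forwards according to the routing table, so the path to the firewall comes from the route rather than from a pool member. The forwarding listener here is a 0.0.0.0/0 wildcard rather than 192.168.1.0/24: the packets a pool host sends to the F5 as its default gateway (RDP or SMB replies to a 172.16.1.0 client, or anything Internet-bound) are addressed to the remote client's network, and a listener scoped to 192.168.1.0/24 would not match them.

```tmsh
# Added example (not from the original thread). Assumed names: VLAN "dmz",
# pool members 192.168.1.3 and 192.168.1.4, firewall DMZ interface 192.168.1.1.

# Pool of the two DMZ hosts on the application port, with a plain TCP monitor.
create ltm pool pool_app_9443 monitor tcp members add { 192.168.1.3:9443 192.168.1.4:9443 }

# Standard host virtual server on the VIP. source-address-translation none
# is the "SNAT is not used" requirement: the members see the real client IP,
# which is why their default gateway must be the F5 self IP (192.168.1.2).
create ltm virtual vs_app_9443 destination 192.168.1.10:9443 ip-protocol tcp profiles add { tcp } pool pool_app_9443 source-address-translation { type none }

# Default route to the firewall. The Forwarding (IP) virtual server below has
# no pool; traffic it accepts is routed with this table.
create net route default gw 192.168.1.1

# Forwarding (IP) listener: any destination, any port, any protocol, accepted
# only on the DMZ VLAN. This carries the pool hosts' non-VIP traffic (RDP/SMB
# replies to private-LAN clients) toward the firewall.
create ltm virtual vs_fwd_dmz destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { fastL4 } vlans-enabled vlans add { dmz }

# Check that the two virtual servers and the route exist as intended.
list ltm virtual vs_app_9443 vs_fwd_dmz
list net route default
```

Responses to VIP connections are unaffected by the forwarding listener: as the first reply notes, LTM returns them to the MAC address the request arrived from (auto lasthop), not via the routing table or another virtual server. The inbound RDP or SMB connection from the private LAN never touches the F5 at all; it goes firewall to DMZ host directly, and only the host's reply, sent to its gateway 192.168.1.2, passes through vs_fwd_dmz.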