Forum Discussion

msaunders's avatar
Icon for Nimbostratus rankNimbostratus
Jun 22, 2011

NON VIP related return traffic routing on LTM



VIP listens on TCP 9443


TCP 9443 traffic can come from the Internet and from the private LAN


I would also like to be able to manage each pool member individually using RDP, SMB, etc)


I need the pool members to see the actual IP address of the remote client.











|Firewall|DMZ( |-Pool_hostA (


| |--------------|-------------------------------| -Pool_hostB (


|---------| |


| |


| |


Private Vlans | | (VIP = for pool hosts) | (Self= |--------------------------|


| F5 |


| -------------------------|





SNAT is not used


Set the default gateway of the pool hosts to be the self IP of the F5.


I know that TCP 9443 traffic will route properly.



If I add a network listener of type “Forwarding (IP)”, listening on all ports, and all protocols, for network


Also enable this listener only on the DMZ vlan, and have it’s pool member be the IP address of the firewall interface.



Will this also allow an RDP connection DIRECTLY to a pool host from the private network to be routed correctly?


Will it mess up return traffic to the VIP from the pool?

2 Replies

  • I think you'd want the forwarding virtual server to be enabled on the Private LAN VLAN if that's where clients are connecting from. Regardless, I don't think the network forwarding VS would have any impact on the host:port virtual server. LTM uses auto lasthop--not the routing table or another virtual server--to determine which interface to send responses back on.



  • Moved private LAN to firewall interface above as it should be..



    So, it sounds like listeners for the private VLAN subnets should be configured on the F5 vlan for RDP traffic sourced from a VLan on the private network to route back correctly if a pool host is accessed directly from a private vlan and not via a VIP on the F5 (the default gateway of the pool host is the F5, not the firewall interface)



    Is this correct?