Outbound DNS/ICMP traffic

Question

I am running LTM 9.4.8, I have returned with the basic questions. 
&nbsp;  
&nbsp; I have been having issues passing icmp &amp; DNS traffic internal-&gt; external, I have a default virtual server defined with: 
&nbsp; - Network:  0.0.0.0 
&nbsp; - Service: Any  
&nbsp; - Type: standard 
&nbsp; - Enabled Vlan: Internal 
&nbsp; - Pool: Defined with isp routers address 
&nbsp;  
&nbsp; After some reading it appears I need to apply the settings related to this solution to pass icmp: 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html 
&nbsp;  
&nbsp; It appears I need to set the type of the virtual server to “Performance (L4)” and set protocols to “All Protocols” for icmp. 
&nbsp;  
&nbsp; Will this permit DNS traffic internal-&gt; external ? Does anybody have any recommendations for the default wildcard virtual server ? 
&nbsp;  
&nbsp; The default wildcard server will need to pass any traffic. 
&nbsp;  
&nbsp; I am able to pass other traffic without issues like http,https, etc…. 
&nbsp;  
&nbsp; Thanks … 
&nbsp;

l4l7_53191 · Answer

Robert: Change the type to performance l4, and don't forget to enable SNAT on this virtual server (automap or use a defined snat pool) so the BigIP will source the traffic correctly and you'll get your responses. 
&nbsp;  
&nbsp; Other than that this should work for you, for ICMP as well as DNS, etc. 
&nbsp;  
&nbsp; -Matt

robert_blair_75 · Answer

Matt, 
&nbsp;  
&nbsp; Also I was reading a document regarding setting up a default wildcard server just for FTP traffic.  
&nbsp;  
&nbsp; Defining FTP Profile as ftp, would you think this would be a good idea ?  
&nbsp;  
&nbsp; Typically we use ftp (21 - active/passive) and Sftp (22). 
&nbsp;  
&nbsp; Thanks … &nbsp;

l4l7_53191 · Answer

Personally, I really like the idea of specific forwarders for specific types of traffic. This allows you to manage things way more cleanly. BigIP will handle these types similar to a firewall: the most specific virtual server matches first. So you could so something like: 
&nbsp;  
&nbsp; 0.0.0.0:ftp 
&nbsp; 0.0.0.0:DNS 
&nbsp; 0.0.0.0:0 (everything else) 
&nbsp; etc. 
&nbsp;  
&nbsp; This would allow you to manage your outbound FTP in a specific way, vs. DNS, vs. whatever else. 
&nbsp;  
&nbsp; -Matt

robert_blair_75 · Answer

How would setup the virtual servers in regards to Type and Protocol ? 
&nbsp;  
&nbsp; Thanks … &nbsp;

l4l7_53191 · Answer

It's just like a regular virtual server, actually: it's an IP:port combination, but this time the port is a specific service. For example 0.0.0.0:53 would hook all DNS traffic, 0.0.0.0:25 all SMTP, etc. 
&nbsp;  
&nbsp; Then you can customize the l4 profiles, etc. if you need to. 
&nbsp;  
&nbsp; -Matt

Forum Discussion

Outbound DNS/ICMP traffic

7 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

S3 Traffic Optimization with F5 BIG-IP & NetApp StorageGRID

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

Lightboard Lessons: SSL Outbound Visibility

OCSP through an outbound explicit proxy

Decrypting TLS traffic on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS