Forum Discussion

robert_blair_75 (Nimbostratus)
Dec 13, 2009

Outbound DNS/ICMP traffic

I am running LTM 9.4.8; I have returned with the basic questions.

I have been having issues passing ICMP & DNS traffic internal -> external. I have a default virtual server defined with:

- Network: 0.0.0.0
- Service: Any
- Type: Standard
- Enabled VLAN: Internal
- Pool: Defined with the ISP router's address

After some reading it appears I need to apply the settings related to this solution to pass ICMP:

https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html

It appears I need to set the type of the virtual server to "Performance (L4)" and set protocols to "All Protocols" for ICMP.

Will this permit DNS traffic internal -> external? Does anybody have any recommendations for the default wildcard virtual server?

The default wildcard server will need to pass any traffic.

I am able to pass other traffic without issues, like HTTP, HTTPS, etc.

Thanks ...

 

  • Robert: Change the type to Performance L4, and don't forget to enable SNAT on this virtual server (automap or use a defined SNAT pool) so the BigIP will source the traffic correctly and you'll get your responses.

    Other than that this should work for you, for ICMP as well as DNS, etc.

    -Matt
  • Matt,

    Also I was reading a document regarding setting up a default wildcard server just for FTP traffic.

    Defining the FTP profile as ftp, would you think this would be a good idea?

    Typically we use FTP (21 - active/passive) and SFTP (22).

    Thanks ...
  • Personally, I really like the idea of specific forwarders for specific types of traffic. This allows you to manage things way more cleanly. BigIP will handle these types similar to a firewall: the most specific virtual server matches first. So you could do something like:

    0.0.0.0:ftp
    0.0.0.0:DNS
    0.0.0.0:0 (everything else)
    etc.

    This would allow you to manage your outbound FTP in a specific way, vs. DNS, vs. whatever else.

    -Matt
  • How would you set up the virtual servers in regards to Type and Protocol?

    Thanks ...
  • It's just like a regular virtual server, actually: it's an IP:port combination, but this time the port is a specific service. For example 0.0.0.0:53 would hook all DNS traffic, 0.0.0.0:25 all SMTP, etc.

    Then you can customize the L4 profiles, etc. if you need to.

    -Matt
  • Matt,

    Sorry for the additional questions (this should be the last one): for the different VSs I can just use "Performance L4" / "All Protocols" unless I run into issues?

    Thanks ...
  • I personally think it's best to stick with the protocols in question. For example, your FTP and SFTP forwarders should bind to TCP, your DNS should be all (as DNS can potentially fall back to TCP), etc.

    In other words, if you're setting up a forwarder for a specific protocol, just match it with the LTM setup. Use Performance L4 for these as well - should work great.

    -Matt
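The advice in this thread (per-service wildcard forwarders, Performance L4, SNAT automap, protocol matched to the service) expressed as configuration. This is an added example, not the thread's or F5's own configuration, and it uses tmsh syntax (BIG-IP v10 and later); on the poster's 9.4.8 the same objects would be built in the GUI or with bigpipe. It assumes a VLAN named `internal`, a pool `pool_isp_router` whose member `203.0.113.1` is a documentation placeholder for the ISP router, and object names (`vs_out_ftp`, `vs_out_dns`, `vs_out_all`) chosen here for illustration.

```tmsh
# Next-hop pool: the ISP router. Member port 0 means "any port", which is
# what a forwarder needs once port translation is disabled on the virtuals.
# 203.0.113.1 is a placeholder address, not a real router.
ltm pool pool_isp_router {
    members {
        203.0.113.1:0 {
            address 203.0.113.1
        }
    }
}

# FTP forwarder: bound to TCP only, matching the protocol in question.
# Because the most specific virtual server matches first, port 21 traffic
# lands here before the catch-all below ever sees it. (An FTP profile, if
# wanted for passive-mode data connections, needs a Standard virtual with a
# tcp profile instead of fastL4; this example keeps Performance L4.)
ltm virtual vs_out_ftp {
    destination 0.0.0.0:21
    mask any
    ip-protocol tcp
    profiles {
        fastL4 { }
    }
    pool pool_isp_router
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}

# DNS forwarder: "All Protocols", since resolvers fall back from UDP to
# TCP for large answers and zone transfers.
ltm virtual vs_out_dns {
    destination 0.0.0.0:53
    mask any
    ip-protocol any
    profiles {
        fastL4 { }
    }
    pool pool_isp_router
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}

# Catch-all forwarder for everything else, including ICMP, which is why
# ip-protocol must be "any" here rather than tcp. Restricting it to the
# internal VLAN keeps it from being reachable from the outside.
ltm virtual vs_out_all {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    profiles {
        fastL4 { }
    }
    pool pool_isp_router
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}
```

The SNAT automap on each virtual is what makes the return traffic work: without it the BigIP forwards the client's private source address to the ISP router and the replies never come back. Listing each virtual on only the `internal` VLAN is the counterpart on the inbound side, so a 0.0.0.0:any listener does not accept connections arriving from the external interface.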