Forum Discussion

omar05_132659
Aug 30, 2013

Outbound IPs for mail and navigation traffic

Hello friends,

Yes, I know it is a basic question, but I need help because I am new to F5 deployments. Please! I'd appreciate any help you provide.

I was given two pools of public IPs. One pool is for load balancing inbound and outbound mail traffic, but this traffic must leave the F5 (towards the Internet) with one of the IPs that are part of the first pool, each time in a round-robin load-balancing way (PTR records will be configured on the DNS). On the other hand, the F5 must NAT the outbound Internet navigation traffic of the users. I mean, the F5 will give a public IP from the second pool (each time, in a round-robin way) to a user who wants to browse the Internet. In this way, when a user asks for his real IP, Google will give him one of the IPs of the second pool. Are those deployments possible?

I suppose I can do it by using SNAT, but I am not sure about it. I have configured the virtual servers to receive incoming mail traffic. I want to create a SNAT pool and attach it to those virtual servers which are managing incoming traffic, but how would BIG-IP differentiate between incoming and outgoing traffic? What about navigation traffic?

Hope you could give me some guidance. Please, I will really appreciate any help.

Thanks

Omar

 

  • You can have the second SNAT pool with your three public IP addresses attached to a 0.0.0.0:* virtual listening on your internal VLAN to handle outgoing traffic.

    If you only have one mail server then you will only have one virtual to point to it. Unless you need a mail server endpoint in each ISP VLAN? Then just create three virtuals, each attached to an external ISP's VLAN, using the same mail server pool. That handles the incoming traffic. For outbound traffic from the mail server use a 0.0.0.0:25 virtual on the inside VLAN with the first SNAT pool.


  • Without a better picture of what the F5 installation looks like it is difficult to give a detailed response. Is your F5 the default path out of your network to the Internet? Where is your mail server, in the DMZ? Are there multiple mail servers, and do you want to load balance to them from the Internet or do you just want to pass mail onto them individually?

    The simplest suggestion is to create virtuals for each direction, e.g. apply them to the relevant listening VLAN only. Then you can control which SNAT pools are applied as the traffic leaves the F5. But again this depends on whether you have multiple interfaces configured, e.g. separate inbound, outbound, DMZ?

    Given you have a requirement for outbound traffic, the 0.0.0.0:* virtual listening on the inside VLAN would use SNAT pool 2 and the 0.0.0.0:25 virtual listening on the DMZ VLAN would use SNAT pool 1. However, you would have to reserve at least a few public IP addresses for virtual servers on the outside.
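As an added illustration (not part of the thread and not F5's own documentation), this is what the layout described above can look like in tmsh on one BIG-IP: three inbound SMTP virtuals, one per ISP VLAN, sharing the mail pool without SNAT; a 0.0.0.0:25 forwarding virtual on the inside VLAN that uses the mail SNAT pool; and a wildcard forwarding virtual on the inside VLAN that uses the second SNAT pool. All addresses (RFC 5737 documentation ranges), VLAN names and object names are constructed placeholders, and it assumes the three mail IPs may serve both as inbound virtual addresses on port 25 and as SNAT translation addresses.

```tmsh
# Constructed example: ISP1 = 203.0.113.0/24, ISP2 = 198.51.100.0/24, ISP3 = 192.0.2.0/24.
# vlan_internal faces the firewall; the single mail server (10.0.0.25) sits behind it.

# SNAT pool 1: the three public IPs outbound mail must leave with (PTR records point at these).
create ltm snatpool snatpool_mail members add { 203.0.113.10 198.51.100.10 192.0.2.10 }

# SNAT pool 2: the three public IPs used for user web browsing.
create ltm snatpool snatpool_users members add { 203.0.113.20 198.51.100.20 192.0.2.20 }

# The mail server as a one-member pool, health-checked on TCP/25.
create ltm pool pool_mail monitor tcp members add { 10.0.0.25:25 }

# Inbound SMTP: one virtual per ISP VLAN, same pool, deliberately no SNAT so the
# firewall still sees the real sender address for its spam checks.
create ltm virtual vs_mail_in_isp1 destination 203.0.113.10:25 ip-protocol tcp pool pool_mail vlans-enabled vlans add { vlan_isp1 }
create ltm virtual vs_mail_in_isp2 destination 198.51.100.10:25 ip-protocol tcp pool pool_mail vlans-enabled vlans add { vlan_isp2 }
create ltm virtual vs_mail_in_isp3 destination 192.0.2.10:25 ip-protocol tcp pool pool_mail vlans-enabled vlans add { vlan_isp3 }

# Outbound SMTP from the mail server: any destination, port 25, inside VLAN only, SNAT pool 1.
# The port-25 match is more specific than the port-any wildcard below, so it wins for mail.
create ltm virtual vs_mail_out destination 0.0.0.0:25 mask any ip-protocol tcp ip-forward vlans-enabled vlans add { vlan_internal } source-address-translation { type snat pool snatpool_mail }

# Outbound user browsing: any destination and port, inside VLAN only, SNAT pool 2.
create ltm virtual vs_users_out destination 0.0.0.0:any mask any ip-protocol any ip-forward vlans-enabled vlans add { vlan_internal } source-address-translation { type snat pool snatpool_users }

save sys config

# Checks: confirm each outbound virtual is matching traffic and carries the intended SNAT pool.
# If a virtual's connection counters stay at zero while users still reach the Internet,
# their traffic is leaving through some other object (and so with some other source address).
show ltm virtual vs_users_out
show ltm virtual vs_mail_out
list ltm virtual vs_users_out source-address-translation
list ltm virtual vs_mail_out source-address-translation
```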

     

  • Hello Kevin,

    Really, thanks a lot for your attention.

    Yes, my F5 is facing the Internet for inbound connections and it is the default path out of my network to the Internet. I have three ISPs, so I have to load balance inbound and outbound connections across them. The pool of public IPs I mentioned is a set of three IPs, one IP for each ISP. I have four VLANs (three external for the ISPs and one internal for the firewall), but I connected just two physical interfaces of my F5. One interface, which carries the three VLANs for the ISPs, is connected to the Internet switch. The other interface, which is managing the internal VLAN, is connected to the firewall. There is just one mail server, which is located behind the firewall. Indeed, my F5 must load balance the incoming mail across the three ISPs, but it must not change the source IP because the firewall is performing spam checking.

    Is there any chance to use the same IP pool to load balance incoming and outgoing mail traffic besides applying SNAT outbound? I was provided just three IPs to load balance mail traffic.

    I suppose I can apply what you say in the last paragraph. But I have just one internal VLAN. Is it better to have two? In this case, does it assure that any user would be given a load balanced public IP to navigate?

    Thanks in advance for your response. Really, I appreciate it.

    I remain attentive

    Best Regards,

    Omar


    • omar05_132659

      What about having two mail servers? I mean, one mail server is going to send and receive emails by using a set of three IPs. The other is just going to send. In the second case I would configure a virtual server 0.0.0.0:25 listening on the internal VLAN with a SNAT associated. But what about the first one? I suppose I cannot have two 0.0.0.0:25 virtual servers with different VLANs and resources.

      Appreciate your help.

      Regards

  • Hello,

    I have already configured a SNAT pool with three specific IPs (one from each ISP) and associated it with a 0.0.0.0:0 virtual server which will handle outbound user navigation traffic. When a user tried to browse the Internet, he received a different public IP each time he asked "What is my IP". But those public IPs were the Self IPs I have configured in the F5 Link Controller. It seems that the SNAT pool I associated (specific public IPs for user navigation) is not taking effect, because he is receiving the Self IPs instead. Where could the error be? Is such a configuration possible?

    I guess the same will happen when I try to send outbound mail traffic across the three ISPs by using specific IPs.

    Hope you could help me. I'll really appreciate it.

    Regards

    Omar