Forum Discussion
SimonS_84965 (Nimbostratus), Aug 20, 2011
Passing traffic between a VS and the downstream Node via another hop (firewall)
The topology that I'm looking to set up is that requests made between the BigIP and the downstream Node are routed via a firewall.
I have split out the VLANs into separate route domains so as to have separate default gateways.
What appears to be happening is that the BigIP is trying to route between the route domains (VRFs/vrouters) instead of passing the traffic back to the default gateway for that route domain.
The following log line is observed
Connection rejected from IP 10.40.224.18%20 port 43574 to IP 10.126.153.41%241 port 80: One of the route domains is strict.
The route domains absolutely need to be strict so as to force traffic back to the firewall.
The topology is as follows:
Route domain 241 = Applications Tier
Route domain 2 = WAN facing network
The default route for route domain 241 is 10.126.153.1%241,
with a self IP of 10.126.153.11%241.
The topology is designed so as to create the following traffic flow:
Client --> BigIP "Wan Facing" route domain virtual server 10.126.130.40%20 ---> FW --> Node (10.126.153.41%24)
When I flip the VS over to type "Performance (HTTP)", connections work, but it appears to be all happening on the BigIP and somehow not touching the firewall??
When I set it back to type "Standard", I get the above log error and the client browser reports "Recv failure: Connection reset by peer".
:(
I'm also new to BigIP/TMOS ...
2 Replies
Przemek_110000 (Nimbostratus)
I'm new to BIGIP as well, but what you are trying to do I think can be achieved in this manner:
Client ---> VS (10.126.130.40%20) F5 (other vlan int with %20) -------- FW --------- (... %241) F5 (10.126.153.41%241) ----Node
Of course you use two interfaces on the F5 (but they can be trunk and VLAN interfaces), or you can try a transparent firewall.
In this manner you have the FW separating the route domains.
I'm not sure if this is helpful or correct, but I would think about it.
Regards
SimonS_84965 (Nimbostratus)
Thanks guys for your help. It's been a while since I updated this thread, but everything is working well now, and short of a few (unpublished) issues re: route domains and things like APM --> AD lookups etc., things work great.
I moved down the path of route domains and VLAN sub-interfaces to have our BigIP platform sit in multiple network segments and pass traffic back to the correct gateway for that route domain (i.e. the firewall interface in each VLAN) to give the 'feel' of multiple BigIP deployments in the same datacentre. With new features in 11.3+, the ability to handle bandwidth restrictions per RD makes this a very compelling design, I think.
Happy to provide specifics of configuration if the community thinks this will help.
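As an added illustration of the design the thread converges on (not configuration posted by either participant), the following tmsh commands sketch the two strict route domains with their own default routes, plus the one change that avoids the "One of the route domains is strict" rejection: the pool member behind the RD 20 virtual server is addressed in RD 20, so the BIG-IP hands it to RD 20's default gateway (the firewall) instead of trying to forward into RD 241. The VLAN names, the interface, the RD 20 self IP and gateway (10.126.130.11%20 and 10.126.130.1%20) and the node subnet mask are assumptions; addresses in the thread are reused as given.

```tmsh
# Added example, not from the thread. VLAN names, interface 1.1, and the
# RD 20 self IP / gateway are assumed values.
create net vlan wan-facing interfaces add { 1.1 { tagged } } tag 20
create net vlan app-tier  interfaces add { 1.1 { tagged } } tag 241

# Strict isolation: the BIG-IP will not forward between these RDs itself,
# so each RD can only leave via its own default route (the firewall leg).
create net route-domain rd20  id 20  strict enabled vlans add { wan-facing }
create net route-domain rd241 id 241 strict enabled vlans add { app-tier }

# One self IP and one default route per route domain
create net self self-rd20  address 10.126.130.11%20/24  vlan wan-facing allow-service none
create net self self-rd241 address 10.126.153.11%241/24 vlan app-tier  allow-service none
create net route default-rd20  network 0.0.0.0%20/0  gw 10.126.130.1%20
create net route default-rd241 network 0.0.0.0%241/0 gw 10.126.153.1%241

# Rejected under strict isolation (what the original post described):
# a VS in RD 20 with a pool member in RD 241 asks the BIG-IP to cross RDs.
#   create ltm pool app-pool members add { 10.126.153.41%241:80 }
#   create ltm virtual wan-vs destination 10.126.130.40%20:80 pool app-pool

# Works: address the member in the VS's own route domain. The packet is
# routed by RD 20's table, i.e. to the firewall, which forwards it into
# the application tier. SNAT to the RD 20 self IP keeps the return path
# symmetric through the firewall as well.
create ltm pool app-pool-rd20 members add { 10.126.153.41%20:80 } monitor tcp
create ltm virtual wan-vs destination 10.126.130.40%20:80 ip-protocol tcp \
    profiles add { tcp http } pool app-pool-rd20 \
    source-address-translation { type automap }
```

With this layout, any attempt to reach an RD 241 address directly from the RD 20 virtual server still surfaces as the "route domains is strict" log line, which is the expected signal that a flow tried to bypass the firewall.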