Forum Discussion

SimonS_84965
Aug 20, 2011

Passing traffic between a VS and the downstream Node via another hop (firewall)

The topology that I'm looking to set up is one where requests made between the BigIP and the downstream Node are routed via a firewall.

I have split out the VLANs into separate route domains so as to have separate default gateways.

What appears to be happening is that the BigIP is trying to route between the route domains (VRFs/vrouters) instead of passing the traffic back to the default gateway for that route domain.

The following log line is observed:

Connection rejected from IP 10.40.224.18%20 port 43574 to IP 10.126.153.41%241 port 80: One of the route domains is strict.

The route domains absolutely need to be strict so as to force traffic back to the firewall.

The topology is as follows:

Route domain 241 = Applications Tier

Route domain 20 = WAN facing network

The default route for route domain 241 is 10.126.153.1%241, with a self IP of 10.126.153.11%241.

The topology is designed so as to create the following traffic flow:

Client --> BigIP "WAN facing" route domain virtual server 10.126.130.40%20 ---> FW --> Node (10.126.153.41%241)

When I flip the VS over to type "Performance (HTTP)" connections work, but it appears to be all happening on the BigIP and somehow not touching the firewall??

When I set it back to type "Standard" I get the above log error and the client browser reports "Recv failure: Connection reset by peer"

:(

I'm also new to BigIP/TMOS ...

 

 

  • I'm new to BIGIP as well, but what you are trying to do I think can be achieved in this manner:

    Client ---> VS (10.126.130.40%20) F5 (other vlan int with %20) -------- FW --------- (... %241) F5 (10.126.153.41%241) ----Node

    Of course you use two interfaces on the F5 (but they can be trunk and VLAN interfaces), or you can try a transparent firewall.

    In this manner you have the FW separating the route domains.

    I'm not sure if this is helpful or correct, but I would think about it.

    Regards
  • Thanks guys for your help. It's been a while since I updated this thread, but everything is working well now and, short of a few (unpublished) issues re: route domains and things like APM --> AD lookups etc., things work great.

    I moved down the path of route domains and VLAN sub-interfaces to have our BigIP platform sit in multiple network segments and pass traffic back to the correct gateway for that route domain (i.e. the firewall interface in each VLAN) to give the 'feel' of multiple BigIP deployments in the same datacentre. With new features in 11.3+, the ability to handle bandwidth restrictions per RD makes this a very compelling design, I think.

    Happy to provide specifics of configuration if the community think this will help.
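The following tmsh fragment is an added example, not configuration posted by anyone in this thread. It writes out the first reply's diagram (VS in the WAN route domain, out through the firewall, back into a second VS in the application route domain, then to the node) with both route domains kept strict, as the original poster required. The addresses 10.126.130.40, 10.126.153.1, 10.126.153.11 and 10.126.153.41 and the route domain IDs 20 and 241 come from the posts; the object names, the interface numbers, the RD 20 self IP and default gateway (10.126.130.11 and 10.126.130.1) and the inner VS address 10.126.153.20 are assumptions chosen for illustration.

```tmsh
# Added example (not from the thread). Assumed values: all object names,
# interface 1.1, self IP 10.126.130.11%20, gateway 10.126.130.1%20 and the
# inner virtual server 10.126.153.20. Everything else is taken from the posts.

# One tagged VLAN per tier on the same trunk interface
create net vlan wan_vlan interfaces add { 1.1 { tagged } } tag 20
create net vlan app_vlan interfaces add { 1.1 { tagged } } tag 241

# Strict route domains: TMOS will not forward between them itself
create net route-domain rd20 id 20 strict enabled vlans add { wan_vlan }
create net route-domain rd241 id 241 strict enabled vlans add { app_vlan }

# A self IP and a default route per route domain, each pointing at the firewall
# interface that lives in that VLAN
create net self self_wan address 10.126.130.11%20/24 vlan wan_vlan allow-service none
create net self self_app address 10.126.153.11%241/24 vlan app_vlan allow-service none
create net route default_rd20 network 0.0.0.0%20/0 gw 10.126.130.1%20
create net route default_rd241 network 0.0.0.0%241/0 gw 10.126.153.1%241

# What the original post did (left commented out): a Standard VS in %20 with
# its pool member in %241. The full proxy opens the server side from RD 20 to
# RD 241, which strict isolation refuses; this is the configuration behind the
# "One of the route domains is strict" rejection quoted above.
# create ltm pool app_pool_broken members add { 10.126.153.41%241:80 }
# create ltm virtual wan_vs_broken destination 10.126.130.40%20:80 ip-protocol tcp profiles add { tcp http } pool app_pool_broken

# Working shape: each VS only uses members in its own route domain, so the
# firewall is the only device that ever crosses from RD 20 to RD 241.

# Outer VS in RD 20. Its member is the inner VS address as seen from RD 20;
# RD 20 has no connected route for 10.126.153.0/24, so the server-side
# connection leaves via default_rd20, i.e. through the firewall.
create ltm pool to_fw_pool members add { 10.126.153.20%20:80 } monitor tcp
create ltm virtual wan_vs destination 10.126.130.40%20:80 ip-protocol tcp profiles add { tcp http } pool to_fw_pool source-address-translation { type automap }

# Inner VS in RD 241, hit once the firewall forwards the flow onto app_vlan.
# Its member is the real node in the same route domain, so nothing is strict
# about it; replies to the outer VS go back out via default_rd241 (the firewall).
create ltm pool app_pool members add { 10.126.153.41%241:80 } monitor http
create ltm virtual app_vs destination 10.126.153.20%241:80 ip-protocol tcp profiles add { tcp http } pool app_pool source-address-translation { type automap }

# Checks: both domains really are strict, and client connections to the outer
# VS now have a server side inside RD 20 rather than a rejected cross-RD hop
list net route-domain rd20 strict
list net route-domain rd241 strict
show sys connection cs-server-addr 10.126.130.40
```

SNAT automap on the outer VS is what keeps the path symmetric: the inner VS sees the RD 20 self IP as its client and returns traffic through its own default gateway, so the firewall sees both directions of both legs. Without it the inner VS would answer directly to the original client address and the outer VS would never see the reply, which shows up as the same "Connection reset by peer" the poster saw. The configuration for the VLAN sub-interfaces can be extended per route domain in the same pattern for the multi-segment design described in the last reply.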