Forum Discussion

Aug 20, 2011

Passing traffic between a VS and the downstream Node via another hop (firewall)

The topology that I'm looking to set up is that requests made between the BigIP and the downstream Node are routed via a firewall.

I have split out the VLANs into separate route domains so as to have separate default gateways.

What appears to be happening is that the BigIP is trying to route between the RouteDomains (vrfs/vrouters) instead of passing the traffic back to the default gateway for that route domain.

The following log line is observed:

Connection rejected from IP port 43574 to IP port 80: One of the route domains is strict.

The route domains absolutely need to be strict so as to force traffic back to the firewall.

The topology is as follows:

Route domain 241 = Applications Tier

Route domain 2 = WAN facing network

The default route for route domain 241

With a self IP of

The topology is designed so as to create the following traffic flow:

Client --> BigIP "Wan Facing" route domain virtual server ---> FW --> Node (

When I flip the VS over to type "Performance (HTTP)" connections work.. but it appears to be all happening on the BigIP and somehow not touching the firewall??

When I set it back to type "standard" I get the above log error and the client browser reports "Recv failure: Connection reset by peer"

I'm also new to BigIP/TMOS ...



2 Replies

  • I'm new to BIGIP as well, but what you are trying to do I think can be achieved in this manner:

    Client ---> VS ( F5 (other vlan int with %20) -------- FW --------- (... %241) F5 ( ----Node

    of course you use two interfaces on F5 (but can be trunk and vlan interfaces), or you can try transparent firewall

    in this manner you have FW separating route domains.

    I'm not sure if this is helpful or correct but I would think about it



  • Thanks guys for your help, it's been a while since I updated this thread but everything is working well now and short of a few (unpublished) issues re: route domains and things like APM --> AD lookups etc things work great

    I moved down the path of route domains and VLAN sub-interfaces to have our BigIP platform sit in multiple network segments and pass traffic back to the correct gateway for that route domain (i.e. firewall interface in each vlan) to give the 'feel' of multiple BigIP deployments in the same datacentre. With new features in 11.3+ the ability to handle bandwidth restrictions per RD makes this a very compelling design I think.

    Happy to provide specifics of configuration if the community think this will help.
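As an added illustration of the layout described in the question and in the last reply (a constructed tmsh configuration, not the poster's own), the fragment below gives each strict route domain its own default route to the firewall interface in its VLAN, and shows the pool definition that triggers "One of the route domains is strict" beside one where the member is addressed in the same route domain as the virtual server, so the BigIP hands the traffic to that domain's gateway (the firewall) instead of forwarding between route domains. VLAN names, interface numbers and all addresses (documentation ranges) are assumptions.

```tmsh
# Constructed example. VLAN names, interfaces and addresses are placeholders.

# One VLAN per network segment the BigIP sits in
net vlan wan_vlan { interfaces { 1.1 { tagged } } tag 2 }
net vlan app_vlan { interfaces { 1.1 { tagged } } tag 241 }

# Strict route domains: no forwarding between them, not even via the parent
net route-domain rd_wan { id 2 strict enabled vlans { wan_vlan } }
net route-domain rd_app { id 241 strict enabled vlans { app_vlan } }

# One self IP per route domain
net self wan_self { address 203.0.113.5%2/24 vlan wan_vlan allow-service none }
net self app_self { address 198.51.100.5%241/24 vlan app_vlan allow-service none }

# Each route domain's default route points at the firewall interface in its VLAN
net route rd_wan_default { network default%2 gw 203.0.113.1%2 }
net route rd_app_default { network default%241 gw 198.51.100.1%241 }

# Rejected with "One of the route domains is strict": the virtual server
# listens in RD 2 while this member lives in RD 241.
ltm pool app_pool_cross_rd {
    members { 198.51.100.10%241:80 { address 198.51.100.10%241 } }
    monitor tcp
}

# Works: the same node addressed inside RD 2. It is not on an RD 2 connected
# subnet (app_vlan belongs to RD 241), so the BigIP uses rd_wan_default and
# the firewall, which has an interface in the app VLAN, delivers it to the node.
ltm pool app_pool {
    members { 198.51.100.10%2:80 { address 198.51.100.10%2 } }
    monitor tcp
}

# Standard virtual server in RD 2. SNAT automap picks the RD 2 self IP, so the
# node's replies also travel back through the firewall rather than directly
# to the BigIP's app_vlan self IP.
ltm virtual vs_app {
    destination 203.0.113.10%2:80
    ip-protocol tcp
    pool app_pool
    profiles { http { } tcp { } }
    source-address-translation { type automap }
}
```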