Forum Discussion
Jon_46044
Nimbostratus
NimbostratusProbably a fairly simplistic network route, but I'm confusing myself, so...
Just had some LTMs intalled in Active Passive setup. Got a test site setup using public IPs and SNAT. We'd like to change to private IP addresses, and use the LTMs to balance/access the site.
Currently, I moved a test server to the private network, and changed the member address, added Self IPs on that private network, and the VS works fine... problem is, I can't route to the world from the servers on the private network, and my monitoring/management server can't access the private network (I added a static route to that server, and it can ping the LTMs Self IPs on the private network, but not the server itself.
Using Deb's diagram (thanks Deb!)
72.x.x.x is Public
10.10.10.x is Private
I
/\
/ \------------------------ 72.x.x.62 (Management w/ Route to 10.10.10.0 Network)
/ \
72.x.x.57 (Shared)
--------- ---------
LTM1 LTM2
72.x.x.58 72.x.x.59
--- ---
10.10.10.1 10.10.10.2
--------- ---------
10.10.10.3 (Shared)
\ /
\ /
\ /
-------------
10.10.10.29 (Pool Member)I can host the site fine on the .29 server
I can ping .57, .58, .1, .3 from .29 (When LTM1 is Active)
I can ping .57, .58, .1, .3 from Management Server (When LTM1 is Active)
I cannot ping 10.10.10.29 from Management Server
I cannot ping Management Server from 10.10.10.29
I cannot access Internet from 10.10.10.29
Server .29 has Gateway set as 10.10.10.3 (had the same results with Gateway set to 72.x.x.57, VS still worked fine, but I could not route out to the internet via web browser/ping).
I don't want anything on the 72.x.x.x network to have access to the 10.10.10.x network (other than the Management server which has a Persistent Route), but I do need the 10.10.10.x network to get out to the world (Windows Updates, communication outside the 10.10.10.x network, etc).
My guess is I'm just missing a "route" on the LTMs... but staring at the Route Screen, I'm not 100% sure how to define it JUST for the 10 network, and not for the entire device...
Help! (I'm sure this is simply, its just beyond my scope of network understanding).
Thanks
johnsEmployee
What you are trying to do is to route through, as you said. LTM is a default-deny device like a firewall, and you need to configure what is known as "Forwarding Virtual Server". For example, in order to allow outbound access from the 10.10.10.29, you would need to configure 0.0.0.0 forwarding virtual server on port 0 enabled on the 10.10.10 VLAN, which will allow traffic to ANY destination using ANY destination port from hosts on that VLAN.
virtual route_thru {
ip forward
destination any:any
mask none
vlans internal enable
}
If you were to enable this on "All VLANS", which is the default, then any host on anywhere with route using the LTM as gateway will be able to route through. This may not be a good security practice, so enabling on a specific VLAN where traffic will be originated from is what I'd recommend.
In order to pass traffic from your management station to the server, you will need something similar. Since one can consider the 72.X.X network to be "unsecured", you will want to lock it down. I suggest creating a forwarding virtual server as above:
virtual route_72_thru {
ip forward
destination 10.10.10.0:any
mask 255.255.255.0
vlans external enable
}
This would allow only destination address matching 10.10.10.0/24 would be allowed from the external VLAN. You can also use Packet Filter or iRule (based on source of the management workstation) to further secure it.