Randy_Johnson_1
Jan 24, 2012

Questions regarding a 'WildCard Virtual Server'


Group -

I'm trying to set up a wildcard virtual server, and I'm a bit confused.

My use case is this:

Our LTM sits inside our firewall.

We load balance a pool of web servers behind the LTM, with virtual servers defined in the VLAN on the external side of the LTM; the web servers use the LTM as their default gateway.

We use non-routable addresses inside the firewall.

We have changed the applications hosted on our load balanced web servers so that they need to make HTTPS requests to resources out on the Internet.

The simplest way to do this (reading the manual chapter on Configuring Virtual Servers at http://support.f5.com/kb/en-us/prod...ml1193196 ) would seem to be to configure a 'wildcard virtual server'.

I have created the 'wildcard' server, as below:

    virtual vs_Wildcard_Forwarding {
       ip forward
       snat automap
       destination any:any
       mask 0.0.0.0
       ip protocol tcp
       profiles fastL4 {}
    }

But now I need to configure a 'pool of transparent devices'?

Are these 'transparent devices' my firewall, or the external sites to which I need to direct requests from my web servers?

Thanks for any advice!!

  • You mean that your web servers will be the source IP for requests going to the Internet?

    And that your setup is the following?

    Internet <-> Firewall (NAT) <-> F5 <-> Webservers

    Well, regarding the "wildcard" server: that's mainly used for when one wants the F5 to act as a regular L3 device (router; think Cisco 6500 or whatever). That is because the F5 is default block. If a packet hitting the F5 cannot be matched to any VServer (Local Traffic Manager configuration), the packet will be dropped.

    For information on how to set up your F5 to act as a router: http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/2160861/showtab/groupforums/Default.aspx2236528 (look at my postings from 01/14/2012).

    So sure, you can either use:

    1) Wildcard (for routing)
    +
    2) Specific VServer for the inbound connections (someip:TCP80)

    no need for snat automap

    OR you can let F5 be part of your security infrastructure and only set up:

    1) Wildcard for outgoing traffic (like 0.0.0.0:443, and even limit this to the VLAN where your web servers sit)
    +
    2) Specific VServer for inbound connections (someip:TCP80), and also limit this to the VLAN where your firewalls sit.
  • If BIG-IP's default route is the firewall, an IP forwarding virtual server will work fine.

    However, if there is no default route on BIG-IP, or you want a specific gateway for traffic (e.g. there are a number of gateways available), you may use a standard or performance layer 4 virtual server.

    This is a standard virtual server:

    [root@ve1023:Active] config # b virtual vs_Wildcard_Forwarding list
    virtual vs_Wildcard_Forwarding {
       snat automap
       pool gateway
       destination any:any
       mask 0.0.0.0
       ip protocol 6
    }

    And this is a performance layer 4 virtual server:

    [root@ve1023:Active] config # b virtual vs_Wildcard_Forwarding list
    virtual vs_Wildcard_Forwarding {
       snat automap
       pool gateway
       destination any:any
       mask 0.0.0.0
    }

  • Wouldn't it be bad to use "snat automap" in this situation, since the firewall is already performing the NATing?
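Putting the two replies together, here is what the suggested split (a VLAN-limited outbound wildcard for TCP/443 plus a VLAN-limited inbound virtual server, with the next hop chosen through a gateway pool) looks like as a BIG-IP configuration. This is an added example, not configuration from the original post or from the replies; it is written as a tmsh-style bigip.conf fragment rather than the bigpipe syntax shown in the thread, and every name and address in it is assumed: a web-server VLAN vlan_web with servers 10.0.1.11 and 10.0.1.12, a firewall-facing VLAN vlan_fw, a firewall inside address 10.0.0.1, and an inbound virtual address 10.0.0.50. The pool_gateway here plays the role of the 'pool of transparent devices' from the manual chapter: its members are the next-hop firewall(s) that pass the web servers' outbound HTTPS along without changing its destination, not the Internet sites themselves.

```tmsh
# Added example (not from the thread). All names, VLANs and addresses are assumed.

# Next-hop pool: the firewall's inside interface is the "transparent device".
# Port any (0), because the LTM must not rewrite the destination port.
ltm pool pool_gateway {
    members {
        10.0.0.1:any {
            address 10.0.0.1
        }
    }
    monitor gateway_icmp
}

# The load-balanced web servers behind the LTM.
ltm pool pool_web {
    members {
        10.0.1.11:80 {
            address 10.0.1.11
        }
        10.0.1.12:80 {
            address 10.0.1.12
        }
    }
    monitor http
}

# Outbound: only TCP/443 arriving on the web-server VLAN is forwarded to the
# gateway pool. Address and port translation are disabled so the original
# Internet destination is preserved and only the next hop is chosen from the
# pool. Anything else that reaches the LTM without a matching virtual server
# is dropped (default block).
ltm virtual vs_outbound_https {
    destination 0.0.0.0:443
    mask any
    ip-protocol tcp
    pool pool_gateway
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    snat automap
    vlans {
        vlan_web
    }
    vlans-enabled
}

# Inbound: the published service, accepted only on the firewall-facing VLAN.
ltm virtual vs_web_http {
    destination 10.0.0.50:80
    mask 255.255.255.255
    ip-protocol tcp
    pool pool_web
    profiles {
        http { }
        tcp { }
    }
    vlans {
        vlan_fw
    }
    vlans-enabled
}
```

If the LTM's default route already points at the firewall (the first case in the second reply), drop the pool, translate-address and translate-port lines from vs_outbound_https and add ip-forward instead; the VLAN restriction works the same way. The snat automap line reproduces the second reply's setting: with it, the firewall sees the LTM's floating self IP on vlan_fw as the source of the outbound connections; without it, the firewall sees the web servers' non-routable addresses and has to NAT them itself, which is the situation the last comment asks about. The syntax shown is the 11.0 to 11.2 form; 11.3 and later write the SNAT setting as source-address-translation { type automap }. After loading, tmsh show ltm pool pool_gateway members confirms the gateway monitor is up, and tmsh show ltm virtual vs_outbound_https shows whether the web servers' HTTPS connections are actually hitting the wildcard rather than being dropped.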