Typically, we always use SNAT in our environment. I have a scenario now where I need to retain source IPs from clients thus disabling SNAT. Here is what I have configured thus far: 1) Created a new VS with a type of "Forwarding IP," a destination network of 0.0.0.0, and a mask of 0.0.0.0. The VS is bound to all ports. It also has a fastL4 profile assigned to it, and is bound to all VLANs and all protocols. 2) Defined a default route on the BIG-IP to a gateway that can reach all of our internal applicable networks. 3) Configured the server's default gateway as the floating self-IP on the corresponding VLAN. From the server, I can reach all external networks. However, I can not access the server FROM a remote network. I can however ping it, but all TCP connections fail (SSH, etc). What configuration am I missing here? My goal is to be able to access the server (which has the LTM defined as it's gateway) from any network via it's assigned IP address and not a VS. Is this possible? Thanks for any help!

Does a traceroute suggest it passes through the F5? Also, have you disabled port and address translation on the VS?

do the upstream routers know that traffic for the servers needs to be sent to the BIG-IP?

Jason, I'm assuming so since I can ping the host. I verified the ping is actually making it to the host by running tcpdump on it. Josh

icmp can be relayed by other gateways. Do you see the tcp request in a tcpdump on the BIG-IP or just the return traffic?

When I try to SSH from an "off-net" host, from the BIG-IP: tcpdump -i 0.0 -s0 host 172.21.101.71 (this is the IP of the off-net client/host = FC-RODNS01) 15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0 15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0 ... So, the BIG-IP is seeing the request. At the same time, I have a tcpdump running on the client (172.21.101.71/fc-rodns01): $ tcpdump host 172.26.100.223 (the IP of the server behind the BIG-IP = buildel564): 15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0 15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0 ... So, the off-net client seems to be ACKing requests from the server behind the F5. But, I'm not seeing anything else. Thanks, Josh

Routed VS SNAT Deployment

18 Replies

Josh_41258
Nimbostratus
Sep 06, 2013
This brings me to another question..

Would it be easier/best practices to carve out a new /24 for example, and directly connect it to the BIG-IP instead of attempting to use networks that are not directly connected? Essentially, make the BIG-IP the "router" for this dedicated network. Then, create one static route on our cores (which the BIG-IPs are connected to) for this new directly connected network?

Josh
JRahm
Admin
Sep 06, 2013
if you need the source IP to actually be the IP (instead of passed in a header) then the BIG-IP needs to be inline for all routing or you need to use npath routing.
nitass_89166
Noctilucent
Sep 06, 2013
15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0 15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0

i think the 2nd packet may be the one from bigip to server. if i am correct, the problem could be routing on server. in tcpdump, you may include "-e" to show mac address.
- JRahm
  Admin
  Sep 06, 2013
  a full second to pass through the BIG-IP? Looks like a second SYN attempt to me.
- nitass_89166
  Noctilucent
  Sep 06, 2013
  good point. thanks!

nitass

Employee

Sep 06, 2013

15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0 
15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0

i think the 2nd packet may be the one from bigip to server. if i am correct, the problem could be routing on server. in tcpdump, you may include "-e" to show mac address.

JRahm
Admin
Sep 06, 2013
a full second to pass through the BIG-IP? Looks like a second SYN attempt to me.
nitass
Employee
Sep 06, 2013
good point. thanks!

Forum Discussion

Routed VS SNAT Deployment

18 Replies

Recent Discussions

Inquiry on F5's Maintenance Mode Feature for Pool Members

ASM Bot Defense JS and CSP

iRule interpretation assistance

CWE-20: Improper Input Validation

Errors in setup of BIGIP-NEXT CM VE on KVM

Related Content

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

Where are F5's archived deployment guides?

F5 BIG-IP deployment with OpenShift - per-application 2-tier deployments

Policy Routing in Multi-Arm Deployment

F5 BIG-IP deployment with OpenShift - platform and networking options