Forum Discussion

sketchie_85427
Feb 02, 2012

Secure inter-vlan routing

External firewall routes to LTM for 6 application VLANs that are behind the LTM. The LTM is the default gateway for each of the 6 VLANs and its default route points to the firewall. Typically I would have an IP Forwarding VS to enable routing, and if no direct inter-VLAN traffic is required I could filter so that no inter-VLAN communication was allowed.

But the client wants to allow some inter-VLAN traffic, and would like to force all traffic from each of the 6 internal VLANs up to the firewall for all routing decisions, so that the firewall is used to secure the inter-VLAN traffic.

Can you force all internal VLANs directly connected on the LTM to go up to the external firewall to secure local traffic between VLANs?
  • Is the route domain feature applicable?

    Configuring Route Domains
    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_route_domains.html
  • Hamish
    I do this with a dedicated network virtual server for the VLANs that need to go via a firewall. You could also use routing domains to segregate the two environments, but to force the firewall for inter-DMZ traffic you need that VS...

    H
  • Hi Hamish,

    Can you explain how to configure the VS for implementing this scenario? I have the same scenario but I am not able to find the VS configuration that works. I would rather not configure route domains or iRules, if possible.

    Regards
  • Hamish
    For the network VSs? Basically, to route across the BigIP you need a VS to do the forwarding. In order to make all inter-DMZ traffic pass through the firewall, you have 2 VSs to manage the two interfaces used to route to/from a DMZ.

    The VS that routes traffic TO the DMZ should only be enabled on the VLAN facing the firewall. Then the default VS is enabled only on the DMZs themselves, and it should be of type STANDARD instead of forwarding. The default pool should have 1 pool member: the firewall itself.

    So when traffic comes from a DMZ, it hits the default VS (the only network VS enabled on the DMZ). It forwards traffic to the default pool, which is the firewall. The firewall processes the traffic. If allowed, it sends the traffic BACK to the BigIP. That hits the VS for the DMZ (enabled on the firewall-facing VLAN) and is forwarded using the routing table.

    H
  • Thanks for your help!! As suggested, I was able to provide the security the users requested with dedicated virtual servers. On the outside interface I used a typical IP Forwarding virtual, then on the inside VLANs I applied virtual servers such as the following to forward to my outside firewall: a separate virtual for each VLAN, all using the same pool to the firewall.

    pool IP_Forwarding_FW06 {
       monitor all Gateway_ICMP_30sec
       members 1.1.1.1:any {}
    }

    virtual IP_Forward_v454 {
       pool IP_Forwarding_FW06
       destination any:any
       mask 0.0.0.0
       vlans Msg-v454 enable
    }

    virtual IP_Forward_v462 {
       pool IP_Forwarding_FW06
       destination any:any
       mask 0.0.0.0
       vlans ADFS-v462 enable
    }

    virtual Generic_IP_Forwarding_virtual_server {
       ip forward
       destination any:any
       mask 0.0.0.0
       vlans {
          External-v342
          Heartbeat
       } enable
    }

    Added to that, an iRule to limit which of the internal networks were allowed to call virtual servers. This is to separate out two groups of networks: dev source nets can call dev virtuals, and prod source nets can call prod VIPs, but not vice versa.

    Apply the Prod_FW iRule to production virtuals.

    rule Prod_FW {
       when CLIENT_ACCEPTED {
          log local0. "Prod_FW: New Connection From [IP::client_addr]:[TCP::client_port]"

          # Dev_NETS is an address data group (class) holding the dev source networks
          if { [class match [IP::client_addr] equals Dev_NETS] } {
             log local0. "Prod_FW: IP Address matched, dropping"
             table incr -subtable FW_stats [IP::client_addr]
             log local0. "Prod_FW: [IP::client_addr] hit this rule [table lookup -subtable FW_stats [IP::client_addr]] times"
             reject
          }
       }
    }
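As an added illustration that is not from the thread or from F5: a small Python model of the VLAN-scoped virtual-server layout Hamish describes and sketchie configured, with an audit that every inter-VLAN path crosses the firewall exactly once, and that flags the bypass created if the IP-forwarding virtual were enabled on an internal VLAN. The prefixes are constructed, 1.1.1.1 is the thread's placeholder firewall address, and the function and dictionary names are mine.

```python
from ipaddress import ip_address, ip_network

FIREWALL = "1.1.1.1"       # the single pool member, as in the thread (placeholder IP)
FW_VLAN = "External-v342"  # the VLAN facing the firewall

# Routing table: destination prefix -> VLAN (constructed sample prefixes).
ROUTES = {"10.54.0.0/24": "Msg-v454", "10.62.0.0/24": "ADFS-v462",
          "0.0.0.0/0": FW_VLAN}  # default route leaves via the firewall VLAN

# One wildcard virtual server per VLAN, like the thread's layout: internal
# VLANs get a standard VS whose pool is the firewall; the firewall-facing
# VLAN gets the plain IP-forwarding VS.
VIRTUALS = {"Msg-v454": ("pool", FIREWALL), "ADFS-v462": ("pool", FIREWALL),
            FW_VLAN: ("ip-forward",)}


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress VLAN."""
    addr = ip_address(dst)
    best = max((ip_network(n) for n in ROUTES if addr in ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def forward(ingress_vlan, dst, virtuals=VIRTUALS):
    """Hops a packet takes when it arrives on ingress_vlan bound for dst.
    The firewall is modelled as permitting the flow and handing it back
    to the LTM on FW_VLAN, which is the return path the thread describes."""
    action = virtuals.get(ingress_vlan)
    if action is None:
        raise ValueError(f"no forwarding virtual enabled on {ingress_vlan}")
    if action[0] == "pool":  # standard VS: next hop is the pool member
        return [f"firewall:{action[1]}"] + forward(FW_VLAN, dst, virtuals)
    return [f"vlan:{route_lookup(dst)}"]  # ip-forward VS: routing-table lookup


def audit(virtuals=VIRTUALS):
    """Return (src_vlan, dst_vlan, hops) for every inter-VLAN path that does
    not cross the firewall exactly once; an empty list means the layout holds."""
    internal = sorted(set(ROUTES.values()) - {FW_VLAN})
    problems = []
    for src in internal:
        for net, dst_vlan in ROUTES.items():
            if dst_vlan in internal and dst_vlan != src:
                hops = forward(src, str(ip_network(net)[10]), virtuals)
                if hops.count(f"firewall:{FIREWALL}") != 1:
                    problems.append((src, dst_vlan, hops))
    return problems
```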