Separating APM traffic from LTM traffic

So I assume the Vs we have for the VPN would also need the %1 correct? Right now we have our DMZ as the core default route (192.168.0.0) And we want to use our other network 10.80.x.x for the VPN.

You can set independent default routes to each Route Domain. We chose to use the Route Domain because when we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without over complicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop down to select the Route Domain you want it reference. All the self-ips, and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made and everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.

You can set independent default routes to each Route Domain. We chose to use the Route Domain because when we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without over complicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop down to select the Route Domain you want it reference. All the self-ips, and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made and everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.

Did you have to setup an additional VLAN? Right now we have have two VLANS (DMZ and Server). For LTM use, we need the Server VLAN for for load balancing. However, when I go to create a default route, it says the gateway I want to use is not directly connected to an interface. When I created the route domain, it won't let me select the Server VLAN since it is used by the DG. We tried creating a forwarding virtual server that the source is our Network Lease Pool that is forwarded to the DG IP and is listening on all ports. It is enabled on the Server VLAN (which we want) and even configured a SNAT Pool that is a server vlan self ip. We just can't get this to work.

sorry if this revives an old thread, but thanks Kyle, that was the explanation i needed!

 

i had exactly the same requirements, to segregate our VPN client traffic off to another interface/vlan so that we can pump it through a firewall to filter user access, we've grown by acquisition so our traditional one size fits all approach to VPN access is well past it's use-by date. but didn't want to interfere with our generic self-ip that we use DNS (GTM) which sits on our server VLAN.

 

to slightly answer Grayson's question and hopefully help anyone else getting stuck - yes, create a new VLAN interface - i had an "internal" and "external" vlan previously, then created a new "vpn_user_subnet" vlan (tagged on the same interface as the internal vlan)

 

i then created a new route domain (RD_VPN) and put the vpn_user_subnet in it then a new self-ip (i'm not 100% sure if this is required?) RD_VPN_1 with 10.1.1.253%1, on the vpn_user_subnet VLAN and a corresponding 10.0.0.0%1 / 255.0.0.0 route via 10.1.1.254%1

 

that's the interface/route/vlan side of things, once you've done that you need to add a "route domain and SNAT selection" item to your APM policy which selects the correct route domain & snat (i use 'none') and off you go...

 

it's been handy because i can now turn on proxy-arp for the IP lease pool, previously the IP lease pool for the VPN clients was an IP range that the BIG-IP interface didn't actually sit in, now i can have the VPN clients as a proper extension of the network so they're reachable for troubleshooting.

 

I am glad that you got something out of it. Since then we had an issue with our users support staff being able to ping/RDP to the VPN clients. We found this post which fixed those issues. By adding the tunnel (Network>Tunnels>Tunnel List) to that route domain, we are now able to ping/RDP to the client machines.

 

https://devcentral.f5.com/s/feed/0D51T00006i7ZVPSA2

 

I am glad that you got something out of it. Since then we had an issue with our users support staff being able to ping/RDP to the VPN clients. We found this post which fixed those issues. By adding the tunnel (Network>Tunnels>Tunnel List) to that route domain, we are now able to ping/RDP to the client machines.

 

https://devcentral.f5.com/s/feed/0D51T00006i7ZVPSA2