Forum Discussion

Comunicaciones2
Feb 18, 2014

SMTP Load Balancing without SNAT Outbound traffic problems

Hello,

 

I'm sorry because this is an issue that has been reviewed in the forum, but in our case it doesn't work and we don't know what the problem is. We have two SMTP VLANs, internal (192.168.26.0/24) and external (192.168.227.0/24).

In the external we have a standard virtual server (192.168.227.11) with an SMTP pool with two servers in the internal VLAN (192.168.26.11 and 192.168.26.12). We have SNAT Automap disabled because we want to keep the original source IP, so the SMTP servers have their default gateway on the F5 (192.168.26.1). This works OK.

The problem is about outbound traffic. For example, when an SMTP server tries to send outbound traffic to the Internet or to Exchange servers through the F5, it doesn't work. We know the internal servers can reach the F5 SMTP internal floating IP (192.168.26.1) by ping, but it seems it doesn't know what to do with traffic originated on the SMTP servers, or where to send it. It also happens with any connection started on the server.

We have tried to configure a 0.0.0.0/0.0.0.0:any virtual server, forwarding IP, enabled on the internal VLAN, but it doesn't work. Traffic reaches the F5 (we see IN traffic statistics), but it doesn't continue to the external VLAN. We have also tried with a default route (0.0.0.0/0 -> 192.168.227.1), but it doesn't work.

Could you help us?

Thank you very much!


  • It sounds as though you have done all the right things - why don't you try replacing the "forwarding IP" virtual with a Standard network virtual (to enable easier troubleshooting - you can replace it with a forwarding/fastl4 later).

    Execute tcpdump -i0.0:nnn -s0 -XXX host a.a.a.a while you run telnet a.a.a.a 25 on one of your internal servers - what do you see?

    What is a.a.a.a - is it in 192.168.227.0/24? What is the output of tmsh /net show arp for IP a.a.a.a?


  • Thanks for your fast response.

    In the tcpdump command that you gave me, the only thing I have to change is the a.a.a.a, isn't it? I don't exactly know what you mean by a.a.a.a. I suppose it is the destination of the outbound traffic, but in our case the destination is the final user. However, he isn't in the 192.168.227.0/24 network, he is in another network, so there is no output of "show arp a.a.a.a"; it only shows the IP addresses that are directly connected.

    Thank you. Regards.


  • OK, thanks, it wasn't clear to me whether a.a.a.a was in an attached network or another.

    So do you have a default route configured? You need a route on the LTM to get to the external network via an address on 192.168.227.0/24. I know you said above that you tried via 192.168.227.1, but I wasn't sure if that was your own self IP or an external gateway.


  • We have tried to configure a 0.0.0.0/0.0.0.0:any virtual server forwarding IP enabled on internal VLAN but it doesn't work.

    Did you set SNAT automap under the wildcard (0.0.0.0:any/0) virtual server configuration?

    We have also tried with a default route too (0.0.0.0/0 -> 192.168.227.1), but it doesn't work.

    A default route is needed since you are using a forwarding IP virtual server.


  • So, the configuration is correct, isn't it? We have to configure a wildcard IP forwarding virtual server in the internal VLAN to allow outbound traffic with automap enabled, and we also need to configure a default route (0.0.0.0/0.0.0.0, use gateway, resource: gateway address: 192.168.227.1).

    We tried all these things, but I think not at the same time. Next time we'll try them all together.

    By the way, 192.168.227.1 is the IP of the external VLAN (192.168.227.0/24) and it is a router.

    Regards.


  • We have to configure a wildcard IP forwarding virtual server in the internal VLAN to allow outbound traffic - Yes

    with automap enabled - Maybe; it depends on your network topology whether you need a source NAT to force the return traffic back to your F5

    we also need to configure a default route (0.0.0.0/0.0.0.0, use gateway, resource: gateway address: 192.168.227.1) - Yes


  • Hello,

    We finally solved the problem. We configured all of this, but we also needed to configure a fastL4 outbound traffic profile, activating loose initiation and loose close. With this configuration, it worked perfectly.

    Regards.

    • Carlos_Alperin
      Can you summarize how you made it work? We're facing the same issue. INBOUND works perfectly, but OUTBOUND, with SNAT or without SNAT with Network Forwarding, stops all the OUTBOUND traffic.
    • Comunicaciones2
      Sure! All you need is to create a virtual server without SNAT (Automap). The virtual IP (self IP) of the internal VLAN has to be the default gateway of the servers you want to balance. You have to create a default route pointing to the default gateway of the balancing VLAN (external VLAN). Thereby, the outbound traffic will know how to reach the destination network. Furthermore, you have to create an outbound virtual server, type Forwarding IP, with 0.0.0.0 destination, and without automap. In this virtual server, you have to configure a fastL4 protocol profile. You have to modify the fastL4 profile and activate Loose Initiation and Loose Close. And that's all.
  • So, let's say my two servers are x.x.x.82 and x.x.x.83, and my self IP on the internal VLAN is .16. All I need to do is create a VIP on the internal VLAN with x.x.x.16 as IP on port 25 and type Forwarding IP, and choose FastL4, or should I use the destination 0.0.0.0/0.0.0.0?

  • The internal VLAN self IP has to be the same as the default gateway you have configured in your servers. This is necessary to ensure the outbound traffic passes through the F5. Apart from that, you have to create the Forwarding IP virtual server in the internal VLAN to accept the outbound traffic, but you have to use the destination 0.0.0.0/0.0.0.0 to accept any kind of outbound traffic. Don't forget to use the FastL4 profile.
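The working configuration described in the two answers above (default route to the external router, inbound SMTP virtual without SNAT, wildcard Forwarding IP virtual on the internal VLAN with a fastL4 profile that has loose initialization and loose close enabled), written out as a tmsh command batch. This is an added example and not configuration posted by either participant. The addresses are the ones given in the thread; the object names (pool_smtp, vs_smtp, fastl4_outbound, vs_outbound_forward), the VLAN names internal and external, the use of the built-in smtp monitor and the v11.3-or-later source-address-translation syntax are assumptions.

```tmsh
# Added example: F5 LTM tmsh commands for the setup in this thread.
# Addresses come from the thread; object and VLAN names are assumed.

# 1. Default route towards the router on the external VLAN (192.168.227.1),
#    so the LTM knows where to send outbound traffic whose destination is
#    not a directly connected network.
create net route default gw 192.168.227.1

# 2. Inbound SMTP: a pool of the two internal servers and a standard virtual
#    with SNAT disabled, so the servers see the client's real source IP.
#    Without SNAT the servers' default gateway must be the LTM internal
#    floating self IP (192.168.26.1), or their replies never come back
#    through the LTM.
create ltm pool pool_smtp monitor smtp members add { 192.168.26.11:25 192.168.26.12:25 }
create ltm virtual vs_smtp destination 192.168.227.11:25 ip-protocol tcp profiles add { tcp } pool pool_smtp source-address-translation { type none }

# 3. fastL4 profile for the outbound forwarding virtual. Loose initialization
#    lets the LTM create a flow from a segment that is not a SYN, and loose
#    close lets it tear the flow down without seeing the full FIN exchange;
#    the thread reports outbound traffic only worked with both enabled.
create ltm profile fastl4 fastl4_outbound defaults-from fastL4 loose-initialization enabled loose-close enabled

# 4. Wildcard Forwarding IP virtual, no SNAT, listening only on the internal
#    VLAN. The vlans-enabled restriction is what keeps this virtual from
#    forwarding anything that arrives on the external side.
create ltm virtual vs_outbound_forward destination 0.0.0.0:any mask any ip-forward profiles add { fastl4_outbound } vlans-enabled vlans add { internal } source-address-translation { type none }

# Verification: route table, the profile's loose settings, and the
# forwarding virtual as the LTM stored it.
show net route
list ltm profile fastl4 fastl4_outbound
list ltm virtual vs_outbound_forward
save sys config
```

The forwarding virtual uses destination 0.0.0.0:any because the thread's answer wants every kind of outbound connection from the servers to pass, so the VLAN restriction is the only thing scoping it; if the servers only ever need outbound SMTP, a destination of 0.0.0.0:25 narrows the forwarded traffic with no other change. The same tcpdump suggested in the first reply (tcpdump -i0.0:nnn -s0 -XXX host a.a.a.a on the LTM while a server telnets to port 25) is the quickest way to confirm the flow is entering on the internal VLAN and leaving on the external one.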