Forum Discussion
SMTP Load Balancing without SNAT Outbound traffic problems
Hello,
I'm sorry because this is an issue that has already been reviewed in the forum, but in our case it doesn't work and we don't know what the problem is. We have two SMTP VLANs, internal (192.168.26.0/24) and external (192.168.227.0/24).
On the external VLAN we have a standard virtual server (192.168.227.11) with an SMTP pool of two servers on the internal VLAN (192.168.26.11 and 192.168.26.12). We have SNAT Automap disabled because we want to keep the original source IP, so the SMTP servers have their default gateway on the F5 (192.168.26.1). This works OK.
The problem is with outbound traffic. For example, when an SMTP server tries to send outbound traffic to the Internet or to Exchange servers through the F5, it doesn't work. We know the internal servers can reach the F5 internal floating IP (192.168.26.1) by ping, but it seems the F5 doesn't know what to do with traffic originated on the SMTP servers, or where to send it. It also happens with any connection started from the server.
We have tried to configure a 0.0.0.0/0.0.0.0:any forwarding IP virtual server enabled on the internal VLAN, but it doesn't work. Traffic reaches the F5 (we see IN traffic statistics), but it doesn't continue to the external VLAN. We have also tried with a default route (0.0.0.0/0 -> 192.168.227.1), but it doesn't work.
Could you help us?
Thank you very much!
- IheartF5_45022 (Nacreous)
It sounds as though you have done all the right things. Why don't you try replacing the "forwarding IP" virtual with a Standard network virtual (to enable easier troubleshooting; you can replace it with a forwarding/FastL4 later)?
Execute tcpdump -i0.0:nnn -s0 -XXX host a.a.a.a while you run telnet a.a.a.a 25 on one of your internal servers. What do you see?
What is a.a.a.a? Is it in 192.168.227.0/24? What is the output of tmsh /net show arp for IP a.a.a.a?
- Comunicaciones2 (Nimbostratus)
Thanks for your fast response.
In the tcpdump command that you gave me, the only thing I have to change is the a.a.a.a, isn't it? I don't exactly know what you mean by a.a.a.a. I suppose it is the destination of the outbound traffic, but in our case the destination is the final user. However, he isn't in the 192.168.227.0/24 network, he is in another network, so there is no output of "show arp a.a.a.a"; it only shows IP addresses that are directly connected.
Thank you. Regards.
- IheartF5_45022 (Nacreous)
OK, thanks, it wasn't clear to me whether a.a.a.a was in an attached network or another one.
So do you have a default route configured? You need a route on the LTM to get to the external network via an address on 192.168.227.0/24. I know you said above that you tried via 192.168.227.1, but I wasn't sure if that was your own self IP or an external gateway.
- nitass (Employee)
"We have tried to configure a 0.0.0.0/0.0.0.0:any virtual server forwarding IP enabled on internal VLAN but it doesn't work."
Did you set SNAT automap under the wildcard (0.0.0.0:any/0) virtual server configuration?
"We have also tried with a default route too (0.0.0.0/0 -> 192.168.227.1), but it doesn't work."
A default route is needed since you are using a forwarding IP virtual server.
- Comunicaciones2 (Nimbostratus)
So, the configuration is correct, isn't it? We have to configure a wildcard IP forwarding virtual server in the internal VLAN to allow outbound traffic, with automap enabled, and we also need to configure a default route (0.0.0.0/0.0.0.0, use gateway, resource: gateway address: 192.168.227.1).
We tried all these things, but I think not at the same time. Next time we'll try them all together.
By the way, 192.168.227.1 is the IP of the external VLAN (192.168.227.0/24) and it is a router.
Regards.
- IheartF5_45022 (Nacreous)
"We have to configure a wildcard IP forwarding virtual server in the internal VLAN to allow outbound traffic" - Yes.
"with automap enable" - Maybe. It depends on your network topology whether you need a source NAT to force the return traffic to your F5.
"we also need to configure a default route (0.0.0.0/0.0.0.0, use gateway, resource: gateway address: 192.168.227.1)" - Yes.
- Comunicaciones2 (Nimbostratus)
Hello,
We finally solved the problem. We configured all of this, but we also needed to configure a fastL4 profile for the outbound traffic, activating Loose Initiation and Loose Close. With this configuration, it worked perfectly.
Regards.
- Carlos_Alperin (Nimbostratus)
Can you summarize how you made it work? We're facing the same issue. INBOUND works perfectly, but OUTBOUND, with SNAT or without SNAT with Network Forwarding, stops all the OUTBOUND traffic.
- Comunicaciones2 (Nimbostratus)
Sure! All you need is to create a virtual server without SNAT (Automap). The virtual IP (self IP) of the internal VLAN has to be the default gateway of the servers you want to balance. You have to create a default route pointing to the default gateway of the balancing VLAN (the external VLAN). Thereby, the outbound traffic will know how to reach the destination network. Furthermore, you have to create an outbound virtual server, type Forwarding IP, with destination 0.0.0.0, and without automap. In this virtual server you have to configure a fastL4 protocol profile. You have to modify the fastL4 profile and activate Loose Initiation and Loose Close. And that's all.
- Carlos_Alperin (Nimbostratus)
So, let's say my two servers are x.x.x.82 and x.x.x.83, and my self IP on the internal VLAN is .16. All I need to do is create a VIP on the internal VLAN with x.x.x.16 as the IP on port 25, type Forwarding IP, and choose FastL4? Or should I use the destination 0.0.0.0/0.0.0.0?
- Comunicaciones2 (Nimbostratus)
The internal VLAN self IP has to be the same as the default gateway you have configured on your servers. This is necessary to ensure the outbound traffic passes through the F5. Apart from that, you have to create the Forwarding IP virtual server in the internal VLAN to accept the outbound traffic, but you have to use the destination 0.0.0.0/0.0.0.0 to accept any kind of outbound traffic. Don't forget to use the FastL4 profile.
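The setup the thread converged on (no-SNAT inbound SMTP virtual, wildcard Forwarding IP virtual with a loose-initiation/loose-close FastL4 profile, default route), written out in bigip.conf/tmsh object syntax as an added example; this is not any poster's own configuration. The addresses are the ones given in the thread; the VLAN names internal/external and every object name are assumptions.

```tmsh
# Added example, not from the thread. Assumed: VLAN names "internal"/"external", all object names.

# Inbound SMTP virtual on the external VLAN with SNAT disabled, so servers see the real
# client IP. That is exactly why the servers must default-route back through the F5.
ltm pool pool_smtp {
    members {
        192.168.26.11:smtp { address 192.168.26.11 }
        192.168.26.12:smtp { address 192.168.26.12 }
    }
    monitor smtp
}
ltm virtual vs_smtp_inbound {
    destination 192.168.227.11:smtp
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_smtp
    profiles { tcp { } }
    source-address-translation { type none }
    vlans { external }
    vlans-enabled
}

# FastL4 profile for the outbound forwarder. Loose initialization lets it forward TCP
# segments that are not a SYN; loose close lets a flow close on a FIN from one side.
ltm profile fastl4 fastL4_outbound {
    defaults-from fastL4
    loose-close enabled
    loose-initialization enabled
}

# Wildcard Forwarding (IP) virtual, restricted to the internal VLAN: no pool, no SNAT, no translation.
ltm virtual vs_outbound_forward {
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4_outbound { }
    }
    translate-address disabled
    translate-port disabled
    vlans { internal }
    vlans-enabled
}

# Default route so the forwarded traffic has a next hop on the external VLAN.
net route default_gateway {
    gw 192.168.227.1
    network default
}
```

Keeping the forwarding virtual bound to the internal VLAN only (vlans-enabled) matters: a 0.0.0.0:any forwarder enabled on all VLANs would also route traffic arriving from the external side.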