Forum Discussion
santa_111036
Nimbostratus
NimbostratusSMTP Load Balancing without SNAT
Hi all,
I am new in this forum and I have a problem with load balancing
our SMTP Gateways (Ironport).
It is necessary that the ironport "sees" the origin sender IPs.
So I created a virtual server on F5 with ironport gateways as members and disabled SNAT.
Now I can send an email which is delivered to the ironport correctly. But the ironport ist not able to send the email
to the destination mail server. Even a ping to the mail server is not possible.
On ironport the virtual server ip of the f5 in the same vlan is set as default gateway.
Any hints?
Thanks in advance!
HamishCirrocumulus
Do you have a network virtual server for 0.0.0.0/0.0.0.0 that will forward the outbound connections for you?
H
santa_111036i don't really understand... sorry, i am a f5-newbie.
I have created a host virtual server which has the virtual ip of the ironports.
for this virtual server i have set SNAT-Pool to "none"- dennypayne
Employee
What Hamish is referring to is the fact that the LTM by default will deny any traffic that is not explicitly allowed. So if the Ironport servers are trying to initiate outbound connections through LTM as their gateway, there has to be some mechanism to let those packets go outbound through the LTM. The easiest thing to do is to set up the wildcard forwarding virtual server as he described, since normally you don't know what IP address the servers are trying to reach.
So you would create a new virtual server as type Network, with 0.0.0.0/0.0.0.0, port 0, and change it from Standard to Forwarding(IP). You can also enable it only on the internal VLAN so that traffic is only allowed outbound, not inbound. You will also need to make sure that LTM's gateway knows how to route traffic back to the Ironport source IP's through the external LTM address.
Alternatively, you could create a SNAT enabled on the internal VLAN that changes the outgoing source IP to an address on the LTM, then you don't have to worry about the routing back inbound. This may even be required in this instance if the mail servers that the Ironports are connecting to would possibly reject mail that does not appear to be coming from the "correct" IP address according to their reverse DNS lookups.
Hope this helps,
Denny 
George_Cussins_My question is similar to this scenario but in our case we do not need to know the origin ip address so we will be doing SNAT automap. The SMTP servers would be operating as a SMTP relay on a dmz. Internal servers will send their smtp request to an F5 virtual ip address which will then loadbalance between pool members.
For the outbound request to the destination email server flow as described above it was our intention to have the SMTP servers simply point as their default gateway the Firewall address and have the firewall NAT to a single public address. This I think will avoid the reverse lookup issue described above. My question is what is "best practice" here? Is there any value added by sending the outbound flow through the F5? Any other issue we need to be aware of in setting up these SMTP relay servers?- JRahm
Admin
In your case with the outbound flow, I don't see any value in pushing them back through another LTM before the firewall translates them. The initial LTM has the opportunity to catch/mod anything necessary anyway before hitting your dmz relays.
