For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Raj_Siva_327012's avatar
Raj_Siva_327012
Icon for Nimbostratus rankNimbostratus
Jul 12, 2017

SNAT - same VLAN ?

Do we need SNATs if the server is in the same VLAN as the self / floating IPs ? the default gateway of the server is not the F5 in this case...   for ex   external VIP - 172.18.2.153   pool ...
application delivery
LTM
security
Munney_64889's avatar
Munney_64889
Icon for Nimbostratus rankNimbostratus
Jul 12, 2017

If you don't SNAT, the source address of the requesting client will get passed straight on through to the server. And then the server will see the client as a non-local IP address and use it's default gateway to respond to, bypassing the load balancer.

 

Asynchronous route. Game over.

 

Munney_64889's avatar
Munney_64889
Icon for Nimbostratus rankNimbostratus
Jul 13, 2017

I always thought the same thing Raj. I think the L2/L3 is getting muddled.

 

How I've talked myself into believing it is that the server gets the frame and strips it off and throws it away. When it goes to respond it creates a packet...addressed to the original source IP. So then it makes its decision - is this thing going local or remote and creates a new frame of who it needs to send it to. In this case, the [now] destination IP is remote so it builds its frame with a destination MAC of its default gw.

 

It doesn't reuse the old frame, that's long gone...so doesn't respond to the F5.