Forum Discussion
jlundber_44460
Nimbostratus
Feb 25, 2008
Source routing
Hello everyone!
We are trying to consolidate our environment and need to do some kind of source routing or change the architecture.
This is how our environment is set up.
                            INTERNET
                            |      |
                            |      |
webserver A ---bigip--- firewall A    firewall B ---bigip--- webserver B
                            |      |
                        INTERNAL networks
                            |      |
                          LDAP    backup
We are hosting two customer sites with separate firewalls, but both firewalls are connected to an internal network where we have LDAP, backup, DNS and other infrastructure servers that are used by both customers.
So what we need to do is make the BIG-IP route traffic from webserver A to firewall A, and the same for customer B, for the internal networks.
Is there an easy way to do source routing in the bigip?
/Jonas
11 Replies
- dennypayne
Employee
Are A and B on separate networks? If so, you can just create 2 wildcard forwarding virtuals, one enabled on each VLAN, and use a different firewall pool for each one.
If not, then you can use an iRule on a forwarding virtual that looks at the source addr and decides which firewall to use based on that logic. That's a little harder to scale though since you have to add logic for each potential source address.
Denny
- uni
Altocumulus
Thanks Denny, this is a very timely post for me.
Extending this scenario a little, I also have virtual servers defined on VLAN X and Y, which use pools of servers in VLAN A and VLAN B respectively. Client requests come in from beyond VLAN X or Y.
Where will the reply traffic be forwarded to? I imagine the forwarding virtuals you mention would only be relevant for sessions initiated on the server side (VLAN A/B), not for return traffic for sessions initiated beyond VLAN X & Y.
To extend your diagram per below, suppose 10.11.11.100 sends traffic to virtual 10.10.10.10. How will the BigIP know to send return traffic back to 10.10.10.254? I'm sure we could set up the route tables such that 10.11.11.x is via 10.10.10.254 and 192.168.3.x is via 192.168.2.254, but what if we don't have a full knowledge of the remote network addressing?
Also, if we are trying to segregate different customers, they may have addresses which overlap each other.

----------------            ------------------
-  10.11.11.x  -            -  192.168.3.x   -
----------------            ------------------
       |                            |
     ROUTER                       ROUTER
       |                            |
----------------            ------------------
- 10.10.10.254 -            - 192.168.2.254  -
----------------            ------------------
       |                            |
     VLAN X                       VLAN Y
       |                            |
---------------------------------------------------
-   10.10.10.x                 192.168.2.x        -
-                    F5 LTM                       -
-   172.18.10.x                172.18.12.x        -
---------------------------------------------------
       |                            |
     VLAN A                       VLAN B
       |                            |
     server                       server
Thanks,
Stephen
- JRahm
Admin
The LTM has a feature enabled called auto lasthop that will send the traffic back to the MAC it came from, so as long as this is still enabled, you should be fine.
- JCMATTOS_41723
Nimbostratus
Denny - I was wondering if you had an example of the iRule solution for this similar scenario? I tried using a wildcard forwarding virtual server with this iRule and am not sure if this would work the same way? Thx!
   virtual VIPANY {
      ip forward
      destination any:any
      mask none
      vlans
         RIP-DEV-DMZ
         RIP-DEV-INT
         RIP-PROD-DMZ
         RIP-PROD-INT
         RIP-QA-DMZ
         RIP-QA-INT
         RIP-UAT-DMZ
         RIP-UAT-INT
      enable
      rules Gateways
   }

   rule Gateways {
      when CLIENT_ACCEPTED {
         # Pick the next-hop firewall from the source (client) address.
         # "IP::addr ... equals" already returns 1 on a match, so the
         # "ne 0" is redundant but harmless. Branches are first-match.
         # Anything from a source not listed is dropped (fail closed).
         if { [IP::addr [IP::remote_addr] equals "10.0.24.0/23"] ne 0 } { node 10.0.22.1 }
         elseif { [IP::addr [IP::remote_addr] equals "10.0.34.0/23"] ne 0 } { node 10.0.32.1 }
         elseif { [IP::addr [IP::remote_addr] equals "10.0.44.0/23"] ne 0 } { node 10.0.42.1 }
         elseif { [IP::addr [IP::remote_addr] equals "10.0.54.0/23"] ne 0 } { node 10.0.52.1 }
         elseif { [IP::addr [IP::remote_addr] equals "172.24.24.0/23"] ne 0 } { node 172.24.22.1 }
         elseif { [IP::addr [IP::remote_addr] equals "172.24.34.0/23"] ne 0 } { node 172.24.32.1 }
         elseif { [IP::addr [IP::remote_addr] equals "172.24.44.0/23"] ne 0 } { node 172.24.42.1 }
         elseif { [IP::addr [IP::remote_addr] equals "172.24.54.0/23"] ne 0 } { node 172.24.52.1 }
         else { discard }
      }
   }
- dennypayne
Employee
I don't have another example but yours looks like it should work fine (I haven't vetted the syntax - not sure about the "ne 0" - but the logic looks good to me). But you see what I mean about it being harder to scale. You might want to use the switch command instead of all the elseif's (there's a bunch of examples of that in various posts in the 9.x iRules forum).
Denny
- JCMATTOS_41723
Nimbostratus
Sounds good Denny, looks like that worked... Thx again! Also I tried to look up an iRule example in the forum that uses the switch command but no luck... Do you mind pointing me in the right direction? Never used this command before... Thx!
- dennypayne
Employee
Take a look at these threads -
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=35063507
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=60226023
or at the TCL docs at:
http://tmml.sourceforge.net/doc/tcl/switch.html
Denny
- mark_64191
Nimbostratus
Hi Denny (or whomever else can answer),
I have what looks like a simpler setup than what you've shown in your nice ASCII image. The VLANs X and Y would stay, but behind the F5s I just have a single VLAN, A. Basically imagine VLAN Y is our old firewall/DMZ gear and VLAN X is the new, improved gear we're trying to migrate towards (along with new IP addresses).
So, on VLAN Y (old) I'll have virtual servers that access the pools on VLAN A. Now I need to create a new virtual server on VLAN X (new gear) and have it provide access to the same pool on VLAN A, but ensure that connections that come in from X go back out X, and connections that come in on Y go back out Y. Is this simply a matter of just having self-IPs on each of the external VLANs, and the F5 will default to sending connections back out the gateway a connection came in on? Currently the F5 only has a single default route, which points towards the old gear we're trying to get off of (VLAN Y). My concern is that when a connection comes in via VLAN X, the F5 will look at its routing table and want to send replies out via VLAN Y instead of VLAN X. Since I don't have VLANs A and B on the back side, I can't create two separate wildcard forwarding servers and associate them with different internal VLANs.
If you're with me this far there's one additional consideration. There are stand-alone servers on VLAN Y necessary to the sites' functioning that will eventually migrate as well. For now, they'll remain on VLAN Y. If I bring a virtual server up on VLAN X, and the hosts in a pool get new SNATs on X to replace their old VLAN Y SNATs, the F5 won't do something goofy with routing and say, "Well, this host with SNAT 10.10.10.5 wants to talk to 192.168.2.200... I have a self-IP on the 192.168.2.0 network, so I'll just route internally and send the packet out that interface rather than using the default gateway for the 10.10.10.0 network", will it? (resulting in a SYN packet with a 10.10.10.5 source IP getting dumped directly onto VLAN Y, and the resulting SYN/ACK from the server gets to VLAN Y's firewall but doesn't match a state, because there was never a SYN from 10.10.10.5 seen at the firewall).
- dennypayne
Employee
If you create a default gateway pool, then auto lasthop should take care of your first concern. I think as long as you only enable the SNAT and the VLAN X virtual server on VLAN X (instead of the default of All VLANS) then the traffic from the SNAT to VLAN Y will go out the appropriate default gateway. But without being able to test your setup I'm not 100% sure that what you describe won't happen, because without the forwarding virtual server you can't explicitly point outgoing traffic to the firewall interface.
Denny
- Sven_89244
Nimbostratus
Hi Denny,
I've got a possibly silly question. I have to configure this from an existing installation (say VLAN-X and VLAN-A). There's also a default gateway on the F5 pointing to 10.10.10.254.
Can I get rid of it if I configure your suggested inbound forwarding VS to the nets (here 172.18.10.0/24 and 172.18.12.0/24)? The reason I ask is that monitoring the traffic with tcpdump on VLAN-X while disabling the "default gateway" shows the absence of packets to/from VLAN-A. Which routing matches first, default or "VS"-based? Or can
Thx
Sven
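Two points raised above are really the same point: Denny's warning that the if/elseif chain gets hard to scale, and Stephen's concern that different customers may have overlapping address space. The posted Gateways iRule is first-match, so with overlapping source prefixes the order of the branches decides which customer's firewall a packet takes, and a wrong order silently sends one customer's traffic through the other customer's firewall. The following is an added example, not code from the thread or from F5: a small Python model of the same source-to-gateway decision that sorts prefixes most-specific first (so first-match equals longest-prefix match), rejects a table in which one prefix is given two gateways, lists the overlaps where ordering matters, and renders the iRule text in the thread's own style. The prefixes and gateways are the ones from the posted iRule; the extra 10.0.24.128/25 row in the demo is constructed to show an overlap and does not come from the thread. It uses IP::client_addr, which in CLIENT_ACCEPTED is the same address as the IP::remote_addr the posted rule uses.

```python
"""Source-based next-hop selection, modelled and rendered as an iRule.

Added example (not from the thread or F5). The if/elseif chain in the
posted Gateways iRule is first-match, so overlapping source prefixes make
the branch order security-relevant. Sorting most-specific first makes
first-match behave as longest-prefix match.
"""
import ipaddress

# (source prefix, next-hop firewall) rows, as in the posted iRule.
GATEWAYS = [
    ("10.0.24.0/23", "10.0.22.1"),
    ("10.0.34.0/23", "10.0.32.1"),
    ("10.0.44.0/23", "10.0.42.1"),
    ("10.0.54.0/23", "10.0.52.1"),
    ("172.24.24.0/23", "172.24.22.1"),
    ("172.24.34.0/23", "172.24.32.1"),
    ("172.24.44.0/23", "172.24.42.1"),
    ("172.24.54.0/23", "172.24.52.1"),
]


def build_table(rows):
    """Parse rows into a list of (network, gateway), most-specific first.

    Raises ValueError if one network is given two different gateways: a
    first-match chain would silently honour only one of them.
    """
    seen = {}
    for prefix, gw in rows:
        net = ipaddress.ip_network(prefix, strict=True)
        ipaddress.ip_address(gw)  # validates the gateway address
        if net in seen and seen[net] != gw:
            raise ValueError(f"{net} maps to both {seen[net]} and {gw}")
        seen[net] = gw
    # Longest prefix first; tie-break on address so the output is stable.
    return sorted(seen.items(),
                  key=lambda kv: (-kv[0].prefixlen, int(kv[0].network_address)))


def select_gateway(table, src):
    """Return the next hop for a source IP, or None (the iRule's 'discard')."""
    addr = ipaddress.ip_address(src)
    for net, gw in table:
        if addr in net:
            return gw
    return None


def overlaps(table):
    """List (specific, broader) prefix pairs with different gateways.

    These are exactly the places where branch order decides which
    firewall a source reaches; review them before deploying.
    """
    found = []
    for i, (net, gw) in enumerate(table):
        for other, ogw in table[i + 1:]:
            if net != other and net.subnet_of(other) and gw != ogw:
                found.append((str(net), str(other)))
    return found


def render_irule(table, rule_name="Gateways"):
    """Emit the iRule in the thread's style, branches most-specific first.

    Branches are emitted on consecutive lines with no comments between
    them, because Tcl does not allow a comment between '}' and 'elseif'.
    """
    lines = [f"rule {rule_name} {{", "   when CLIENT_ACCEPTED {"]
    keyword = "if"
    for net, gw in table:
        lines.append(f'      {keyword} {{ [IP::addr [IP::client_addr] '
                     f'equals "{net}"] }} {{ node {gw} }}')
        keyword = "elseif"
    lines += ["      else { discard }", "   }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed overlap: a /25 inside customer A's /23 with its own gateway.
    table = build_table(GATEWAYS + [("10.0.24.128/25", "10.0.22.9")])
    print("10.0.24.200 ->", select_gateway(table, "10.0.24.200"))
    print("10.0.24.5   ->", select_gateway(table, "10.0.24.5"))
    print("order-sensitive pairs:", overlaps(table))
    print(render_irule(table))
```

If `overlaps()` returns anything, check that the more-specific prefix really belongs to the customer whose firewall it is mapped to; the rendered rule puts it first, so it wins. Because the table is built from a plain list, the same script can be fed the real address plan from a file and re-run whenever a customer is added, which is the scaling problem Denny describes.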