Forum Discussion
SSL-VPN - Route all traffic NOT via the default gateway but via the CUSTOM gateway
Hi,
We are working to implement a new VPN stream that ends on F5.
Our goal is to terminate the SSL VPN on F5 but filter the traffic on the firewall, we don't want to do ACLs on F5.
We need to set up a full tunnel.
Our infrastructure is illustrated in a simplified way in the attached diagram
However, we have problems with the routing of traffic as we do not want to allow clients to reach the network resources (Virtual Machine and Virtual Server) located in the networks directly connected on F5.
To avoid this behavior we create a new DMZ 192.168.2.0/24 network to use a SNAT of this network (192.168.2.10) to route traffic to the firewall.
The problems arose here as the traffic to the Internet takes the default network and then arrives on the firewall on the IP 192.168.1.1, while the traffic to the LAN 1 and LAN 2 uses the F5 selfIPs on those networks
We would like to make sure that all traffic from the VPN arrives on the firewall on IP 192.168.2.1 of the new DMZ network.
We tried the following:
1) rotate the traffic to a specific gateway (https://support.f5.com/csp/article/K18487629) but it didn't work and the traffic to the LANs doesn't go through the firewall.
We have created a new dedicated VS.
2) implemented a PBR via irule (https://support.f5.com/csp/article/K20510467) but it didn't work.
We may have done something wrong in the configuration of the two points indicated above and we have tried the various combinations but we are unable to find any solution.
Can you help us understand how to set up the correct flow?
Is it possible to foresee that F5 does not follow the default routing and does not allow direct access to connected LANs?
I hope the flow described is clear
Thanks
Hi tub91
I would suggest that because you need a different default route for the VPN traffic, you might want to consider moving the DMZ2 subnet into its own VLAN (if not already) and then attach that VLAN to its own route domain, along with the lease pool.
In my lab I added a route domain called VPN, with ID 10. I added the VLAN for VPN clients to it, and added my self IPs with route domain notation in the form of 10.1.20.5%10.
Next, I set a default route for the route domain with the following parameters:
Destination: 0.0.0.0%10
Netmask: 0.0.0.0
Gateway Address: 10.1.20.1%10
In the Access Policy's VPE, on the same branch where I assign the network access resource, I added a Route Domain Selection Agent, and set the Route Domain created earlier.Last, if you don't want to use SNAT, set a route on your firewall for the lease pool pointing to the F5's self-IP in the DMZ2 subnet.
Note, there are some limitations that apply to APM and route domains: https://support.f5.com/csp/article/K20465715
Hope this helps,
Josh
Hi tub91
I would suggest that because you need a different default route for the VPN traffic, you might want to consider moving the DMZ2 subnet into its own VLAN (if not already) and then attach that VLAN to its own route domain, along with the lease pool.
In my lab I added a route domain called VPN, with ID 10. I added the VLAN for VPN clients to it, and added my self IPs with route domain notation in the form of 10.1.20.5%10.
Next, I set a default route for the route domain with the following parameters:
Destination: 0.0.0.0%10
Netmask: 0.0.0.0
Gateway Address: 10.1.20.1%10
In the Access Policy's VPE, on the same branch where I assign the network access resource, I added a Route Domain Selection Agent, and set the Route Domain created earlier.Last, if you don't want to use SNAT, set a route on your firewall for the lease pool pointing to the F5's self-IP in the DMZ2 subnet.
Note, there are some limitations that apply to APM and route domains: https://support.f5.com/csp/article/K20465715
Hope this helps,
JoshHi tub91
In my experience with route domains is that they should not cause any problems with preexisting flows. The only hurdles I usually see are related to moving services from RD0 into a new RD, where you basically have to set those things up again. Likewise trying to take route domains out later can be intensive, so its important to understand why you might need them. This is part of why I mentioned that DMZ2 should be a dedicated VLAN as you can't connect a VLAN to more than one route domain.
I made a quick tweak to your drawing to help describe the change.No, RD0 is the partition default for Common so you do not need to specify %0 on any created objects, the only reason you might need to would be if you were referencing objects from RD0 in places such as iRules or other partitions.
- tub91Cirrus
Thank you for the updated drawing, you were very clear.
One last question: we don't have to create a new partition, do we? Can we use the two route domains inside the Common partition?
Thanks
Hi tub91
You are correct, a partition may have more than one route domain. The resources tied to the non-default route domain will always need to use the "%ID" suffix.
- tub91Cirrus
We have tested this with the route domain and confirm that it works as expected.
Thank you for your support
- tub91Cirrus
I confirm that the DMZ2 subnet is in a dedicated VLAN. We had hypothesized that Route Domains could solve the problem but we wanted to find out if another way was possible.
We have never created another Route Domain. Could the addition of a route domain lead to some problems in the configuration of all the flows already present?
I see that the% ID_VLAN character must be added for the IP of the new route domain.
Is the addition of the% ID_VLAN character to be done also for all the IPs in the default and already existing route domain 0?
Thank you very much
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com