Forum Discussion
SSL-VPN - Route all traffic NOT via the default gateway but via the CUSTOM gateway
- Sep 16, 2022
Hi tub91
I would suggest that because you need a different default route for the VPN traffic, you might want to consider moving the DMZ2 subnet into its own VLAN (if not already) and then attach that VLAN to its own route domain, along with the lease pool.
In my lab I added a route domain called VPN, with ID 10. I added the VLAN for VPN clients to it, and added my self IPs with route domain notation in the form of 10.1.20.5%10.
Next, I set a default route for the route domain with the following parameters:
Destination: 0.0.0.0%10
Netmask: 0.0.0.0
Gateway Address: 10.1.20.1%10
In the Access Policy's VPE, on the same branch where I assign the network access resource, I added a Route Domain Selection Agent, and set the Route Domain created earlier.Last, if you don't want to use SNAT, set a route on your firewall for the lease pool pointing to the F5's self-IP in the DMZ2 subnet.
Note, there are some limitations that apply to APM and route domains: https://support.f5.com/csp/article/K20465715
Hope this helps,
Josh
Hi tub91
In my experience with route domains is that they should not cause any problems with preexisting flows. The only hurdles I usually see are related to moving services from RD0 into a new RD, where you basically have to set those things up again. Likewise trying to take route domains out later can be intensive, so its important to understand why you might need them. This is part of why I mentioned that DMZ2 should be a dedicated VLAN as you can't connect a VLAN to more than one route domain.
I made a quick tweak to your drawing to help describe the change.
No, RD0 is the partition default for Common so you do not need to specify %0 on any created objects, the only reason you might need to would be if you were referencing objects from RD0 in places such as iRules or other partitions.
- tub91Sep 16, 2022Cirrus
Thank you for the updated drawing, you were very clear.
One last question: we don't have to create a new partition, do we? Can we use the two route domains inside the Common partition?
Thanks
- Sep 16, 2022
Hi tub91
You are correct, a partition may have more than one route domain. The resources tied to the non-default route domain will always need to use the "%ID" suffix.
- tub91Sep 16, 2022Cirrus
Perfect. Next week let's try this route and then I'll come back with the feedback.
Have a nice weekend
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com