Forum Discussion
Warren_A__97345
Nimbostratus
Nov 24, 2009
Traffic Routing without a SNAT?
Greetings everyone.
I am setting up a pair of HA F5s for my datacenter and I have a problem with IP preservation and I was hoping someone could shed some light on this topic for me.
My approximate network layout (all IPs are public, so I can easily route from elsewhere):
VIP network:
Public IPs
77.77.77.1 Routerhsrp
77.77.77.2 router1
77.77.77.3 router2
77.77.77.4 F5-BigIP-LB1
77.77.77.5 F5-BigIP-LB2
77.77.77.6 F5-BigIP-FloatingIP
77.77.77.7 mywww.vip.company.com (on LBs)
Server network (also public IPs)
88.88.88.1 Routerhsrp
88.88.88.2 Router1
88.88.88.3 Router2
88.88.88.4 F5-BigIP-LB1
88.88.88.5 F5-BigIP-LB2
88.88.88.6 F5-BigIP-LB-FloatingIP
88.88.88.7 www1
88.88.88.8 www2
88.88.88.9 www3
I was assuming that since I am running all public IP numbers I could rely on the F5 forwarding to the proper server while only changing the source layer 2 information, so the traffic would return back through the load balancer without stripping the true source IP from the L3 data, since I have the F5s on the 88.x.x.x network with the right VLAN. Unfortunately I cannot seem to get any traffic to flow that way.
The moment I turn on automap SNAT or set up a SNAT pool in the 88.x.x.x network, traffic flows fine, but everything is NATted from the IP of the load balancer. I would like to preserve my source IP, but I would also like not to run nPath/DSR style routing where I place a loopback on the web servers with the VIP IP on them.
Any suggestions?
I am running 9.2.5; the VLAN for the VIPs and the VLAN for the server network are separate and running untagged into access ports on my switches via individual interfaces on the LB (1.1 VIP and 1.2 servers).
11 Replies
- hoolio
Cirrostratus
If you don't want to use SNAT or nPath, you'll need to set the default gateway on the servers to the floating self IP address of LTM on the server VLAN. This will ensure responses to clients not on the same subnet as the servers are sent back to the client via LTM. You would have to enable SNAT for clients on the same subnet as the servers.
Also, if you're able to, you should upgrade from 9.2.5 as it's an old, unsupported version (not that the version has any impact on the routing question...).
Aaron
- The_Bhattman
Nimbostratus
Also, if you are using the floating self IP address, you might want to think about implementing MAC masquerading.
Bhattman
- Ben_Novak
Employee
I agree with hoolio. You need to change the default gateway of the nodes to the floating IP on the F5 and turn off SNAT. That will allow your nodes to see the client IP. However, once you do that you may not be able to manage the nodes. You will have to set up a virtual forwarder to forward all other traffic sourced from those nodes, or else the F5 will not pass it. Let me know if you need more info on the virtual forwarder. You will probably need it if the node VLAN is not isolated behind the F5.
- Warren_A__97345
Nimbostratus
A virtual forwarder, eh? I think that is the issue I am having. I was able to implement it with the gateway earlier, but then I was unable to manage my hosts directly. I know I could add a box in the domain as a management box, but I would prefer not to do this. I believe the virtual forwarder is the piece of the puzzle I did not discover. Could you please enlighten me on this?
Unfortunately I do not have an upgrade path from 9.2.5 to a newer version, as my devices are only licensed with that version and due to a tight budget we are not able to place the appliances under support right now. (We are a start-up with a huge product launch, so everything is not proven and must stay cheap until we get some big traffic.)
Every time I place a VIP on the front end (77.X) network, say I add 77.77.77.8:80 for a different site or service, must I first make that a shared floating IP on the device? Or is the self IP and shared floating IP only needed once, and any additional IPs for VIPs can be added as needed without defining a self IP?
Thanks a lot guys, the advice is great,
- Warren
- hoolio
Cirrostratus
Hi Warren,
Try checking SOL7229 for details on configuring a forwarding virtual server for admin access. You could enable SNAT on that and restrict who can connect to the forwarding VIP by VLAN or by IP/subnet using iRules or packet filters.
SOL7229: Methods of gaining administrative access to nodes through the BIG-IP system
https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7229.html
Also, in terms of support, you might still be able to install 9.3.1 if your service check date is after the 9.3.1 release date even without an active support contract. You could open a case with F5 Support to see if upgrading to 9.3.1 is an option.
As for the self IP question, you should only need one floating self IP per VLAN (unless you have a lot of SNAT traffic and are seeing/concerned about port exhaustion--which shouldn't be a problem in your scenario if you're not using SNAT for most connections).
Aaron
- Warren_A__97345
Nimbostratus
Thanks Aaron,
I will investigate this, document, and possibly upgrade the platform version. Is there a simple place to find the service check date? Or will only F5 know that?
Cheers,
Warren
- hoolio
Cirrostratus
The service check date is normally found in the /config/bigip.license file. It's described in SOL7727:
SOL7727: A service check date that is earlier than the license check date now requires you to relicense the system before upgrading
https://support.f5.com/kb/en-us/solutions/public/7000/700/sol7727.html
If you open a case with F5, you should be able to get a quick response on whether you can upgrade to 9.3.x with your existing license. It's worth it to at least check into.
Aaron
- Warren_A__97345
Nimbostratus
With the virtual forwarding servers:
Do I remove the route to that network via my core routers and insert a static route to servers in that network via the external VIP of the LB? Or does inbound traffic for the servers whose gateways point to the load balancer still come from the network's central router?
Currently, if I do a route to a server in the pool that I wish to set this up for, the traffic attempts to go through the HSRP router, not the F5.
- The_Bhattman
Nimbostratus
You still need a route in your network to reach the network that sits behind the load balancer. Virtual forwarding servers basically allow you to forward between networks that terminate on the F5.
Bhattman
- Warren_A__97345
Nimbostratus
So on my server network (internal, although all public IPs)
I have:
VLAN - Internal-v100
1.1.1.1 core-router-vip
1.1.1.2 core-router-1
1.1.1.3 core-router-2
1.1.1.4 lb-1
1.1.1.5 lb-2
1.1.1.6 lb-float-ip
1.1.1.7 www1
1.1.1.8 www2
VLAN - External-v200
2.2.2.1 core-router-vip
2.2.2.2 core-router-1
2.2.2.3 core-router-2
2.2.2.4 lb-1
2.2.2.5 lb-2
2.2.2.6 lb-float-ip
2.2.2.7 www-vip:80
www1's default route/gateway = 1.1.1.6
www2's default route/gateway = 1.1.1.6
Traffic from the outside VIP that goes to www1 and www2 works perfectly; I can see the IP, and traffic flows through the LB as it should.
I have (for www1 only, so I can SSH to it):
virtual fw-virt-server {
destination 1.1.1.6:any
ip forward
translate address disable
vlans external enable
}
Traffic from the outside sees the route for www1/www2 as
Edge Router -> core router -> VLAN interface 1.1.1.1 -> destination
^Is that correct, or should I remove that VLAN interface and replace it with something else?
The problem is that SSH to my host www1 still is not working. I am dumbfounded... I am about ready to throw in the towel and just do a SNAT... Anyone see something glaringly obvious?
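An added example of the two forwarding virtual servers the replies describe (it is not from any poster in the thread), written in the v9 bigip.conf style of Warren's snippet and using his 1.1.1.0/24 server addressing; the `mask` and `translate service` keywords and the VLAN names `external`/`internal` are assumed. The detail it illustrates is that a host destination such as 1.1.1.6:any only matches packets addressed to 1.1.1.6 itself, so admin traffic to www1 (1.1.1.7) needs a network destination that covers the server subnet.

```text
# Added example, not from the thread. Assumes Warren's 1.1.1.0/24 server VLAN
# (named "internal" here) and BIG-IP v9 bigip.conf syntax.
#
# 1) Inbound admin access (the SOL7229 approach hoolio points to): a network
#    forwarding virtual server on the external VLAN covering the whole server
#    subnet, so SSH to www1 (1.1.1.7) or www2 (1.1.1.8) matches. A host
#    destination like 1.1.1.6:any only matches traffic to the floating self IP.
virtual fw_admin_to_servers {
   destination 1.1.1.0:any
   mask 255.255.255.0
   ip forward
   translate address disable
   translate service disable
   vlans external enable
}

# 2) Outbound traffic from the nodes (Ben's point): with the servers' default
#    gateway set to 1.1.1.6, anything they originate that is not a reply to a
#    load-balanced connection must also match a virtual server or the F5 will
#    not pass it. Listen on the server VLAN only.
virtual fw_servers_outbound {
   destination 0.0.0.0:any
   mask 0.0.0.0
   ip forward
   translate address disable
   translate service disable
   vlans internal enable
}
```

Restricting who may reach the first virtual server by VLAN, or by source address with an iRule or packet filter as hoolio suggests, keeps it from becoming an open path into the server subnet.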