Using Big-IP as a router
cxcal_18687 (Nimbostratus), Feb 25, 2008
I have yet to get our application (product from Standard Networks) to source the client IP address for auditing purposes.
Application only works when SNAT is disabled.
Is it possible to use the Big-IP as a router?
Thanks.. I'm reaching!!!
14 Replies
- hoolio (Cirrostratus)
Hi,
The BIG-IP can route traffic without performing source address translation. Under the most common configurations, the BIG-IP would route symmetrically (i.e. the request and the response both go through the BIG-IP). To route symmetrically, if you don't have the BIG-IP perform address translation, the destination of the traffic needs to have a route to the source which goes through the BIG-IP. Typically you do this by setting the web server's default gateway to the floating IP on the server's VLAN.
If you don't want to translate the source address, you can create a wildcard virtual server with SNAT disabled. If you want to specify a router or pool of routers, you can use a Forwarding IP VIP. If you want to just forward the requests according to the BIG-IP's routing table, you can use a Performance Layer 4 VIP.
If you want to have the BIG-IP just forward asymmetrically, you can enable loose initiation and loose close on the FastL4 profile for your VIP. BIG-IP won't add the connections to its connection table.
Take a look at the config guide for your version of LTM on AskF5 for more detail or reply here.
Aaron
- Fletcher_Cocquy (Nimbostratus)
I have a couple of load-balanced Windows servers configured with their default route set to the BigIP's floating IP. Works great except for when they attempt the mothership and it fails because the BigIP is not forwarding or returning the outbound packets and Windows can't get its updates.
We've added a few persistent routes so these nodes can route Microsoft traffic around the BigIP - but MS changes their IP nets all the time so this fails after a while.
What is the best way (least disruptive) to allow the BigIPs to route this type of traffic?
thanks,
Fletch.
- JRahm (Admin)
You could add a network virtual forwarder with address 0.0.0.0/0.0.0.0 specified to the tcp port that the servers phone home on, and enable it only on the vlan to which the servers are connected.
- Fletcher_Cocquy (Nimbostratus)
I tried your idea - this should have allowed 443 to pass - but it's not:
```
virtual fwd65NetHTTPS {
   destination any:https
   ip forward
   ip protocol tcp
   translate service disable
   profile fastL4
   vlans int65 enable
}
```
See anything wrong there?
thanks
- JRahm (Admin)
Do you have a route to the destination you're trying to hit?
- Fletcher_Cocquy (Nimbostratus)
Ah, I see the first default route for the whole BigIP is a non-externally routable IP - how do I update the order of the default routes ? (So I can make the externally routable hop first)?
Or how do I assign a default route just for this VLAN?
thanks
- JRahm (Admin)
In this case, you could add an iRule to the virtual to route the traffic based on source address. Assuming the servers are in 192.168.1.0/24 and the desired gateway is 172.16.1.1:
```tcl
when CLIENT_ACCEPTED {
    # Connections from the server subnet get 172.16.1.1 as their next hop
    if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        node 172.16.1.1
    }
}
```
- Fletcher_Cocquy (Nimbostratus)
I tried the iRule, but it did not seem to affect the routing when I applied it to the Virtual Server to which this server belongs.
(wouldn't that be expected since the iRule would only apply to traffic inbound to the Virtual Server?)
thanks
- JRahm (Admin)
Process should be:
Server1 (192.168.1.10) -> update.microsoft.com (65.55.184.57/443)
Packet arrives at wildcard VIP, which is listening only on server vlan to only tcp port 443.
BigIP checks source address, sends traffic destined for 65.55.184.57 to node 172.16.1.1 as defined in the iRule. If return path is not symmetric, you may want to add a specific snat address to these source routing decisions.
- mikand_61525 (Nimbostratus)
Is this still valid for 11.x, and what are today's preferred settings if I (for example) just want to use the F5 as a router (or rather, the case is to merge a Cisco router and F5 into a single device)?
I'm thinking of Forwarding IP vs Performance Layer 4 as VIP, but also regarding the loose initiation and loose close (and are there other settings to look for)?
The goal in my case is to have the F5 perform routing (mainly static routes), but for a certain range (or rather IP addresses along with ports) it will perform its load-balancing magic.
I also assume that the need to create a VSERVER which acts on 0.0.0.0/0.0.0.0 is because the F5 otherwise will just drop the traffic (meaning that just setting up routes in Network->Routes isn't enough) - is this correct?
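The two pieces described in this thread, hoolio's wildcard forwarding virtual server with address translation disabled (plus the loose-initialization/loose-close FastL4 settings for asymmetric paths) and JRahm's source-based next-hop iRule, written out together in the 11.x tmsh syntax that mikand asks about. This is an added example, not configuration from any of the posts or from F5. The VLAN name int65, the server subnet 192.168.1.0/24 and the gateway 172.16.1.1 are taken from the thread; the object names are made up, and it assumes the BIG-IP has a self IP on the same subnet as 172.16.1.1 so that `node` can hand packets to it as a next hop. `source-address-translation` is the 11.3-and-later property name (earlier 11.x uses `snat none`).

```tcl
# FastL4 profile for asymmetric forwarding (hoolio's "loose initiation and
# loose close"): accept packets mid-stream and do not require the handshake or
# teardown to pass through. reset-on-timeout is disabled so an idle timeout
# does not send a RST into a flow the BIG-IP only ever saw one side of.
ltm profile fastl4 fastL4_loose {
    defaults-from fastL4
    loose-initialization enabled
    loose-close enabled
    reset-on-timeout disabled
}

# Wildcard Forwarding (IP) virtual: any destination, any protocol, no address
# or port translation, next hop chosen from the BIG-IP routing table
# (Network > Routes). Without a virtual like this the BIG-IP drops any packet
# that matches no virtual server, so static routes alone do not make it a
# router. Use the plain fastL4 profile instead if both directions pass
# through the BIG-IP.
ltm virtual fwd_int65_all {
    destination 0.0.0.0:any
    mask any
    ip-forward
    ip-protocol any
    profiles {
        fastL4_loose { }
    }
    translate-address disabled
    translate-port disabled
    vlans { int65 }
    vlans-enabled
}

# Narrower wildcard for the Windows servers' TCP/443 egress on VLAN int65.
# Load-balancing virtuals with a specific destination are matched before any
# wildcard, so this catches only 443 traffic nothing else claims. The default
# fastL4 profile keeps normal connection tracking so the SNAT chosen in the
# iRule works for the return packets.
ltm virtual fwd_int65_https {
    destination 0.0.0.0:https
    mask any
    ip-protocol tcp
    profiles {
        fastL4 { }
    }
    rules { route_int65_egress }
    source-address-translation { type none }
    translate-address disabled
    translate-port disabled
    vlans { int65 }
    vlans-enabled
}

# Source-based next hop (JRahm's iRule). Because address translation is
# disabled on the virtual, "node" does not rewrite the destination IP; it
# only selects where the packet is handed off, so a packet for 65.55.184.57
# leaves towards 172.16.1.1 with its destination intact.
ltm rule route_int65_egress {
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        node 172.16.1.1
        # Only needed when 172.16.1.1 would not route replies back through
        # the BIG-IP: translate the source to a self IP so the return path is
        # symmetric. This is the servers' own egress, not client traffic, so
        # it does not affect the client IP the load-balanced application logs.
        snat automap
    }
}
}
```

The comment lines are explanatory; strip them if your version rejects them when merging with `tmsh load sys config merge`. The first virtual is the general router replacement, the second overrides the routing table for one source subnet and port, and the load-balancing virtuals for specific addresses and ports sit alongside both, matched first because their destination is more specific.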