Forum Discussion
ltp_55848
Nimbostratus
Jun 29, 2011
Wildcard forwarding for direct node traffic with PBR
Hi All,
Apologies if this question has been asked before; I've waded my way through a lot of forum posts but haven't seen the problem I'm facing - feel free to prove otherwise.
I a...
ltp_55848
Nimbostratus
Jul 05, 2011
After some thought on the matter, I ended up creating an iRule on the wildcard virtual server on the backend VLAN to output some verbose logging for the purposes of gathering information from an LTM perspective.
What I found was that the return traffic from a client directly to a backend node (not via a VIP) was being PBR'ed as expected to the F5 self-IP on the backend node's VLAN. However, because the F5 was unaware of the initial traffic flow (it came via the network and not from the F5), the return traffic flow was seen as a client connection to the F5, with the server being the original requesting client.
The solution was to use an exceedingly simple iRule on the wildcard virtual server for the backend VLAN to set the client nexthop to an F5 self-IP on an "external" VLAN.