Forum Discussion
EAX_25745
Nimbostratus
NimbostratusWildcard Virtual Servers
Hi,
I am struggling to get wilcard virtual servers to work properly in v11.3.0 with HF1.
VLANs:
1) External (Internet) - GW Router x.1.240.128/29
2) Proxies - Connects to Cache farm - x.1.222.48/28
3) HA
4) Internal - not used currently
I created a wildcard virtual server for the proxies vlan as follows:
ltm virtual Proxies_All_Out {
description "Proxies Outside Access"
destination 0.0.0.0:any
ip-forward
mask any
profiles {
fastL4 { }
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
Proxies
}
vlans-enabled
}
Another wildcard virtual server was created for the external vlan to accept incoming proxy request as follows:
ltm virtual Proxies_FWR_VIP_80 {
description "Proxies External Virtual Server"
destination 0.0.0.0:http
ip-protocol tcp
mask any
pool Proxies_Pool
profiles {
analytics { }
http { }
tcp { }
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
external
}
vlans-enabled
}
But for the life of me, the proxies can't access the internet when their gateway is the floating IP on F5 for the proxies VLAN.
When i change the Proxies_All_Out virtual server to a specific destination like an internal nameserver, i can ping that nameserver.
But when using source 0.0.0.0/0 and destination and mask any it is not working.
So something tells me that F5 don't detect that the traffic should go to the Proxies_All_Out virtual server properly.
What i basically want to achieve is to create a wildcard virtual server for the proxies that will allow them to access the internet via VLAN external.
And for incoming traffic a wildcard virtual server that will catch all traffic on port 80 on the external VLAN and send them to the proxies pool.
Any help or suggestions will be appreciated.
nitassEmployee
But for the life of me, the proxies can't access the internet when their gateway is the floating IP on F5 for the proxies VLAN.
When i change the Proxies_All_Out virtual server to a specific destination like an internal nameserver, i can ping that nameserver.
But when using source 0.0.0.0/0 and destination and mask any it is not working.do proxy servers need snat to go to Internet? have you tried to enable snat automap under Proxies_All_Out virtual server?
EAX_25745Yes i did try SNAT Automap but it didn't work either.
I don't want to SNAT the proxy servers, but like i said. I did try but it did not make any difference.- nitassyou have defined default route in bigip, haven't you?
- EAX_25745Yes default GW is the router which is the same IP range as the external VLAN
- nitasscan you run tcpdump on bigip to see what happens?
to screen
tcpdump -nni 0.0 host x.x.x.x
to file
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x
x.x.x.x is proxy server ip 
What_Lies_Bene1Cirrostratus
Does the router have a route back to the F5 for the proxy VLAN/subnet?
Also, please confirm if the default route is definitely a LTM default route - you should be able to see it in the GUI.- EAX_25745I made two changes now.
1) On the virtual-address 0.0.0.0 i enabled ICMP-Echo.
This now allows me to ping across the wildcard virtual server for the proxies to access the internet etc.
2) I then set SNAT to Automap and now everything works.
So basically for me to disable SNAT Automap i will need to create a route on the routers that route all proxies traffic to the F5?- Jason_AdamsI know this is a little old, but I just want to make very clear that, when you enable ICMP-Echo on a 0.0.0.0 Virtual-Address, you are not actually performing a ping Through the BIG-IP. The virtual-address is responding directly. And because 0.0.0.0 will encompass ALL IP Addresses, this means that the BIG-IP will ICMP Respond to ALL IP Addresses This is generally an undesired behavior, and can cause a large amount of confusion.
- What_Lies_Bene1For any external routers, yes, that's exactly it.
- What_Lies_Bene1For any external routers, yes, that's exactly it.
- EAX_25745Ok i will do the routing changes and test.
Another thing... if i have an active / active pair, is it possible to have a virtual address 0.0.0.0 in traffic-group 1 and the same virtual address 0.0.0.0 in traffic-group 2?
What would happen with failover? Can both traffic-group 1 and 2's virtual address 0.0.0.0 run on the same box?
