LTM: Configuring IP Forwarding

A basic change in internal routing architecture and functionality between BIG-IP 4.x and LTM 9.x has caused some confusion for customers whose v4.x deployment depended on IP forwarding. Here is an explanation of the change, and the new configuration requirements to support forwarding of IP traffic using LTM.

What changed?

Both BIG-IP and LTM are default deny devices, which means a specific configuration is required to support every desired traffic flow. In BIG-IP, packets not matching a virtual server or SNAT/NAT would be dropped, unless the BIG-IP v4.x global IP forwarding checkbox feature was enabled. With IP forwarding enabled, packets not matching a virtual or SNAT/NAT would be forwarded intact per the routing table entries.

LTM also requires that all traffic must match a defined TMM listener (a virtual server, SNAT or NAT) or be dropped. However, LTM's full application proxy architecture separates routing intelligence from load balancing, and the deprecated IP forwarding feature was intentionally not included in LTM to optimize load balancing performance.

The IP forwarding checkbox feature was deprecated early in the BIG-IP 4.x tree. Although F5 has long recommended that IP forwarding be replaced with forwarding virtual servers, forwarding pools, SNATs or NATs, some customers retained their IP forwarding configuration when upgrading to LTM v9.x. Since those various configuration options exist to support traffic previously managed by IP forwarding, the One-Time Conversion Utility (OTCU) that translates v4 configurations to v9 syntax does not presume to configure global forwarding virtual servers in place of global IP forwarding. For those customers and other administrators already familiar with BIG-IP but now using LTM, it isn't obvious how to replicate the forwarding behaviour they require.

Configuring forwarding for LTM

The recommended replacement for global IP forwarding is a forwarding virtual server configured to listen for all IP protocols, all addresses and all ports on all VLANs. This virtual server would catch all traffic not matching another listener and forward in accordance with LTM's routing table entries.

You can configure a wildcard forwarding virtual server that listens for all IP protocols, all addresses and all ports on all VLANs.

1. In the LTM GUI, browse to Virtual Servers and click "Create".

2. Configure the following properties:

Destination: Network
Address: 0.0.0.0
Mask: 0.0.0.0
Service Port: 0
Type: Forwarding (IP)
Protocol: * All Protocols
VLAN Traffic: All VLANs

3. Click "Finish" to create the virtual server.

The resulting configuration snippet looks like this:

virtual forward_vs {
   ip forward
   destination any:any
   mask none
}

This will forward all IP traffic as long as there is a matching route in the routing table. (Packets bound for destinations for which there is no route will be dropped with no ICMP notification.)

Commonly required modifications

You can limit forwarding to only traffic bound for specific subnets by specifying the appropriate subnet and mask.

If a different router exists on any directly connected network, you may need to create a custom fastL4 profile with "Loose Initiation" and "Loose Close" enabled to prevent LTM from interfering with forwarded conversations traversing an asymmetrical path.

If the forwarding virtual server is intended to allow outbound access for your privately addressed servers, you will need to configure a SNAT to translate the source address of that traffic to a publicly routable address.

If you have multiple gateways, you can load balance requests between the routers. To do so, first create a gateway pool containing the routers as members. Then configure the virtual server as above, but select Type "Performance (Layer 4)" instead of "Forwarding (IP)" and apply the gateway pool as its resource.
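A wildcard forwarding virtual server (destination any:any, mask none) enabled on every VLAN forwards anything that has a route, which is the exposure the comments below warn about. The audit script that follows is an added example, not part of the original article or F5's tooling: it parses stanzas written in the bigpipe-style syntax shown above and flags wildcard forwarding virtuals with no VLAN restriction. The sample config is constructed, and the `vlans <name> enable` line is an assumed way of writing the "VLAN Traffic" setting.

```python
import re

# Constructed sample config in the bigpipe-style syntax shown on the page.
# "vlans ... enable" is an assumed rendering of the "VLAN Traffic" setting.
SAMPLE_CONFIG = """
virtual forward_vs {
   ip forward
   destination any:any
   mask none
}
virtual forward_internal_vs {
   ip forward
   destination any:any
   mask none
   vlans internal enable
}
virtual forward_dmz_net_vs {
   ip forward
   destination 192.168.10.0:any
   mask 255.255.255.0
   vlans external enable
}
virtual www_vs {
   destination 10.0.0.10:http
   pool www_pool
}
"""

STANZA = re.compile(r"virtual\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_virtuals(text):
    """Return {name: {forward, destination, mask, vlans}} for each virtual stanza."""
    out = {}
    for name, body in STANZA.findall(text):
        vs = {"forward": False, "destination": "", "mask": "", "vlans": []}
        for line in body.strip().splitlines():
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "ip" and parts[1:2] == ["forward"]:
                vs["forward"] = True          # Type: Forwarding (IP)
            elif parts[0] == "destination":
                vs["destination"] = parts[1]  # e.g. any:any or 10.0.0.10:http
            elif parts[0] == "mask":
                vs["mask"] = parts[1]
            elif parts[0] == "vlans" and parts[-1] == "enable":
                vs["vlans"] = parts[1:-1]     # assumed VLAN restriction syntax
        out[name] = vs
    return out

def audit(text):
    """Names of wildcard IP forwarding virtuals that listen on all VLANs."""
    findings = []
    for name, vs in parse_virtuals(text).items():
        wildcard = vs["destination"].startswith("any") and vs["mask"] in ("none", "0.0.0.0")
        if vs["forward"] and wildcard and not vs["vlans"]:
            findings.append(name)
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the unrestricted wildcard forwarders; network forwarding virtuals and VLAN-limited ones pass.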

Related information

SOL7229: Methods of gaining administrative access to nodes through the BIG-IP system
If you only need to forward administrative traffic to your servers, and no other forwarding is required, there are several additional options for that detailed in this solution.

SOL473: Advantages and disadvantages of using IP forwarding
This is an old solution that summarizes the pros and cons of BIG-IP 4.x IP forwarding. I only suggest reading it now to highlight the fact that LTM's approach retains the advantages and overcomes the disadvantages mentioned therein.

Published Feb 12, 2008
Version 1.0
  • I generally recommend that when creating a 0.0.0.0/0 IP forwarding Virtual Server you only enable it on internal VLANs. Network Virtual Servers (i.e. 192.168.10.0/24) are better to enable on external VLANs, since they will only forward traffic destined for that particular network.

  • Deb_Allen_18 (Historic F5 Account):
    Good point, Doug, thanks.

    The LTM approach does offer much more granular traffic management options than BIG-IP 4.x did, so it definitely makes sense to refine your configuration in this manner when migrating.
  • Dears,

    I want to enable only ICMP packets through the IP FWD VS, but there are TCP and UDP only.

    Could you please advise?

    Thanks
  • In the virtual server configuration, change the Type field to "Forwarding (IP)" and the Protocol field to "* All Protocols".
  • Eslam Ahmed - create the same profile, just choose Protocol "Other" and put number 1 there. ICMP is IP protocol number 1. With this you enable ICMP routed traffic.