Michael_57131
May 03, 2013

Asymmetric routing condition with two "external" networks

(Hopefully the attached PNG file shows, the red line is how the traffic is routed now, you can see the asymmetry, and the green line is how I'd like to force all traffic between these nodes)


We recently added an external interface on the F5 (external, meaning the firewall has the route, internal meaning the firewall has a static route to the F5).


When the interface was added and the IP address configured it broke our routing. Node A (default gateway is the F5) on the 10.101.246.0/24 network sent a packet to Node B on the 10.101.104.0/24 network. Since the F5 has a connection on this network, it took the least hops and sent out the request to node B on its interface on the 10.101.104.0/24.


Node B has a default gateway for the Firewall, so it sends the unicast IP packet to the firewall's MAC. The firewall does keep track of session state, doesn't have the initiation packet (since the F5 sent it out its direct interface) and refuses the connection, effectively ending the communication between Node A and Node B.


We only need to configure a virtual server on the 10.101.104.0/24 network that will send its traffic to node members of a pool on the 147.101.246.0/24. The F5 doesn't need to route anything for the 10.101.104.0/24 network.


Is there an iRule or some configuration I can put on the F5 so it will never send traffic for nodes through the 104 interface and to always send these packets to the default gateway (the FW)? We do have virtual servers on the F5 with node pool members that are on the 10.101.104.0/24 network, but I'd want even this traffic to go through the firewall. The only traffic we require from the 104 directly connected is the destination address for the virtual server that will be on the 104 interface.
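The failure the post describes can be reproduced in a small model of the topology. This is an added example, not from the thread or from F5: host addresses are constructed, the F5's connected route winning over its default route is modelled as a longest-prefix match, and the firewall is a stateful filter that only passes non-SYN packets for flows it has seen. The "fixed" case simply models the F5 no longer forwarding node traffic out the 104 interface, which is the behaviour the post asks how to achieve.

```python
import ipaddress

# Constructed topology from the post: A's gateway is the F5, B's gateway is the FW.
A, B, F5, FW = "10.101.246.10", "10.101.104.10", "f5", "fw"
ROUTES = {
    A:  [("0.0.0.0/0", F5)],
    B:  [("0.0.0.0/0", FW)],
    FW: [("10.101.104.0/24", "connected"), ("10.101.246.0/24", F5)],
    # The new external interface gives the F5 a connected route to 104.
    F5: [("10.101.246.0/24", "connected"), ("10.101.104.0/24", "connected"),
         ("0.0.0.0/0", FW)],
}

def next_hop(routes, device, dst):
    """Longest-prefix match; 'connected' means deliver directly on the LAN."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in routes[device]
               if ip in ipaddress.ip_network(p)]
    return max(matches)[1]

def forward(src, dst, syn, fw_state, routes):
    """Walk one packet hop by hop; return (path, delivered)."""
    path, device = [src], src
    while device != dst:
        nh = next_hop(routes, device, dst)
        nh = dst if nh == "connected" else nh
        if nh == FW:                      # packet is about to enter the firewall
            flow = frozenset({src, dst})
            if syn:
                fw_state.add(flow)        # new session: record it
            elif flow not in fw_state:
                return path + [FW], False  # stateful drop: no session for this flow
        path.append(nh)
        device = nh
    return path, True

def simulate(f5_via_fw):
    """Send A->B SYN then B->A reply; return (both delivered, request path, reply path)."""
    routes = dict(ROUTES)
    if f5_via_fw:  # modelled fix: F5 never forwards node traffic out the 104 interface
        routes[F5] = [("10.101.246.0/24", "connected"), ("0.0.0.0/0", FW)]
    fw_state = set()
    req_path, req_ok = forward(A, B, True, fw_state, routes)
    rsp_path, rsp_ok = forward(B, A, False, fw_state, routes)
    return req_ok and rsp_ok, req_path, rsp_path

if __name__ == "__main__":
    print("asymmetric:", simulate(False))  # reply dies at the firewall
    print("via firewall:", simulate(True))  # both directions traverse the FW
```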
