Forum Discussion

Azzeddine_S
Feb 01, 2023

Big IP facing internet with private IP

Hi all,

I have a BIG-IP to load balance internet traffic through two ISPs; the first one gave a public IP that I configured on the interface, but the second only forwards the traffic to me on a private IP /32 segment.

When the device performs a health check it uses a self IP which is not routed over the internet, and the result is that I can only monitor the front-facing router but not internet resources such as the 4.2.2.2 public DNS.

Is there a way to make the monitor traffic be translated, or any other workaround which can help me (I'm sure I am not the first facing this case)?

Thanks a lot

5 Replies

  • You'll need to enable transparent monitor setting in your monitor configuration, and specify 4.2.2.2 as alias address. 
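The transparent monitor this reply suggests, written out in tmsh syntax as an added example that is not part of the thread; the monitor name, the node name and the ISP-02 router address 192.0.2.1 are assumptions:

```tmsh
ltm monitor gateway-icmp mon_isp2_dns_via_router {
    defaults-from gateway_icmp
    destination 4.2.2.2:*
    interval 5
    timeout 16
    transparent enabled
}

ltm node isp2_router {
    address 192.0.2.1
    monitor mon_isp2_dns_via_router
}
```

With `transparent enabled` the probe is addressed to 4.2.2.2 but routed through the node it is attached to, so the router node is marked up only when 4.2.2.2 answers via that path. The probe is still sourced from the non-floating self IP on the egress VLAN; transparent mode changes the next hop and the expected responder, not the source address.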

  • Azzeddine_S Is the second connection that provides the private IP set up with a router between your F5 and the ISP, or is the connection into the F5 a direct connection from the ISP? Typically ISPs do not provide private IP space because of the issue you are referring to. As far as health monitors are concerned, I would pick one destination to check on ISP 1 and a different destination to check on ISP 2. Once you have those different destinations picked you can configure a static route for each that points them to your gateway for the respective ISP. As an example you would have the following, as long as the ISP will NAT your IP for ISP 2 if they really do provide you a private IP.

    net route ISP_1_Monitor {
        description "ISP 1 destination for health monitor"
        gw <ISP_1_gateway_IP>
        network 4.2.2.2/32
    }
    
    net route ISP_2_Monitor {
        description "ISP 2 destination for health monitor"
        gw <ISP_2_gateway_IP>
        network <ISP_2_monitor_destination_IP>/32
    }

    Once you have these routes configured you should be able to implement ECMP using the following guide.

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-ecmp-mirrored-clustering-12-1-0/1.html

  • Hi Paulius,

    This is what I am already configuring, but:

    • when the BIG-IP monitors 4.2.2.2 through ISP-01 it uses the outbound self IP, which is public; the traffic is routed correctly and the router node is marked Up
    • when the BIG-IP monitors 4.2.2.2 through ISP-02 it uses the outbound self IP, which is private; the traffic is automatically dropped and the router node is marked Down

    For information, user traffic is translated using pools.

    There has to be a way to make the monitoring use a non-physical IP.

    • Paulius

      Azzeddine_S On ISP what device translates your private IP to a public IP in that case? The F5 shouldn't care about private or public as long as you specify a gateway on the same subnet and further down the line that device translates you from your private IP to a public IP. What troubleshooting have you performed to know that the traffic is indeed being dropped?

  • Hi all,

    Our topology is similar to the following

    The outgoing traffic is load balanced on two links:

    For ISP-01, both the egress internet and monitoring traffic use the physical interface and everything is OK since it has a public IP.

    For ISP-02 the outgoing interface has a private IP; the egress internet traffic is translated to a pool of IPs and routed back from ISP-02, but the monitoring traffic is generated with the physical IP as a source. When it reaches the ISP router it is dropped and the monitoring fails.

    Is there a way to force the monitoring to use a pool of IPs?

    Thanks a lot