Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Big IP facing internet with private IP

Azzeddine_S
Cirrus
Cirrus

‎01-Feb-2023 02:31

Hi all,

I have a BIG ip to loadbalance to internet traffic through to ISPs, the first one gave public IP that i configure on the interface, but the second only forward to me the traffic on a private IP /32 segment .

when a device performs a health check it uses a self IP which is not routed over the internet and the ruslt that i can only monitor the front facing router but not internet ressources as 4.2.2.2 public DNS.

is there a way make the monitors traffic be translated or any other workaround which can help me(i sure i am not the first facing this case)

thanks a lot

Labels:
0 Kudos
5 REPLIES 5

CA_Valli
MVP
MVP

‎01-Feb-2023 05:44 - edited ‎01-Feb-2023 05:47

You'll need to enable transparent monitor setting in your monitor configuration, and specify 4.2.2.2 as alias address. 

0 Kudos

Paulius
MVP
MVP

‎01-Feb-2023 06:08

@Azzeddine_S Is the second connection that provides the private IP setup with a router between your F5 and the ISP or is the connection into the F5 a direct connection from the ISP because typically ISPs do not provide private IP space because of the issue you are referring to. As far as health monitors are concerned I would pick 1 destination to check on ISP 1 and a different destination to check on ISP 2. Once you have those different destinations picked you can configure a static route for each that points them to your gateway for the respective ISP. As an example you would have the following as long as the ISP will NAT your IP for ISP 2 if they really do provide you a private IP.

net route ISP_1_Monitor {
    description "ISP 1 destination for health monitor"
    gw <ISP_1_gateway_IP>
    network 4.2.2.2/32
}

net route ISP_2_Monitor {
    description "ISP 2 destination for health monitor"
    gw <ISP_2_gateway_IP>
    network 4.2.2.2/32
}

Once you have these routes configured you should be able to implement ECMP using the following guide.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-ecmp-mirrored-clus...

0 Kudos

Azzeddine_S
Cirrus
Cirrus

‎01-Feb-2023 06:54 - edited ‎01-Feb-2023 07:14

HI Paulius,

This is what i am already configuring but: 

  • when the BIG IP Monitor 4.2.2.2 through ISP-01 it uses the outbound Self IP which is Public and the traffic is routed correctly and the router Node is matked Up
  • when the BIG IP Monitor 4.2.2.2 through ISP-02 it uses the outbound Self IP which is Private and the traffic is automatically droped and the router Node is matked Down

for information user traffic is translated using pools.

it have to be a way to make the monitoring to use a non physical IP. 

0 Kudos

Paulius
MVP
MVP
In response to Azzeddine_S

‎01-Feb-2023 12:09

@Azzeddine_S On ISP what device translates your privat IP to a public IP in that case? The F5 shouldn't care about private or public as long as you specify a gateway on the same subnet and further down the line that device translates you from your private IP to a public IP. What troubleshooting have you performed to know that the traffic is indeed being dropped?

0 Kudos

Azzeddine_S
Cirrus
Cirrus

‎23-Feb-2023 06:02

Hi all,

our topology is similar to the folowing

Tpology_v1.0_2.png

The outging triffic is loadbalanced on two links :

for ISP-01 both the egress internet and monitoring traffic use the physical interface and every thing is ok since it has a public IP

for ISP-02 the outgoing interface has a private IP , the egress internet traffic is translated to a pool of IP and routed back from the ISP-02, but the monitoring traffic is generated with the physical IP as a source. whene it reaches the ISP router it is droped and the monitoring fails.

Tpology_v1.0.png

is there a way to force the monitoring to use a pool of IPs ?

thanks a lot

0 Kudos
Copyright © 2023 Khoros, LLC