Big IP facing internet with private IP

Azzeddine_S · ‎01-Feb-2023

Hi all,

I have a BIG ip to loadbalance to internet traffic through to ISPs, the first one gave public IP that i configure on the interface, but the second only forward to me the traffic on a private IP /32 segment .

when a device performs a health check it uses a self IP which is not routed over the internet and the ruslt that i can only monitor the front facing router but not internet ressources as 4.2.2.2 public DNS.

is there a way make the monitors traffic be translated or any other workaround which can help me(i sure i am not the first facing this case)

thanks a lot

CA_Valli · ‎01-Feb-2023

You'll need to enable transparent monitor setting in your monitor configuration, and specify 4.2.2.2 as alias address.

Paulius · ‎01-Feb-2023

@Azzeddine_S Is the second connection that provides the private IP setup with a router between your F5 and the ISP or is the connection into the F5 a direct connection from the ISP because typically ISPs do not provide private IP space because of the issue you are referring to. As far as health monitors are concerned I would pick 1 destination to check on ISP 1 and a different destination to check on ISP 2. Once you have those different destinations picked you can configure a static route for each that points them to your gateway for the respective ISP. As an example you would have the following as long as the ISP will NAT your IP for ISP 2 if they really do provide you a private IP.

net route ISP_1_Monitor {
    description "ISP 1 destination for health monitor"
    gw <ISP_1_gateway_IP>
    network 4.2.2.2/32
}

net route ISP_2_Monitor {
    description "ISP 2 destination for health monitor"
    gw <ISP_2_gateway_IP>
    network 4.2.2.2/32
}

Once you have these routes configured you should be able to implement ECMP using the following guide.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-ecmp-mirrored-clus...

Azzeddine_S · ‎01-Feb-2023

HI Paulius,

This is what i am already configuring but:

when the BIG IP Monitor 4.2.2.2 through ISP-01 it uses the outbound Self IP which is Public and the traffic is routed correctly and the router Node is matked Up
when the BIG IP Monitor 4.2.2.2 through ISP-02 it uses the outbound Self IP which is Private and the traffic is automatically droped and the router Node is matked Down

for information user traffic is translated using pools.

it have to be a way to make the monitoring to use a non physical IP.

Paulius · ‎01-Feb-2023

@Azzeddine_S On ISP what device translates your privat IP to a public IP in that case? The F5 shouldn't care about private or public as long as you specify a gateway on the same subnet and further down the line that device translates you from your private IP to a public IP. What troubleshooting have you performed to know that the traffic is indeed being dropped?

Azzeddine_S · ‎23-Feb-2023

Hi all,

our topology is similar to the folowing

The outging triffic is loadbalanced on two links :

for ISP-01 both the egress internet and monitoring traffic use the physical interface and every thing is ok since it has a public IP

for ISP-02 the outgoing interface has a private IP , the egress internet traffic is translated to a pool of IP and routed back from the ISP-02, but the monitoring traffic is generated with the physical IP as a source. whene it reaches the ISP router it is droped and the monitoring fails.

Tpology_v1.0.png

is there a way to force the monitoring to use a pool of IPs ?

thanks a lot

DevCentral

Big IP facing internet with private IP

Khoros Kudos Award 2022