cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

How to make outbound traffic to flow through an F5

F5Newbie
Nimbostratus
Nimbostratus

Hello,

 

We have an F5 LTM that front our backend middleware server-pair in a HA setup. So F5 serves as a LB that forward incoming traffic to the active one.

 

But we also need the backend server initiated outbound communication session to go through the F5 and carries F5's address as the origin IP.

 

This is needed because we are replacing an existing standalone middleware server with this above F5-HA infrastructure. But we're experiencing some difficulty.

 

What do we need to do to make this above configuration possible?

11 REPLIES 11

Simon_Blakely
F5 Employee
F5 Employee

You create an Outbound Performance Layer 4 virtual server on the VLAN with a destination of 0.0.0.0 (all addresses). You will need to SNAT automap this traffic so the source IP address is changed to the bigIP external IP address. If you need to forward UDP traffic you will need to set the protocol to Any

You may also want to configure a custom Performance Layer 4 profile for this virtual with Loose Initiation and Loose Close.

 

You set the default gateway of devices in the vlan to the floating Self-IP address of the vlan.

 

When those devices try to make an outgoing connection, they send the packets to the mac address of the floating self-IP (which is the mac address of the Active BigIP). The destination address (on the internet) matches the wildcard destination of the outgoing VIP, and the BigIP routes the packet out according to the routing table. Returning traffic comes to the SNAT address (BigIP external floating self-IP), matches the existing connection table entry, and is passed to the source device.

 

 

Hi Simon,

After I configured as youd indicated (with SNAT = automap), I can ping google from the device (that uses F5 floatIP as default gateway). However, from my laptop (in VPN), I can't ping the device or RDP back into it.

When I change SNAT from 'automap' to 'none' in the Outbound vs, my laptop (in VPN) can now ping the device/RDP into it just fine but the device can't ping google.

What can I do to achieve both goal? (the device can do outbound traffic and I can ping/RDP into the device)

F5Newbie
Nimbostratus
Nimbostratus

Simon, ​thanks so much your insight!

Even though this mechanism seems to be way over my head, I got the underline principle.

 

Although I understand F5 LTM is only for load balancing inbound traffic, it seems unlikely what we need is a rarely encountered scenario. Isn't there a simpler way to meet such needs?

 

It is mandatory for us to make the migration from old to the new F5-HA infrastructure a transparent one as much as possible. Introducing extra BigIP components is not a feasible option at this time.

 

We have a sizable F5 team who configure devices for Load Balancing, that's the capacity we're engaging now. Expanding the scope would be a hard call.

 

Specifically, the middleware is IBM MQ. I tried to apply local address of the outbound channel to the F5's IP. But the channel process could not bind to the F5 IP.

> Although I understand F5 LTM is only for load balancing inbound traffic, it seems unlikely what we need is a rarely encountered scenario. Isn't there a simpler way to meet such needs?

 

I don't see a much simpler solution. This is very common, where the BigIP acts as the outbound gateway for the internal devices.

 

> Specifically, the middleware is IBM MQ. I tried to apply local address of the outbound channel to the F5's IP. But the channel process could not bind to the F5 IP.

 

I'm not really sure what you are trying to do here.

 

 

 

F5Newbie
Nimbostratus
Nimbostratus

Sorry, words are difficulty to explain what we need. So I put together the below diagram. What I want to achieve is a completely transparent migration with zero interruption to business. Ultimately, the migration is to save money - taxpayer's money. Hope the diagram is clearer.

 

thanks so much for your input!

the drawing shows what you explained before and what Simon says seems to be the solution. it is a pretty common setup.

 

but then you add information about local channels and bind addresses and such. that doesn't become more clear in the drawing unfortunately. you probably will have to show some more of about the middleware for someone to understand that part and perhaps chip in.

 

what kind of outbound traffic is it, perhaps that helps? i.e. can you test with a ping or something?

Yeah, the solution I provided should solve that problem as described in the picture. But there may be other issues I am not aware of.

 

> What I want to achieve is a completely transparent migration with zero interruption to business. Ultimately, the migration is to save money - taxpayer's money. Hope the diagram is clearer.

 

While you have laudable aims, you probably need to make a choice between your goals.

You can save money, and risk having disruptions, or you can accept that a seamless migration with minimal disruption will include the cost of engaging F5 Professional Services.

 

Even a solid discussion with your F5 Account team/F5 Sales will put you on a better footing.

While the DevCentral is a great resource, it isn't a support organisation, and if you have an issue on the day there isn't anyone to call. If the migration is critical, engage with the people who do things like this professionally. Even if it costs a bit more.

F5Newbie
Nimbostratus
Nimbostratus

Thank you so much Simon and boneyard!

 

I did quite some reading. Now I understand your initial suggestion a lot better.

 

It seems a second F5 will be needed to perform source NAT for outbound communication sessions so all departing traffic carries the IP of the inbound F5, or original VIP address. Maybe one day there will be a F5 device that can handle both inbound and outbound sessions?

 

Armed with the understanding, I'll engage our F5 team to devise a solution to our Middleware challenge.

> It seems a second F5 will be needed to perform source NAT for outbound communication sessions so all departing traffic carries the IP of the inbound F5, or original VIP address. Maybe one day there will be a F5 device that can handle both inbound and outbound sessions?

 

I don't understand where you got that idea from. It is perfectly feasible to implement this in a single LTM device. As I say, this is very common and does not require multiple BigIP devices.

F5Newbie
Nimbostratus
Nimbostratus

Wow, that's enlightening statement to read!

 

Would you mind pointing me to the right document? From your first response, I got the impression that multiple devices in a complex configuration would be needed to meet our need - apparently due to my lack of knowledge. Also an F5 engineer told me F5 is just for load balancing inbound traffic, and nothing more.

 

It seems I have to understand and speak the BigIP language to understand and explain my need. So reading the right documentation will be paramount. I have read through the BIG-IP® Local Traffic Management: Basics, so have a minimum idea.

 

thank you so much!

here are some resources to look at:

 

https://devcentral.f5.com/s/question/0D51T00007MyRgs/apm-sso-breaks-rdp-persistence - uses forwarding IP, Performance (Layer 4) is another option

 

more information on IP forwarding virtual server: https://support.f5.com/csp/article/K7595 - again many of the principles can be applied to Performance (Layer 4)

 

https://devcentral.f5.com/s/question/0D51T00006i7bEG/outbound-traffic-from-internal-vlan-server