
Is InterVLAN Routing possible in F5

Nitesh
Altocumulus


From the below topology I want to ping from TEST_PC to the firewall interface IP (172.16.3.254). From the same TEST_PC I can ping WEB_SERVER. I am not sure why the ping to the firewall is not working. I have a ping policy associated with the firewall interface. Reverse routing is in place on the firewall pointing towards the HA IP (172.16.3.100). Is InterVLAN routing even possible in the LB?

[Topology diagram image]

Thanks


5 REPLIES

Nitesh
Altocumulus

It started working after doing the below config. But I couldn't ping 172.16.1.x from 172.16.2.x. I tried changing the destination IP to 0.0.0.0/0 or 172.16.0.0/16 but it didn't work.

ltm virtual Forwading_VS_MGMTPC {
    creation-time 2021-08-20:21:22:48
    destination 172.16.3.254:any
    ip-forward
    ip-protocol tcp
    last-modified-time 2021-08-21:10:00:37
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 6
}


Nitesh
Altocumulus

How to configure a Forwarding VIP such that I can ping any IP address? Furthermore, I believe AutoMap doesn't play any role in a Forwarding VS. I tried a packet capture and could see the same source and dest IP. The source IP is not getting translated.

Instead of "destination 172.16.3.254:any" use "0.0.0.0/0:any". This creates a full router without a filter on source or destination IPs. The kernel's routing table is used to forward traffic.

This should work. F5 is a default-deny device, meaning all traffic that does not match a Listener (a Virtual Server in this case) or an active connection in the connection table will be dropped.

To route packets, as Mike said, you will need to configure a VS with the target network as your destination address. This can be anything, from a single IP 172.16.1.1:any to a network 172.16.0.0/16:any to 0.0.0.0/0:any, which will match all traffic. If you want to filter which clients can talk with said network, you can modify the "source" and "VLAN" options so that only clients whose traffic comes from a specific network or on a specific VLAN will match the Routing VS.

AutoMap will NAT your Client IP with the F5 self-IP address on the VLAN where traffic is routed. For non-connected networks you should specify routes in the Network > Routes section. You can confirm which interface is used for egress with the bash command "ip route get x.x.x.x".
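The forwarding virtual server the reply above describes, written out as an added example (this is not configuration from the thread or from F5 itself): a wildcard 0.0.0.0:any listener that, instead of routing everything from everywhere, only matches clients on one VLAN and one source network, plus a static route for a network the F5 is not directly connected to. The VLAN name vlan_internal, the 172.16.2.0/24 client range and the 10.0.0.0/8 remote network are assumed values; 172.16.3.254 is the firewall address from the question.

```tmsh
# Added example, not from the thread. Names and ranges are assumptions.
# Wildcard IP-forwarding VS: the kernel routing table decides the egress
# VLAN, but only traffic arriving on vlan_internal from 172.16.2.0/24 matches.
ltm virtual Forwarding_VS_Internal {
    destination 0.0.0.0:any
    mask any
    ip-forward
    # "any" rather than "tcp": ICMP echo and UDP are forwarded as well.
    ip-protocol any
    profiles {
        fastL4 { }
    }
    # Restrict who may be routed: source network and ingress VLAN.
    source 172.16.2.0/24
    vlans {
        vlan_internal
    }
    vlans-enabled
    # No source-address-translation: the firewall sees the real client IP.
    translate-address disabled
    translate-port disabled
}

# Non-connected network (assumed 10.0.0.0/8) reached through the firewall
# from the question, so "ip route get" resolves it to the firewall VLAN.
net route To_Firewall_Networks {
    network 10.0.0.0/8
    gw 172.16.3.254
}
```

The same objects can be created interactively with `tmsh create ltm virtual Forwarding_VS_Internal destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { fastL4 } source 172.16.2.0/24 vlans add { vlan_internal } vlans-enabled translate-address disabled translate-port disabled` and `tmsh create net route To_Firewall_Networks network 10.0.0.0/8 gw 172.16.3.254`. Leaving SNAT off keeps the client address visible to the firewall's own policy; add `source-address-translation { type automap }` only when the return path would otherwise bypass the F5. To confirm the egress interface use the `ip route get 172.16.1.10` check from the reply, and `tmsh show sys connection cs-client-addr 172.16.2.10` shows whether the client's flow is actually being matched by the forwarding VS.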

Nitesh
Altocumulus

Thank you very much