Forum Discussion

Martin_Vlasko
Feb 20, 2017

LTM source based routing, different default gateway for each Vlan

Hi all,

I would like to get my routing assumptions confirmed by somebody who already has experience with source based routing on LTM. Or, in case the assumption is not correct, I would be happy to get help with it.

Imagine the following situation. Servers reside in Vlan A and Vlan B behind a firewall. Each Vlan has a subinterface on the firewall and the firewall's IP is the default gateway for the particular Vlan. This is clear, no need for any special routing:
        |                  |
-----------------------------------
|             FIREWALL            |
|                                 |
|   10.0.1.1           10.0.2.1   |
-----------------------------------
        |                  |
        |                  |
      VLAN A             VLAN B
        |                  |
        |                  |
     SERVERS            SERVERS
    10.0.1.60          10.0.2.60
    10.0.1.61          10.0.2.61

Now I need to be able to do some load balancing in both Vlans so I introduce LTM in the following way:
        |                  |
-----------------------------------
|             FIREWALL            |
|                                 |
|   10.0.1.1           10.0.2.1   |
-----------------------------------
        |                  |
        |                  |
      VLAN A             VLAN B
        |                  |
        |                  |
---------------------------------------
|  VIP:10.0.1.15      VIP:10.0.2.15   |
|               F5 LTM                |
|                                     |
| SNAT:10.0.1.25     SNAT:10.0.2.25   |
---------------------------------------
        |                  |
        |                  |
      VLAN A             VLAN B
        |                  |
        |                  |
     SERVERS            SERVERS
    10.0.1.60          10.0.2.60
    10.0.1.61          10.0.2.61

So the LTM (VIP, SNAT) shares the same subnet with backend servers.

This allows clients to reach the backend servers either way:

  • directly from the firewall: client->firewall->server and on the way back it's server's default gateway which points the packet from the server back to firewall.
  • via LTM through VIP: client->firewall->VIP->SNAT->server. On the way back the server sends the packet back to SNAT, so it's: server->SNAT->VIP->firewall->client.

Now to my routing question. I don't know the IPs of our clients; they can come from any subnet. So on the F5 I need a default route towards the firewall for each Vlan, but the response packet must adhere to the same Vlan through which the request came in, otherwise the firewall will drop the response packet (anti-spoofing). Basically I need to achieve the following, for example:
REQUEST: client 123.1.1.1 -> firewall 10.0.1.1 -> F5 VIP 10.0.1.15 -> F5 SNAT 10.0.1.25 -> SRV 10.0.1.60
RESPONSE: 10.0.1.60 -> 10.0.1.25 -> 10.0.1.15 -> !!! 10.0.1.1 !!! -> 123.1.1.1

REQUEST: client 123.1.1.1 -> firewall 10.0.2.1 -> F5 VIP 10.0.2.15 -> F5 SNAT 10.0.2.25 -> SRV 10.0.2.60
RESPONSE: 10.0.2.60 -> 10.0.2.25 -> 10.0.2.15 -> !!! 10.0.2.1 !!! -> 123.1.1.1

  1. Does the Auto Last Hop feature solve this 'source based routing' problem?
  2. If it does, do I still need anything else in F5 routing table, for example to reach the backend servers? Or can I leave the routing table empty (assuming F5 should be able to reach directly attached networks)?

Thanks.

Martin

1 Reply

  • The F5 will not need any additional routing. The BIG-IP is a full proxy. This results in two TCP connections: clientside and serverside. So for your example these will be:

    client:123.1.1.1 -> F5 VIP 10.0.1.15 (clientside)
    F5 SNAT 10.0.1.25 -> SRV 10.0.1.60 (serverside)
    

    There will be no drops on the firewall due to spoofing, because the firewall will only see the legitimate clientside connection. The serverside connection will not pass the firewall because it's a connection within the same vlan.
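The scenario in the question (two VLANs, one VIP/SNAT pair per VLAN, a firewall that drops replies arriving on the wrong subinterface) and the full-proxy point in the reply can be played through in a small model. The following is an added example written for this page, not F5 code and not from either poster. It models the BIG-IP as a full proxy with a connection table, a routing table with only the single default route the question worries about, and an Auto Last Hop switch; the firewall's per-VLAN anti-spoofing check is modelled as "the source address must belong to the subnet of the subinterface the packet arrives on". Real Auto Last Hop records the MAC address of the last L2 hop per connection; here the firewall subinterface IP stands in for that MAC, which is an assumption of the model. The `simulate()` function, `BigIP` class and `firewall_accepts()` helper are all names introduced here. Addresses are the ones in the post.

```python
"""Model of the two-VLAN BIG-IP deployment from the thread (constructed example).

Addresses come from the post. The firewall, the LTM connection table and the
Auto Last Hop behaviour are simplified models written for this example.
"""
import ipaddress
from dataclasses import dataclass

# Directly connected VLANs and the firewall subinterface in each, as drawn in the post.
VLANS = {
    "A": ipaddress.ip_network("10.0.1.0/24"),
    "B": ipaddress.ip_network("10.0.2.0/24"),
}
FIREWALL = {"A": "10.0.1.1", "B": "10.0.2.1"}

# Virtual servers with their SNAT address and pool members (from the post).
VIRTUALS = {
    "10.0.1.15": {"snat": "10.0.1.25", "pool": ["10.0.1.60", "10.0.1.61"]},
    "10.0.2.15": {"snat": "10.0.2.25", "pool": ["10.0.2.60", "10.0.2.61"]},
}


def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if it is not on-link."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


@dataclass
class Flow:
    client: str
    vip: str
    snat: str
    server: str
    last_hop: str  # L3 hop that delivered the request (stands in for the last-hop MAC)


class BigIP:
    """Full proxy: one clientside and one serverside connection per flow."""

    def __init__(self, routes, auto_last_hop):
        # routes: list of (prefix, gateway). The post's case is a single default route.
        self.routes = [(ipaddress.ip_network(p), gw) for p, gw in routes]
        self.auto_last_hop = auto_last_hop
        self.flows = {}

    def next_hop(self, dst):
        """On-link destinations need no route entry; otherwise longest-prefix match."""
        if vlan_of(dst):
            return dst
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, gw) for net, gw in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches)[1]

    def accept_request(self, client, vip, from_hop):
        """Clientside connection lands on the VIP; open the serverside one from the SNAT."""
        v = VIRTUALS[vip]
        server = v["pool"][0]
        self.flows[(server, v["snat"])] = Flow(client, vip, v["snat"], server, from_hop)
        # Serverside packet: SNAT -> server, same VLAN, so next_hop() returns the server itself.
        return v["snat"], self.next_hop(server)

    def return_response(self, server, snat):
        """Serverside reply arrives; pick the hop for the clientside reply (VIP -> client)."""
        flow = self.flows[(server, snat)]
        hop = flow.last_hop if self.auto_last_hop else self.next_hop(flow.client)
        return flow.vip, flow.client, hop


def firewall_accepts(src, via_hop):
    """Anti-spoofing: a packet handed to subinterface X must carry a source inside X's subnet."""
    return vlan_of(src) == vlan_of(via_hop)


def simulate(auto_last_hop, client="123.1.1.1"):
    """One request/response per VIP; returns {vip: (hop used for the reply, verdict)}."""
    ltm = BigIP(routes=[("0.0.0.0/0", FIREWALL["A"])], auto_last_hop=auto_last_hop)
    results = {}
    for vip in VIRTUALS:
        ingress = FIREWALL[vlan_of(vip)]  # request came from this VLAN's firewall interface
        snat, server_hop = ltm.accept_request(client, vip, ingress)
        src, _dst, hop = ltm.return_response(server_hop, snat)
        results[vip] = (hop, "forwarded" if firewall_accepts(src, hop) else "dropped")
    return results


if __name__ == "__main__":
    print("default route only:", simulate(auto_last_hop=False))
    print("auto last hop     :", simulate(auto_last_hop=True))
```

With only a default route via 10.0.1.1 and no Auto Last Hop, the reply for the VLAN B virtual is sent to 10.0.1.1 with source 10.0.2.15 and fails the anti-spoofing check; with Auto Last Hop each reply goes back through the subinterface the request arrived on. The model also shows the second point from the thread: `next_hop()` never consults the routing table for the pool members, because they are on-link.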