Good call, @CA_Valli. In fact, early days of v9 when I was a customer, my SEs recommended as a best practice to avoid defining a self-IP on the public facing interface for DMZ-deployed boxes.
I tried to define a VS using the new subnet address before I did anything, with destination/mask setting to. say. 192.168.31.250/23 or 192.168.31.250/255.255.254.0. But LTM complaints the value is invalid. I can only provide a mask of 255.255.255.255 or simply no mask at all.
Possible to specify the correct netmask (/23) in virtual server destination ?
Hi @ST_Wong the virtual server listens on a host or range of hosts as a CIDR block. So if you are trying to establish a /23 network for the virtual server to listen on, then it needs to be a valid network address to do so. If you are only wanting to listen to the 192.168.31.250 host, then you do not need to specify the mask on the destination at all.
The virtual server is not an L3 routing table. Routes assure that traffic gets to/from the BIG-IP, the virtual server is how traffic flows through the BIG-IP.
Inbound traffic now works, however, the default gateway on original subnet 192.168.8.0/24 seems won't help routing traffic for 192.168.31.0/23. All outbound traffic to non-local network got timeout.
Can we forward outbound traffic for the new IP range 192.168.31.0/23 to corresponding gateway 192.168.31.254 ?
a diagram of what's local and what's remote and where you're wanting traffic to route would be helpful.
Just note a couple things:
auto-lasthop will return application traffic responses to where it came from unless you disable that behavior, so for response traffic anyway, you don't even need a default route from BIG-IP.
An effective route is not enough to forward traffic through BIG-IP, you need to enable a network forwarding virtual server that is enabled on the ingress vlan in order for traffic initiating from that ingress network to egress the BIG-IP to another vlan.
VLAN 123
________________|_______________
| |
192.168.8.0/24 192.168.30.0/23
(gw 192.168.8.67) (gw 192.168.31.254)
|
LTM (self IP on 192.168.8.0/24)
|
VS (192.168.31.250/23)
Some test results when ping from host (192.168.31.250)
* To 192.168.8.0/24: OK, except the gateway 192.168.8.67
* To all other networks: no response
Inbound traffic from anywhere to the VS is okay.
Since the outbound packet goes through gw 192.168.8.67, i wonder if the gw will route any reply to 192.168.30.0/23, where the packets will be discarded to prevevnt IP spoofing. Just wild guess...
Can I configure LTM to send outbound packets for 192.168.30.0/23 through gw 192.168.31.254 instead of using default gateway of LTM 192.168.8.67 ? Sorry for the newbie question.
