Brerr
Apr 14, 2020

Newbie LTM lab setup question

I'm setting up a lab to do very simple LTM load balancing. I have a small/medium knowledge of F5 and have got quite a way in, but am struggling at what I think is the final hurdle.

I have 2 VMs (192.168.33.20 and .21) which I have successfully set up as nodes (they are recursive DNS servers). I have also set up a monitor, and I can see traffic coming from the F5 (using tcpdump) doing DNS queries.

I have a virtual server 10.0.0.10 which is configured to use the two pool members mentioned above.

If I send DNS query traffic to 10.0.0.10, I can see the traffic appear on the nodes, but they don't send traffic (DNS answers) back because they don't have a route to 10.x.

So I'm a little stuck on what to do next. I *think* it's something to do with SNAT and/or Automap, as I seem to remember having a similar issue years ago (the last time I set up a lab), but my memory is failing me (it's the old age).

Can anyone point me in the right direction?

Apologies if there isn't enough detail here, but it was difficult to work out what level I needed to go to, so if you need anything else let me know.

I *think* this is a fairly common/easy question, though (hopefully).

Thanks

Brett

5 Replies

  • What is the default gateway configured on the DNS servers?

    If it is not the F5's IP then, in your case, it will cause asymmetric routing issues. This is because the DNS servers' response will not go through the F5 and the session will be incomplete. So to avoid this situation, SNAT is the option you are talking about. By setting SNAT to automap, you can overcome the asymmetric routing issues and the response from DNS will go via the F5.

    Please enable SNAT and then check the traffic.

    Mayur

    • Brerr

      Thanks for the reply, really appreciated. That has helped my understanding a little but not solved my problem. The DNS servers, as you guessed, do not have a default gateway pointing at the F5s.

      The virtual server is 10.0.0.10

      The self IP is 10.0.0.100

      The VM (linux1) is 192.168.33.20

      I'm sending the DNS query to 10.0.0.10 and can see it appearing on the VM as follows:

      Without SNAT

      19:01:09.559313 IP 10.0.0.1.64843 > linux1.domain: 10311+ [1au] A? www.pwei.org.uk. (44)

      With SNAT automap

      19:03:07.364072 IP 10.0.0.101.50310 > linux1.domain: 47897+ [1au] A? www.pwei.org.uk. (44)

      As you can see, both of these are from 10.x, which will not work as the VM will answer this down its default gateway (which is on a different interface on the VM).

      I think the DNS query would have to come from the 192.168.33.0/24 network for this to work.

      Thoughts?

      Thanks

      Brett

  • I am happy to know that my earlier response helped you to get an understanding of SNAT.

    Moving ahead,

    1. Can you please provide the configuration done on the VS and also the routes present on the F5.

    2. On your point about having the DNS query come from subnet 192.168.33.0/24: this is one approach, but one question here: do the DNS servers know the F5 subnet (10.0.0.x)? What are the routes on the servers/VMs?

    Also, as it's a Linux VM, can you please check the iptables on it, if any?

    Mayur

    • Brerr

      1. Virtual server config pasted below:

      show running-config ltm virtual

      ltm virtual VS1-10.0.0.10-TCP {
        description VS1-TCP
        destination 10.0.0.10:domain
        ip-protocol tcp
        mask 255.255.255.255
        pool Pool1
        profiles {
          tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
          type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 4
      }

      ltm virtual VS1-10.0.0.10-UDP {
        description VS1-UDP
        destination 10.0.0.10:domain
        ip-protocol udp
        mask 255.255.255.255
        pool Pool1
        profiles {
          udp { }
        }
        source 0.0.0.0/0
        source-address-translation {
          type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 3
      }

      Below is the routing table on the F5 using netstat -nr:

      netstat -nr
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags MSS Window irtt Iface
      127.1.1.0       0.0.0.0         255.255.255.0   U       0 0        0 tmm
      10.0.0.0        0.0.0.0         255.255.255.0   U       0 0        0 internal
      192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
      192.168.33.0    0.0.0.0         255.255.255.0   U       0 0        0 external
      192.168.59.0    0.0.0.0         255.255.255.0   U       0 0        0 HA
      127.7.0.0       127.1.1.253     255.255.0.0     UG      0 0        0 tmm
      127.20.0.0      0.0.0.0         255.255.0.0     U       0 0        0 tmm_bp
      0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0

      The DNS servers have two interfaces (one shown below as an example):

      eth0: 192.168.1.20/24, gw 192.168.1.254. This is a bridged network on the laptop, connected also to the management interface of the F5 (192.168.1.110).

      eth1: 192.168.33.20/24, no gw. This is a host-only network on the laptop, also connected to the F5 (192.168.33.10).

      There is no iptables running on the Linux VMs.

      Below is the routing table on the VM using netstat -nr:

      Destination     Gateway         Genmask         Flags MSS Window irtt Iface
      0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0
      169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
      192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
      192.168.33.0    0.0.0.0         255.255.255.0   U       0 0        0 eth1

      So as you can see, the Linux VMs do not know about 10.x.

      My aim is to get this working as simply as possible (it's just a lab) but also in a way that would typically be done in production.

      Thanks again for your help, I really appreciate it.

      Brett

  • I do not see any issues with the VS configuration, but yes, there is an issue for the reverse traffic from the VM to the F5. You can achieve connectivity either by having one NIC of the VM in subnet 10.x, or by adding a self IP on the F5 in subnet 192.168.33.x, and adding the required routes.

    This way the return path for the traffic will be clear.

    Mayur
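As an added worked example (not part of the thread, and not F5 code), the following Python script models the return-path question Mayur raises in the first reply and resolves in the last one. It runs a longest-prefix-match lookup over linux1's posted routing table to show where the DNS reply actually goes for each source address the F5 could present, checks whether that first hop is an address the F5 owns, and picks a SNAT address on the pool member's own subnet (which is what automap is meant to do on the egress VLAN). The routing tables and addresses are constructed from the values in the thread; that 10.0.0.101 is a floating self IP, and the eth2 layout used for the "NIC in 10.x" option, are assumptions.

```python
import ipaddress

# Constructed from the thread: linux1's routing table as posted (netstat -nr).
# Entries are (prefix, gateway or None if directly connected, interface).
VM_ROUTES = [
    ("0.0.0.0/0",       "192.168.1.254", "eth0"),  # default via the bridged network
    ("169.254.0.0/16",  None,            "eth1"),
    ("192.168.1.0/24",  None,            "eth0"),
    ("192.168.33.0/24", None,            "eth1"),  # host-only network shared with the F5
]

# Option 1 from the final reply, assumed layout: the VM gets a NIC (eth2) in 10.0.0.0/24.
VM_ROUTES_WITH_10X_NIC = VM_ROUTES + [("10.0.0.0/24", None, "eth2")]

# F5 addresses named in the thread. 10.0.0.101 is the source automap used in the
# capture; that it is a floating self IP is an assumption, not stated on the page.
F5_SELF_IPS = {"10.0.0.100", "10.0.0.101", "192.168.33.10"}


def lookup_route(routes, dst):
    """Longest-prefix match over a routing table.

    Returns (gateway, interface) the kernel would use to reach dst, with gateway
    None when dst is directly connected, or None when no route matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        return None
    return best[1], best[2]


def returns_to_f5(routes, source_seen_by_server, self_ips):
    """True only if the reply's first hop is an address the F5 owns.

    The server answers to the source it saw (the client, or the SNAT address).
    If that source is directly connected, the reply reaches the F5 only when the
    address itself belongs to the F5; otherwise it goes to the route's gateway,
    which must be the F5 (Mayur's default-gateway question) for the path to be
    symmetric.
    """
    route = lookup_route(routes, source_seen_by_server)
    if route is None:
        return False
    gateway, _iface = route
    first_hop = gateway if gateway is not None else source_seen_by_server
    return first_hop in self_ips


def choose_snat_address(self_ips, pool_member, prefixlen=24):
    """Pick a self IP on the same subnet as the pool member, or None if there is none.

    prefixlen is the member subnet's mask; /24 matches the lab networks in the thread.
    """
    member_net = ipaddress.ip_network(f"{pool_member}/{prefixlen}", strict=False)
    for addr in sorted(self_ips, key=ipaddress.ip_address):
        if ipaddress.ip_address(addr) in member_net:
            return addr
    return None


if __name__ == "__main__":
    member = "192.168.33.20"
    for label, routes in (("as posted", VM_ROUTES), ("NIC in 10.x", VM_ROUTES_WITH_10X_NIC)):
        for src in ("10.0.0.1", "10.0.0.101", "192.168.33.10"):
            gw, iface = lookup_route(routes, src)
            ok = returns_to_f5(routes, src, F5_SELF_IPS)
            print(f"[{label}] reply to {src:<14} leaves {iface} via "
                  f"{gw or 'direct':<14} back at F5: {ok}")
    print("SNAT address on the member's subnet:", choose_snat_address(F5_SELF_IPS, member))
```

Run it to see that with automap presenting 10.0.0.101 the reply leaves eth0 toward 192.168.1.254 and never touches the F5, while a SNAT source of 192.168.33.10 (the F5's address on the host-only network) is directly connected on eth1 and comes straight back. Whichever fix is chosen, confirm it with tcpdump on the node: the reply's destination should be an address the F5 owns on that VLAN, and for the TCP virtual server the three-way handshake should complete rather than stall at SYN.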