Newbie LTM lab setup question

Brerr
Nimbostratus

I'm setting up a lab to do very simple LTM load balancing. I have a small/medium knowledge of F5 and have got quite a way in, but am struggling at what I think is the final hurdle.

I have two VMs (192.168.33.20 and .21) which I have successfully set up as nodes (they are recursive DNS servers). I have also set up a monitor, and I can see traffic coming from the F5 (using tcpdump) doing DNS queries.

I have a virtual server 10.0.0.10 which is configured to use the two pool members mentioned above.

If I send DNS query traffic to 10.0.0.10 I can see the traffic appear on the nodes, but they don't send traffic (DNS answers) back because they don't have a route to 10.x.

So I'm a little stuck on what to do next. I *think* it's something to do with SNAT and/or Automap, as I seem to remember having a similar issue years ago (the last time I set up a lab), but my memory is failing me (it's the old age).

Can anyone point me in the right direction?

Apologies if there isn't enough detail here, but it was difficult to work out what level I needed to go to, so if you need anything else let me know.

I *think* this is a fairly common/easy question though (hopefully)

Thanks

Brett


What is the default gateway configured on the DNS servers?

If it is not the F5 IP then, in your case, it will cause asymmetric routing issues. This is because the DNS servers' responses will not go through the F5 and the session will be incomplete. So to avoid this situation, SNAT is the option that you are talking about. By keeping the SNAT setting at automap, you can overcome the asymmetric routing issues and the response from the DNS will go via the F5.

Please enable SNAT and then check traffic.

Mayur

Thanks for the reply, really appreciated. That has helped my understanding a little but not solved my problem. The DNS servers, as you guessed, do not have a default gateway pointing at the F5s.

The virtual server is 10.0.0.10

The selfip is 10.0.0.100

The VM (linux1) is 192.168.33.20

I'm sending the DNS query to 10.0.0.10 and can see it appearing on the VM as follows:

Without SNAT

19:01:09.559313 IP 10.0.0.1.64843 > linux1.domain: 10311+ [1au] A? www.pwei.org.uk. (44)

With SNAT automap

19:03:07.364072 IP 10.0.0.101.50310 > linux1.domain: 47897+ [1au] A? www.pwei.org.uk. (44)

As you can see both of these are from 10.x, which will not work as the VM will answer this down its default gateway (which is on a different interface on the VM).

I think the DNS query would have to come from the 192.168.33.0/24 network for this to work.

Thoughts?

Thanks

Brett

I am happy to know that my earlier response helped you to get an understanding of SNAT.

Moving ahead,

1. Can you please provide the configuration done on the VS and also the routes present on the F5.

2. On your point about having the DNS query come from subnet 192.168.33.0/24: this is one approach, but one question here, do the DNS servers know the F5 subnet (10.0.0.x)? What are the routes on the servers/VMs?

Also, as it's a Linux VM, can you please check iptables on it, if any?

Mayur

1. Virtual server config pasted below:

show running-config ltm virtual

ltm virtual VS1-10.0.0.10-TCP {
  description VS1-TCP
  destination 10.0.0.10:domain
  ip-protocol tcp
  mask 255.255.255.255
  pool Pool1
  profiles {
    tcp { }
  }
  source 0.0.0.0/0
  source-address-translation {
    type automap
  }
  translate-address enabled
  translate-port enabled
  vs-index 4
}
ltm virtual VS1-10.0.0.10-UDP {
  description VS1-UDP
  destination 10.0.0.10:domain
  ip-protocol udp
  mask 255.255.255.255
  pool Pool1
  profiles {
    udp { }
  }
  source 0.0.0.0/0
  source-address-translation {
    type automap
  }
  translate-address enabled
  translate-port enabled
  vs-index 3
}

Below is the routing table on the F5 using netstat -nr:

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
127.1.1.0       0.0.0.0         255.255.255.0   U       0 0        0 tmm
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0        0 internal
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
192.168.33.0    0.0.0.0         255.255.255.0   U       0 0        0 external
192.168.59.0    0.0.0.0         255.255.255.0   U       0 0        0 HA
127.7.0.0       127.1.1.253     255.255.0.0     UG      0 0        0 tmm
127.20.0.0      0.0.0.0         255.255.0.0     U       0 0        0 tmm_bp
0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0

The DNS servers have two interfaces (one shown below as an example):

eth0: 192.168.1.20/24, gw 192.168.1.254. This is a bridged network on the laptop, connected also to the management interface of the F5 (192.168.1.110).

eth1: 192.168.33.20/24, no gw. This is a host-only network on the laptop, also connected to the F5 (192.168.33.10).

There is no iptables running on the Linux VMs.

Below is the routing table on the VM using netstat -nr:

Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG      0 0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
192.168.33.0    0.0.0.0         255.255.255.0   U       0 0        0 eth1

So as you can see the Linux VMs do not know about 10.x.

My aim is to get this working as simply as possible (it's just a lab) but also in a way that would typically be done in production.

Thanks again for your help, I really appreciate it.

Brett

I do not see any issues with the VS configuration, but yes, there is an issue with the reverse traffic from the VM to the F5. You can achieve connectivity either by having one NIC of the VM in subnet 10.x, or by adding a Self IP on the F5 which will be in subnet 192.168.33.x. And add the required routes.

This way the return path for the traffic will be clear.

Mayur
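The return-path problem discussed in this thread (the SNAT explanation, Brett's observation that the query would have to come from 192.168.33.0/24, and the final suggestion of a Self IP in that subnet) can be checked from the two routing tables posted above without touching the lab. The script below is an added example, not code from the thread or from F5: it parses the `netstat -nr` output as posted, does a longest-prefix match the way the kernel does, and reports which interface the VM's DNS answer would leave on for a given query source address. The query sources are the two tcpdump captures (10.0.0.1 without SNAT, 10.0.0.101 with automap) and the F5's 192.168.33.10 Self IP from Brett's interface description; `eth1` is assumed to be the VM interface that faces the F5 because that is where 192.168.33.20/24 lives.

```python
import ipaddress

# Routing tables copied from the netstat -nr output posted earlier in the thread.
VM_ROUTES = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0 0      0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0 0      0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0 0      0 eth0
192.168.33.0    0.0.0.0         255.255.255.0   U     0 0      0 eth1
"""

F5_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
127.1.1.0       0.0.0.0         255.255.255.0   U     0 0      0 tmm
10.0.0.0        0.0.0.0         255.255.255.0   U     0 0      0 internal
192.168.1.0     0.0.0.0         255.255.255.0   U     0 0      0 eth0
192.168.33.0    0.0.0.0         255.255.255.0   U     0 0      0 external
192.168.59.0    0.0.0.0         255.255.255.0   U     0 0      0 HA
127.7.0.0       127.1.1.253     255.255.0.0     UG    0 0      0 tmm
127.20.0.0      0.0.0.0         255.255.0.0     U     0 0      0 tmm_bp
0.0.0.0         192.168.1.254   0.0.0.0         UG    0 0      0 eth0
"""


def parse_netstat(text):
    """Parse 'netstat -nr' output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header lines; route lines start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route the kernel picks for a packet to dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def reply_path(routes, query_src, f5_facing_iface):
    """Describe where the DNS server sends its answer to a query from query_src.

    The answer returns through the F5 only if it leaves on the interface that
    is on the same subnet as the F5's Self IP (f5_facing_iface, assumed eth1).
    """
    match = lookup(routes, query_src)
    if match is None:
        return {"iface": None, "via": None, "returns_to_f5": False}
    net, gw, iface = match
    return {
        "iface": iface,
        "via": str(gw) if gw else "direct",
        "returns_to_f5": iface == f5_facing_iface,
    }


if __name__ == "__main__":
    vm = parse_netstat(VM_ROUTES)
    f5 = parse_netstat(F5_ROUTES)
    # The F5 reaches the pool member through this interface/VLAN.
    print("F5 -> 192.168.33.20 leaves via", lookup(f5, "192.168.33.20")[2])
    # Query sources seen in the thread's captures plus the external Self IP.
    for src in ("10.0.0.1", "10.0.0.101", "192.168.33.10"):
        print(f"query from {src:<14} -> answer via", reply_path(vm, src, "eth1"))
```

For both 10.x sources the VM's only matching route is the default via 192.168.1.254 on eth0, so the answer never comes back to the F5's data-plane VLAN; a query sourced from 192.168.33.10 matches the connected 192.168.33.0/24 route on eth1 and returns directly to the F5. That is the same conclusion Mayur reaches: either put a VM NIC in 10.x (adding a route the VM currently lacks) or SNAT from a Self IP in 192.168.33.x. The parser is useful beyond this thread for any two-table return-path check; swap in your own `netstat -nr` output and the address you intend to SNAT from.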