application routing
3 Topics

BIG-IP in DMZ - Reverse traffic to public subnets clarification
Hi guys, Please help with understanding routing on a BIG-IP LTM device. We are using quite an old version on the box - 10.2.4. The problem we are having is related to traffic flows from the border firewall, which is connected to the public subnet and the F5 load balancer. We are experiencing connectivity problems from outside to the server pool behind the load balancer after we perform a switchover operation on the firewall cluster from the primary to the secondary node. Both firewall devices are in sync, so they are using the same configuration, and during switchover the secondary device just takes the VIPs from the primary. I suspect that the issue lies on the LTM side. What I can't understand right now is how BIG-IP is returning traffic back from the pool to the clients in the Internet if the load balancer is in the DMZ already (it doesn't have public IPs assigned). The border firewall performs NAT translation for the destination IP address, leaving the clients' public IPs unchanged. This changed packet is reaching the LTM vServer in VLAN20 (please take a look at the attached diagram) and, based on the vServer settings, traffic is directed to the POOL of Web servers with the source changed to the self-IP of the LTM (because of the SNAT automap config). But the reverse path is not clear. Traffic is forwarded to the LTM, which in its turn will substitute the original public IP address of the Internet client. What then? Will traffic be directed based on the routing table? But in that case asymmetric routing will happen, because in our case the default route is pointing to a different VLAN.

Here is our vserver config:

ltm virtual VS_VSERVER {
    destination 10.0.20.150:https
    ip-protocol tcp
    mask 255.255.255.255
    partition APP20
    persist {
        TST_cookiePersistence {
            default yes
        }
    }
    pool POOL_WEB1
    profiles {
        TST_http_headerSource { }
        example.com {
            context clientside
        }
        tcp { }
    }
    rules {
        TST_redir
    }
    snat automap
}

Thank you very much!

Working without SNAT to see original client IP
Hi, In order to see the original client IP accessing a pool member from the WAN, I've disabled SNAT. Then, because of asymmetric routing, the connection stopped working, so I've set the pool member server's (Windows server) DG IP address to be the F5 internal IP of that specific VLAN. Then the connection was working again and I could see the original client IP accessing the pool member, but I lost connectivity to that server from my workstation, since the routing to that VLAN in our LAN environment is done via our backbone switches / FW. How can I keep the above configuration (no SNAT, DG of the pool member is the F5 IP instead of our FW IP) and still have access to that server inside the LAN? Thank you.

Virtual Server using external site as pool member, routing problem?
I believe my issue is pretty straightforward, but I'm not able to get it going. I'm not able to use an external host (a host that my F5 does not have direct access to via one of its VLANs) as a pool member. No issues when using any hosts on any of the different VLANs connected directly to the F5. I imagine the virtual host doesn't know how to route out of the network to access the external host; I'm just not sure where exactly I should be defining a "Default Gateway" for the F5 to route things?