I have yet to get our appplication (product from standard networks) to source the the client IP address for auditing purposes. Application only works when SNAt is disabled. Is it possible to use the Big-IP as a router? Thanks.. I'm reaching!!!

Hi, The BIG-IP can route traffic without performing source address translation. Under the most common configurations, the BIG-IP would route symmetrically (ie the request and the response both go through the BIG-IP). To route symmetrically, if you don't have the BIG-IP perform address translation, the destination of the traffic needs to have a route to the source which goes through the BIG-IP. Typically you do this by setting the web server's default gateway to the floating IP on the server's VLAN. If you don't want to translate the source address, you can create a wildcard virtual server with SNAT disabled. If you want to specify a router or pool of routers, you can use a Forwarding IP VIP. If you want to just forward the requests according to the BIG-IP's routing table, you can use a Performance Layer 4 VIP. If you want to have the BIG-IP just forward asymmetrically, you can enable loose initiation and loose close on the FastL4 profile for your VIP. BIG-IP won't add the connections to its connection table. Take a look at the config guide for your version of LTM on AskF5 for more detail or reply here. Aaron

I have a couple loadbalanced windows servers configured with their defaultroute set to the BigIP's floating IP - works great except for when they attempt the mothership and it fails because the BigIP is not forwarding or returning the outbound packets and windows can't get its updates. We've added a few persistent routes so these nodes can route Microsoft traffic around the BigIP - but MS changes their IP nets all the time so this fails after a while. What is the best way (least disruptive) to allow the BigIPs to route this type of traffic? thanks, Fletch.

You could add a network virtual forwarder with address 0.0.0.0/0.0.0.0 specified to the tcp port that the servers phone home on, and enable it only on the vlan to which the servers are connected.

I tried your idea - this should have allowed 443 to pass - but its not...: virtual fwd65NetHTTPS { destination any:https ip forward ip protocol tcp translate service disable profile fastL4 vlans int65 enable } see anything wrong there? thanks

Do you have a route to the destination you're trying to hit?

Using Big-IP as a router

14 Replies

Hamish
Cirrocumulus
Jan 04, 2012
Make sure you remove the 'Reset on Timeout' option (Default is enabled on the default profiles) when setting loose open/close... Otherwise when the connection table entry expires you'll get the connections reset for you :)

And yes. You'll need a 0.0.0.0/0 network VS before traffic will pass**

H

** or a SNAT. But I don't like them for routing (Or much at any time unless really really necessary).
nitass
Employee
Jan 04, 2012
whats the today preferred settings if I (for example) just want to use the F5 as a router (or rather the case is to merge a Cisco-router and F5 into a single device)?just in case you have not yet seen this sol.

sol7595: Overview of IP forwarding virtual servers (Emulating stateless IP routing with BIG-IP LTM forwarding virtual servers)

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
mikand_61525
Nimbostratus
Jan 08, 2012
Thanks for the replies... seems like there are a bunch of outdated technotes out there.

What I have done so far (and initial tests shows that the packets (so far) is sent in right direction(s) :P) is to create a vserver (type:forwarding ip) with net/mask 0.0.0.0/0 acting on any protocol and create a custom fastL4 profile that has reset on timeout disabled along with loose open (and close) enabled.

Then did the same as above but acting on udp as protocol and a custom fastL4 profile for that also similar to above with the addition of state timeout set to 5 seconds instead of default 300.

So now I have two vservers:

VS_ROUTE

VS_ROUTE_UDP

Ohh and finally setup the static (or whatever) routes one need in the network part...

And thats it? :-)

Looking at the different types one can setup your vserver to I found "stateless" in v11.1 which isnt mentioned in the help-pages.

How does "stateless" differ from "forwarding ip" for what I want to do (at a first glanze one could think that stateless is a more optimized version of forwarding ip since I want the F5 to route the packets and not touch them at all (except for packets directed to other vservers))?
nitass
Employee
Jan 09, 2012
these are only information about stateless virtual i found.

UDP performance

This release provides UDP performance improvements through use of the Stateless virtual server type.

Release Note: BIG-IP LTM and TMOS version 10.2.3

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

Stateless

A Stateless virtual server improves the performance of UDP traffic in specific scenarios. (v. 10.2.2 and later)

sol12272: Overview of virtual server types for BIG-IP version 10.x

http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12272.html

Forum Discussion

Using Big-IP as a router

14 Replies

Recent Discussions

F5 ASM logging profile to specify source IP

Portal Access to HTTPS resources slow

Cannot login to Avaya wanx using f5 apm network access

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

How to install lets encrypt on BIG IP

BIG IP VE FastL4

BIG IP 201 Cert

BIG-IP i2600 OS Versions

BIG IP VE on a single network