Forum Discussion
The_Bhattman
Jul 05, 2011 (Nimbostratus)
Posted By ltp on 07/05/2011 06:39 AM
After some thought on the matter, I ended up creating an iRule on the wildcard virtual server on the backend VLAN to output some verbose logging for the purposes of gathering information from an LTM perspective.
What I found was that the return traffic from a client directly to a backend node (not via a VIP) was being PBR'ed as expected to the F5 self-IP on the backend node's VLAN. However, because the F5 was unaware of the initial traffic flow (it came via the network and not from the F5), the return traffic flow was seen as a client connection to the F5, with the server being the original requesting client.
The solution was to use an exceedingly simple iRule on the wildcard virtual server for the backend VLAN to set the client nexthop to an F5 self-IP on an "external" VLAN.
Hi Ltp,
I believe I might have misunderstood the reason why you used the PBR. If the goal was to reach the backend node preserving the IP address but not caring about a requirement to route via the switch network directly, then you could do it where you do not need a PBR or SNATing at all. Simply have a route that points to the F5 self-IP on the "external" VLAN to get to the node address block (10.4.0.0/x) and then repoint the node's gateway to the F5 self-IP on the "internal" VLAN. The F5 wildcard virtual IP forwarding would allow the return traffic.
However, I am glad that it worked out for you.
Bhattman