I want to build a multi-tenant web hosting environment. To keep things simple, I want to have multiple external VLANs (one VLAN and one /24 per customer) and only one internal VLAN. The servers are situated behind other internal firewall zones. I would like to keep one interface of the internal firewall connected logically to my LB on the internal VLAN, and the ingress interface toward the servers configured with sub-interfaces. The SNAT pool can be automap, or we can use a SNAT pool from the internal VLAN subnet range. The pool members for each customer belong to a separate /24. The question is whether it is possible to have traffic from multiple external VLANs going to a single internal VLAN, for both forward and reverse traffic from the servers. Below is a sample configuration for one customer. For every other customer we have a separate external subnet and a separate pool member subnet.
Customer will type www.abc.com in their browser
ABC.com (Registered to public IP/DNS) (22.214.171.124)
Interface facing external public IP ?
Interface facing to internal network 10.10.10.1
Will hit the perimeter firewall and get translated to 10.10.10.10 (VIP for abc.com). The firewall will forward traffic to the internal interface facing the LB.
LB external interface 10.10.10.254
VIP (abc.com) 10.10.10.10 (Tagged interface to carry multiple external VLANs, one per customer)
Internal Interface 192.168.1.254 (This interface can be built as an untagged interface and the switch port will be an access port)
Pool Members (Cust web servers): (126.96.36.199-188.8.131.52)
A static route is to be added to reach network 184.108.40.206/24 via 192.168.1.1
SNAT automap can be used, which will vary the interface address .254, but it is restricted to 65000 sessions. We can reserve 10 IPs from the 192.168.1.0/24 network to use as a SNAT pool by monitoring the total number of sessions.
interface facing LB 192.168.1.1
Interface facing servers 220.127.116.11
Servers to have a static route to reach the 192.168.1.0/24 network via 18.104.22.168
What is the software version?
"The[ir] question is if it is possible to have traffic from multiple external vlans and going to single internal vlan for both forward and reverse traffic from servers."
We have several data centers with F5s operating in a similar fashion: multiple external VLANs to multiple internal VLANs (however, one VLAN in particular is most used). We use SNAT pools, but since you only have one internal VLAN, automap should be okay. No issue with carrying multiple VLANs; we actually carry both external and internal on the same trunk (F5-on-a-stick). A static route to get to 22.214.171.124/24 is a must.
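The design from the question and the confirmation above, rendered as tmsh commands. This is an added example, not configuration from the thread; customer abc's addresses come from the question, while the trunk interfaces (1.1, 1.2), the second customer (ext_cust2, 10.10.20.0/24) and both server /24s (172.16.1.0/24, 172.16.2.0/24) are constructed stand-ins.

```tmsh
# Constructed example: two customers on their own tagged external VLANs,
# both reaching one untagged internal VLAN toward the internal firewall.

# External VLANs: one 802.1Q tag per customer on the same trunk port (assumed 1.1)
create net vlan ext_abc   interfaces add { 1.1 { tagged } } tag 101
create net vlan ext_cust2 interfaces add { 1.1 { tagged } } tag 102
# Single internal VLAN, untagged (switch side is an access port)
create net vlan internal  interfaces add { 1.2 { untagged } }

# Self IPs with port lockdown "none": the self IPs accept no management traffic
create net self ext_abc_self   address 10.10.10.254/24  vlan ext_abc   allow-service none
create net self ext_cust2_self address 10.10.20.254/24  vlan ext_cust2 allow-service none
create net self int_self       address 192.168.1.254/24 vlan internal  allow-service none

# One static route per customer server /24, all via the internal firewall (192.168.1.1)
create net route cust_abc_servers   network 172.16.1.0/24 gw 192.168.1.1
create net route cust2_servers      network 172.16.2.0/24 gw 192.168.1.1

# SNAT pool carved from the internal subnet; automap would instead source every
# server-side connection from 192.168.1.254 and its single port range
create ltm snatpool snat_internal members add { 192.168.1.240 192.168.1.241 192.168.1.242 }

# Servers see the SNAT address as the client; insert X-Forwarded-For so the
# original client IP still reaches the web server logs
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled

# Per-customer pools
create ltm pool pool_abc   monitor http members add { 172.16.1.10:80 172.16.1.11:80 }
create ltm pool pool_cust2 monitor http members add { 172.16.2.10:80 172.16.2.11:80 }

# Each virtual server is bound to its own external VLAN only, so a customer's VIP
# is not reachable from another customer's VLAN or from the internal side
create ltm virtual vs_abc   destination 10.10.10.10:80 ip-protocol tcp profiles add { tcp http_xff } pool pool_abc   source-address-translation { type snat pool snat_internal } vlans-enabled vlans add { ext_abc }
create ltm virtual vs_cust2 destination 10.10.20.10:80 ip-protocol tcp profiles add { tcp http_xff } pool pool_cust2 source-address-translation { type snat pool snat_internal } vlans-enabled vlans add { ext_cust2 }

# Check: server-side connections should show a snat_internal address as their source,
# which is what lets the reverse traffic route back through 192.168.1.1 to the LB
show sys connection ss-server-addr 172.16.1.10
```

Because every server /24 is routed through 192.168.1.1 and every server-side flow is SNATed into 192.168.1.0/24, the reverse path needs only the single internal VLAN regardless of how many external VLANs are added.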
Automap is enough.