Forum Discussion

jyulkbox_48590
Jun 15, 2010

Publicly accessible internal VLAN

Hello,

I'm trying to use Big IP for load balancing SIP servers. Unlike many of the discussions I read here, my setup is such that each server needs to be accessible individually as well as load balanced by Big IP.

All servers are pointing to Big IP as their default gateway (for the load balancing part). With a wildcard virtual server (0.0.0.0:0) configured on all VLANs, Big IP is able to forward any request from the servers to the outside.

The problem arises when an external client tries to access the server directly. For example, when I try to ssh into the server using its IP address (bypassing Big IP), the SYN packet reaches the server, the server sends a SYN/ACK to Big IP, and Big IP sends a TCP RST back to the server. I attached a drawing of this behavior.

Is there a way to make Big IP forward packets even if it's not aware of the "connection"? I thought that's what the wildcard virtual server was supposed to do...

Do you know a way that works?

3 Replies

  • You want to look at "Loose Initiate"

    https://support.f5.com/kb/en-us/solutions/public/5000/400/sol5420.html

    Occasionally, it may be necessary for the BIG-IP Local Traffic Manager (LTM) to pass asynchronous packets from a server. For example, if the BIG-IP LTM is deployed in a one-IP network topology with the node servers configured to use the BIG-IP as their gateway, and a client from a remote network connects directly to the node server (that is, sends a SYN packet directly to the node server), the node server's SYN/ACK response packet will be sent to the client through the BIG-IP LTM. If the BIG-IP LTM is not configured to accept and pass this packet, the packet will be dropped and the connection will fail.

    In order to pass traffic to the client's network, you must configure the BIG-IP LTM with a forwarding virtual server. Typically, you would use a network or wildcard forwarding virtual server.

    To enable BIG-IP to pass the asynchronous SYN/ACK packet, you must enable the Loose Initiation option in the FastL4 profile that is used by the forwarding virtual server.

    Enabling Loose Initiation causes the system to initialize a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation.

    Enabling Loose Initiation on the FastL4 profile

    Note: It is recommended that if you enable the Loose Initiation option, you also enable the Loose Close option. The Loose Close option specifies that the system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server.

    Important: Enabling Loose Initiation can permit stray packets to pass through the system. This can pose a security risk and reduce system performance.

    To enable Loose Initiation on the FastL4 profile, perform the following steps:

    1. From the Configuration utility, click Local Traffic.
    2. Click Profiles.
    3. From the Protocol dropdown tab, click FastL4.
    4. Click the FastL4 profile used by your IP forwarding virtual server.
    5. Check the Enabled checkbox for Loose Initiation.
    6. Check the Enabled checkbox for Loose Close, if desired.
    7. Click the Update button.
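The same FastL4 change expressed as tmsh commands, added here as an example; it is not from this thread or from F5's documentation. It assumes a BIG-IP version that ships tmsh (v10 or later), and the profile name `fastL4_loose_fwd`, virtual server name `vs_fwd_internal` and VLAN name `internal` are placeholders to replace with your own. Beyond the KB steps it enables Loose Close and binds the forwarding virtual server to the server-facing VLAN only, which narrows the stray-packet exposure the Important note above warns about.

```tmsh
# Added example, not from the thread or F5's KB. Assumes tmsh (BIG-IP v10+).
# Profile, virtual server and VLAN names are placeholders.

# 1. Custom FastL4 profile inheriting from the system "fastL4" profile.
#    Loose Initiation lets a flow start on any TCP packet (the node's SYN/ACK);
#    Loose Close tears a loosely-created flow down on the first FIN instead of
#    leaving it in the connection table until the idle timeout expires.
create ltm profile fastl4 fastL4_loose_fwd defaults-from fastL4 loose-initialization enabled loose-close enabled

# 2. Wildcard IP-forwarding virtual server using that profile.
#    vlans-enabled / vlans add restricts it to the server-facing VLAN, so only
#    packets arriving from the nodes are accepted without a SYN; a wildcard
#    enabled on all VLANs would extend Loose Initiation to every interface.
create ltm virtual vs_fwd_internal destination 0.0.0.0:0 mask 0.0.0.0 ip-forward profiles replace-all-with { fastL4_loose_fwd } translate-address disabled translate-port disabled vlans-enabled vlans add { internal }

# 3. Confirm both objects show the intended settings, then persist them.
list ltm profile fastl4 fastL4_loose_fwd
list ltm virtual vs_fwd_internal
save sys config
```

Enter the commands at the tmsh prompt (the lines beginning with `#` are commentary). With the virtual server restricted to the internal VLAN, a TCP packet without a SYN only creates a flow when it comes from the node side, which is where the SYN/ACK in the original question originates. Routing the administrative connections symmetrically through the BIG-IP, as Aaron describes below, removes the need for Loose Initiation altogether and is the preferable arrangement for production.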
  • You could allow this to work using the loose initiate and possibly loose close options on a custom FastL4 profile, but it would be more efficient to configure LTM and the related network devices to route these connections symmetrically. See SOL7229 for details on allowing admin access to hosts behind LTM:

    SOL7229: Methods of gaining administrative access to nodes through the BIG-IP system

    https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7229.html

    One option would be to add a route for your hosts through LTM. This would allow you to use the original host address for the connections. Another option would be to set up one to one VS's. This would require a new IP address on LTM for each host.

    Aaron
  • Thank you very much to both of you!

    I enabled loose initiate on the FastL4 profile and it works very well. Thank you, Chris, for the step-by-step instructions.

    I'm not too worried about efficiency or security at this point since the setup is not for production yet. But when that time comes, we'll probably set up a symmetric route that only goes through Big IP.

    Adding a route through Big IP would be the best. I looked into one-to-one VS's too but would probably not take that option. One-to-one VS's would not be scalable because they have to be configured for each internal server and they use two IP addresses per server. I guess it's useful if you have few servers you want to reach.