Design / Traffic Flow Question

Question

Hi,We have an Internal LTM which has a virtual server for a proxy server.&nbsp;The Virtual server is 10.20.20.100 and it has a pool member which it forwards traffic to on 10.20.30.70.&nbsp;&nbsp;&nbsp;The LTM source NATs traffic when it forwards it to the pool member.&nbsp;&nbsp;&nbsp;The issue is that the proxy (10.20.30.70) is then configured to forward traffic to another LTM in our DMZ - 10.100.152.100.  So when it does this it sends its traffic to its default gateway to reach the destination of 10.100.152.100.&nbsp;&nbsp;&nbsp;So basically the Internal LTM forwards traffic to the proxy, but the return traffic does not flow back through the LTM because the proxy uses its default gateway (which is not the LTM) to reach the DMZ LTM.&nbsp;&nbsp;&nbsp;So my question is, should we be configuring the proxy to use the Internal LTM as its default gateway to make sure all return traffic flows back through the LTM?&nbsp;&nbsp;&nbsp;Or perhaps we could configured another VIP on the internal LTM (in the same subnet as the proxy) with the DMZ LTM as a pool member and configure the proxies to send traffic to that, instead of directly to the 10.100.152.100 address.&nbsp;&nbsp;&nbsp;Or is it OK for return traffic to bypass the internal LTM?&nbsp;

hamish · Answer

Ah... You either need to have the proxy use the LTM that's LB'ing it as the default gateway OR use SNAT on that VS... (Ignoring n-path) 
&nbsp;  
&nbsp; Which is better? Well... I dislike SNAT. But mainly for debugging reasons. Sometimes you have no choice. But I try to plan for never needing it. 
&nbsp;  
&nbsp; H

luca_55898 · Answer

We do use SNAT - this NATs the source to the egress interface on the LTM.

The issue is that when the proxy gets the traffic it will forward to a new destination IP.

So even though the LTM SNATs using its floating IP, the Proxy forwards to a new IP, outside of the subnet and hence bypasses the LTM due to the default gateway not being the LTM.

If the proxies use the LTM as their default gateway the LTM would need to have some more routing smarts that is currently configured on our one.

hooleylist · Answer

The issue is that when the proxy gets the traffic it will forward to a new destination IP. 
&nbsp;  
&nbsp; But the source IP should either be the proxy if it does source address translation or the LTM SNAT IP.  Either way, shouldn't LTM get the response?  Is it possible that the reply does come back to LTM, but on a different VLAN or something like that? 
&nbsp;  
&nbsp; Aaron

luca_55898 · Answer

Yes, when traffic gets to the proxy the source IP will be the LTM.  I can confirm this with TCP Dumps 
&nbsp; However, from my firewall logs i see that when traffic is forwarded to the DMZ LTM - (10.100.152.100) the source IP is that of the Proxy.  I would of thought that the source IP would be the F5.  
&nbsp;  &nbsp;

hooleylist · Answer

So shouldn't the server respond back to the Proxy and the Proxy reply back to LTM? 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Design / Traffic Flow Question

7 Replies

Recent Discussions

Pricing when used with aws waf

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Related Content

DNS/iQuery Question - Design Consideration

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1

Decision box design using js