one-arm mode load balancing without snat?

Question

Hi,&nbsp;
 &nbsp;
I have a customer that wants to deploy one-arm mode due to high demand in management traffic of the nodes.  the nodes would have static routes to management networks and a default route to the F5 BIG-IP.&nbsp;
the nodes would still receive load balanced traffic from the internet.  which would go through the BIG-IP.  return traffic to the internet would also go through the BIG-IP because the nodes have a DG going to the BIG-IP self IP.&nbsp;
I guess a good way to describe this is a "hybrid" topology&nbsp;
one-arm mode because the virtual server is on same vlan as NODES.&nbsp;
routed mode because the nodes use the BIG-IP as the default gateway.&nbsp;
 &nbsp;
I have somewhat attempted this configuration but I see traffic is not forwarded from virtual server to the pool.  is snat required one using one VLAN for all traffic?&nbsp;

what_lies_bene1 · Answer

Yes, SNAT is required for one-arm mode. However, I'm not sure what you've described is one-armed mode. Are the Virtual Server and the connecting clients (from the Internet) all in the same VLAN/IP subnet. Are the client source IPs source NATted before they reach the VS?

nitass · Answer

I have somewhat attempted this configuration but I see traffic is not forwarded from virtual server to the pool. you should see traffic (e.g. syn) to pool even snat is not enabled. the problem will happen if client is in the same vlan/subnet as virtual server/node because return traffic will be sent directly from node to client.

symtex_22198 · Answer

the connecting clients are in remote networks they are not local. 
&nbsp;  
&nbsp; the client IPs are not source NATted before they reach the VS.   The VS will only have to send the traffic to the default gateway. 
&nbsp;  
&nbsp; nitass: 
&nbsp;  
&nbsp; I don't SYNs being forwarded to the pool which is kind of confusing.   seems to be configured correctly.  I ran it through ihealth and it looks ok.   none of the app requests are local they are from remote networks.

nitass · Answer

don't SYNs being forwarded to the pool which is kind of confusing. seems to be configured correctly. I ran it through ihealth and it looks ok. none of the app requests are local they are from remote networks.what tcpdump command did you run to verify? was it something like this? 
&nbsp;  
&nbsp;  tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y 
&nbsp; x.x.x.x is virtual server ip 
&nbsp; y.y.y.y is pool member ip

symtex_22198 · Answer

I used

tcpdump -n -i appvlan host x.x.x.x or host y.y.y.y 
even though SNAT was disabled I still should have seen the traffic to the pool member.

Forum Discussion

one-arm mode load balancing without snat?

10 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

One-Arm Mode Migration

SSL Orchestrator Advanced Use Case: One-Armed Mode

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

SNAT is not working in a one-arm configuration.

one-arm scenario, external network?