Default gateway other than F5

Question

With SNAT AutoMap disabled and using route domains, is it possible to have a default gateway on common load balanced servers/nodes behind the F5 as something other than that of the F5 floating IP address -? The DG is a HSRP address from the router.&nbsp;
Is anyone able to also give me a better understanding of the traffic flows to understand how this solution would work?&nbsp;
Here’s an example:&nbsp;
                       ===internet===                                                ===private network===&nbsp;
                    =Firewall with NAT=                               =Firewall with 1:1 NAT Cust:Internal =&nbsp;
                                     |                                                                               |&nbsp;
                               VLAN 10                                                                 VLAN 20&nbsp;
                                     |                                                                                |&nbsp;
    ------------ F5 LTM Partition 1-------------------                   -------- F5 LTM Partition 2---------------------------&nbsp;
    - VS 192.168.10.1%1                                   -                    - VS 192.168.20.1%2                                       -&nbsp;
    - Self/Outside A 192.168.10.11%1            -                     - Self/Outside A 192.168.20.11%2                -&nbsp;
    - Self/Outside B 192.168.10.12%1           -                     - Self/Outside B 192.168.20.12%2                -&nbsp;
    - Floating/Outside 1 192.168.10.10%1    -                     - Floating/Outside 2 192.168.20.10%2        -&nbsp;
    - node 1 192.168.30.50%1                         -                     - node 1 192.168.30.50%2                             -&nbsp;
    - node 2 192.168.30.51%1                         -                     - node 2 192.168.30.51%2                             -&nbsp;
    - Self/Inside 1 192.168.30.10%1/MAC A  -                     - Self/Inside 3 192.168.30.13%2/MAC D      -&nbsp;
    - Self/Inside 2 192.168.30.11%1/MAC B  -                     - Self/Inside 4 192.168.30.14%2/MAC E       -&nbsp;
    - Floating/Inside 1 192.168.10.12%1/MAC C -              - Floating/Inside 2 192.168.30.15%2/MAC F -&nbsp;
   --------------------------------------------------------------              --------------------------------------------------------------&nbsp;
                                                         |                                                                 |&nbsp;
                                                         ---------------------------------------------------&nbsp;
                                                                                        |&nbsp;
                                                                                VLAN 30&nbsp;
                                                                                        |&nbsp;
                       ==Server 1 (192.168.30.50)==             ==Server 2 (192.168.30.51)==&nbsp;
                            ==DG 192.168.30.254==                     ==DG 192.168.30.254==&nbsp;
                                                   |                                                              |&nbsp;
                                                  ---------------------------------------------------&nbsp;
                                                             HSRP 192.168.30.254&nbsp;
 &nbsp;
Routes:&nbsp;
Anything to ‘private network’ route via 192.168.30.15&nbsp;
Anything to ‘internet network’ route via 192.168.30.12&nbsp;
 &nbsp;
This example may somewhat defeat the purpose of route domains, but we are using them in this particular solution for customers in a multi tenanted environment accessing services from two unique paths, which we are trying to secure as an audit requirement (separation of internet and private traffic).&nbsp;

what_lies_bene1 · Answer

I assume this should be - Floating/Inside 1 192.168.30.12%1/MAC C. 
&nbsp;  
&nbsp; Anyway, can you not just use static routes on the servers for each address range (internet and private) and point those at the relevant floating IP?

will_f_98397 · Answer

Yeah sorry, that is a typo. 
&nbsp;  
&nbsp; Wanted to avoid static routes on the servers.

what_lies_bene1 · Answer

Well the only way I can see you doing that is by routing to the F5 via .254 it's not optimal but...

will_f_98397 · Answer

If I put the common components into its own routing domain (dropping it down to only one set of inside addresses), set the DG on the servers to that floating and maybe disabled strict isolation on that new rd, what would be the behaviour then? Would the LTM route correctly?

what_lies_bene1 · Answer

I thought you didn't want the F5s as the default gateway?

Forum Discussion

Default gateway other than F5

8 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

LTM: Per-VLAN Default Gateways

SSL-VPN - Route all traffic NOT via the default gateway but via the CUSTOM gateway

Using BIG-IP Kubernetes Gateway API Controller

Get Started With Kubernetes SIG Gateway API