Hosted environment - Multiple VLANs outbound routing

Question

Having an issue where we cannot make outbound connections from the servers behind an F5 BIG-IP LTM.  The setup is as follows: 
&nbsp;  
&nbsp;  
&nbsp; | 
&nbsp; | VLAN: 224 (10.22.4.5 / 10.22.4.4  
&nbsp; | External Port: 1.1 
&nbsp; | 
&nbsp;  
&nbsp; | 
&nbsp; | Internal POrt: 1.3 
&nbsp; | VLAN: 222 (10.22.2.5 / 10.22.2.4  
&nbsp; | 
&nbsp;  
&nbsp; | Web server 1 = 10.22.2.11 
&nbsp; | 
&nbsp;  
&nbsp; (1). I've created an inbound Virtual Server to load balance HTTP, HTTPS   
&nbsp; (2). I've created an inbound Virtual Server to access the individual servers on TCP:3899 (RDP) this works 
&nbsp; (3). I've created an outbound Wildcard Virtual Server, enabled on VLAN 222 and forward to last hop VLAN 224 to the firewall.   
&nbsp; (4). I've Allowed All on the self ips 
&nbsp;  
&nbsp; I cannot connect to the Internet outbound (for the purpose of downloading patches).  Once I've added a route, I do see outbound traffic to the internet from 10.22.2.11 but cannot return. 
&nbsp;  
&nbsp; What do I have set wrong?  Also, I expect that the web server should "nat" to a 10.22.4.xx address outbound, as the firewall is configured to allow outbound traffic from this space. 
&nbsp;  
&nbsp; Thanks for your help in advance! 
&nbsp;

jrahm · Answer

do you have snat automap or a snatpool assigned to your wildcard virtual server?  If not, your firewall is probably dropping the traffic as the source of the traffic will be the web server 10.22.2.* address.

johnczerwinski_ · Answer

I don't either one defined for the VS.  I'm basing my solution off the "LTM: Per-VLAN Default Gateway".  Would I need to do the following: 
&nbsp;  
&nbsp; SNAT Pool 10.22.4.11 (outside) / 10.22.2.11 (inside) for the specific server?

jrahm · Answer

You could create a 1:1 relationship for your servers, or you could define a snatpool that would map each server vlan to an address.  Since you have indicated hosting more than one set of servers in potentially many vlan's, I'd take the snatpool approach as you might run out of addresses in the 10.22.4/ network.  Your specific example should work fine.

johnczerwinski_ · Answer

I've got it to work now, but it caused another issue.  I have a Virtual Server 10.21.4.11 (external) pointing directly to a server on the internal network (10.21.2.11).  I set this up to access it directly with RDP.  The connection works initially, but when it times out I cannot re-establish a RDP session.  I've done a tcpdump and watch the session come in from the client but the F5 Virtual server will not respond...until I reset the virtual server configuration...(i.e. force a "enabled on" vlan change).  This seems to re-set some and it comes up again for a while. 
&nbsp;  
&nbsp; Any clue?

johnczerwinski_ · Answer

Here's a sample of the tcpdump 
&nbsp;  
&nbsp; 17:44:21.940965 10.0.0.4.1493 &gt; 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535  (DF) 
&nbsp; 17:44:24.734009 10.0.0.4.1493 &gt; 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535  (DF) 
&nbsp; 17:44:30.848677 10.0.0.4.1493 &gt; 10.21.4.11.3389: S 3555809265:3555809265(0) win 65535  (DF) 
&nbsp; 17:44:41.577974 10.0.0.4.1489 &gt; 10.21.4.11.3389: FP 1:29(28) ack 1 win 65535 (DF) &nbsp;

Forum Discussion

Hosted environment - Multiple VLANs outbound routing

7 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment

Multi-Stores Citrix environment BIG-IP APM

iRules Development Environment

Create isolated environment for internal and external networks

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB