Forum Discussion

David_Dalgaard_
Feb 26, 2014

Tunnel default gateway in APM

Hi guys

I am wondering if there is any way to define a tunnel default gateway (like with Cisco ASA)? I would like to force all VPN traffic from the F5 down to a firewall on the same subnet as the VPN pool. I want this so that I can control access on my firewall, where all other access is controlled as well.

Thanks!

/David

4 Replies

  • Hi,

    In APM there isn't any routing configuration.

    It's linked to your general configuration.

    So if you want to go through your firewall for every request, you have to define a default route in "Network -> Route".

  • Hi Thomas

    Thanks - just what I suspected and what the current solution is. Unfortunately this only works for destinations that are not in the routing table, while directly connected interfaces will mess up the traffic pattern.

    Could route domains be used to provide the users with a "clean" routing table?

    /David

  • Hi,

    What you can do is to define your Self-IP in a different subnet from the one used by your servers.

    Even if you use route domains, it won't change anything, because route domains are there to isolate different virtual servers, for example. You can have different default routes on different route domains, but your problem is still the subnet.

  • Fred_Wittenberg
    Historic F5 Account

    Another option is to configure a layer 4 virtual with a pool as the gateway next hop (example below):

    ltm virtual v4_nexthop {
        destination 0.0.0.0:any
        mask any
        pool 192.168.0.1
        profiles {
            fastL4 { }
        }
        source 192.168.0.128/28
        translate-address disabled
        translate-port disabled
        vs-index 7
    }

    ltm pool 192.168.0.1 {
        members {
            192.168.0.1:telnet {
                address 192.168.0.1
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }

    Alternatively, you can use just a layer 3 forwarding VIP and add the following iRule:

    ltm rule v4_next_hop {
        when CLIENT_ACCEPTED {
            nexthop internal 192.168.0.1
            log local0. "[IP::remote_addr]:[TCP::remote_port] > [IP::local_addr]:[TCP::local_port]"
        }
    }

    Either works fine for sending traffic to a gateway other than what is configured in the TMOS routing table.
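To make concrete why the plain default route from the first reply is not enough (David's point about directly connected interfaces) and what the source-restricted forwarding virtual, or the equivalent `nexthop` iRule, changes, here is a small Python model added to this thread. It is not code from the thread or from F5. It assumes a constructed topology reusing the addresses from Fred's example: VPN clients in 192.168.0.128/28, the inspecting firewall at 192.168.0.1, a default route pointing at that firewall, and a directly connected server VLAN 10.0.1.0/24; route selection is modelled as longest-prefix match, and the forwarding virtual as a source match evaluated before routing.

```python
import ipaddress

# Constructed topology (an assumption for illustration, reusing the addresses from the
# reply above; not a real deployment): VPN clients get addresses from 192.168.0.128/28,
# the inspecting firewall is 192.168.0.1, and the BIG-IP also has a self-IP on a
# directly connected server VLAN, 10.0.1.0/24.
VPN_POOL = ipaddress.ip_network("192.168.0.128/28")
FIREWALL = ipaddress.ip_address("192.168.0.1")

# Routing table entries as (prefix, next hop). A next hop of None is a connected route:
# the self-IP's VLAN, delivered by ARP with no gateway involved.
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), FIREWALL),      # Network -> Routes default route
    (ipaddress.ip_network("192.168.0.0/24"), None),     # connected: VPN-side self-IP VLAN
    (ipaddress.ip_network("10.0.1.0/24"), None),        # connected: server VLAN
]


def route_lookup(dst):
    """Longest-prefix match, the way the TMOS routing table resolves a destination.

    Returns the next-hop address as a string, "connected" for a directly connected
    destination, or "unroutable" when nothing matches (not reachable here because of
    the default route, but kept for tables without one).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTING_TABLE:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        return "unroutable"
    return "connected" if best[1] is None else str(best[1])


def forwarding_virtual(src, dst):
    """Models the 0.0.0.0:any forwarding virtual restricted to source 192.168.0.128/28
    with the firewall as its only pool member (or, equivalently, the CLIENT_ACCEPTED
    iRule calling nexthop for the same traffic).

    The virtual is matched on source and destination before the routing table is
    consulted, so a VPN-pool client always gets the firewall as next hop, connected
    destinations included. Any other source is not matched by the virtual and falls
    through to normal routing.
    """
    src = ipaddress.ip_address(src)
    if src in VPN_POOL:
        return str(FIREWALL)
    return route_lookup(dst)


def bypasses_firewall(src, dst, use_forwarding_virtual):
    """True when a flow from src to dst would reach dst without passing 192.168.0.1."""
    next_hop = forwarding_virtual(src, dst) if use_forwarding_virtual else route_lookup(dst)
    return next_hop != str(FIREWALL)


def routing_only_leaks(clients, destinations):
    """List the (client, destination) pairs that the default-route-only design lets
    reach their destination without inspection; useful as a quick audit of a table."""
    return [(src, dst) for src in clients for dst in destinations
            if bypasses_firewall(src, dst, use_forwarding_virtual=False)]


if __name__ == "__main__":
    # Constructed sample flows: a VPN client to a server on the connected VLAN, the same
    # client to an internet host, and an internal host to the same server.
    for src, dst in [("192.168.0.130", "10.0.1.5"), ("192.168.0.130", "198.51.100.7"),
                     ("10.0.1.20", "10.0.1.5")]:
        print(f"{src} -> {dst}: routing only = {route_lookup(dst)}, "
              f"with forwarding virtual = {forwarding_virtual(src, dst)}")
```

The model shows the two outcomes a practitioner wants to check on a real box: with only the default route, a VPN client's traffic to 10.0.1.5 resolves to the connected route and never sees the firewall, while the source-restricted virtual sends it to 192.168.0.1 and leaves non-VPN sources on the normal routing table.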