Forum Discussion

Tom_De_Boeser_1
Jun 24, 2014

Per-VLAN default gateway ( or, allowing access for hosts behind the LTM )

So I'm looking for a way (per-VLAN default GW or otherwise) to allow hosts behind an LTM, with multiple VLANs, to have internet access for updates, etc.

 

I found this article, and this video, and thought it fits my needs just about perfectly.

 

Well, I've been through a few iterations of the config and I can't get it to work. So this is what I have (I'm trying to get one VLAN/side working before moving on to configuring the other VLANs):

 

  • LTM 5000s (two in active/active HA), BIG-IP 11.4.1 Build 637.0 Hotfix HF3
  • 2 Windows 2008 R2 on HP DL380 with 2 Intel Xeons and gobs of memory running a Tomcat-powered application.

 

  • Servers are on VLAN-A in subnet 10.31.57.x (57.103, 57.104) with the default gateway being the floating self-IP of the F5 (59.202).
  • VLAN-X is a routable network address xxx.xxx.217.xxx, self-IP is 217.181, the GW is 217.129
  • Created a wildcard VS on VLAN-A with 217.129 GW as a pool member.
  • Enabled SNAT using 217.172
  • Created forwarding VS on VLAN-X to allow traffic back to the 10.31.57 subnet

tcpdumps on VLAN-A reveal that 57.103 attempts to go to yahoo.com, and tcpdumps on VLAN-X show the SNAT going to and from the 217.172 address. Automap gives the same results.

 

(snippets are not in sync)

 

08:27:36.005258 IP 98.139.183.24.http > 10.31.57.103.50587: R 0:0(0) ack 1 win 8192 out slot1/tmm7 lis=/Common/forwarding_vs flowtype=65 flowid=570661B61B00 peerid=570661B60B00 conflags=400CA4 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:628BB718 peerlocal=00000000:00000000:0000FFFF:97BCD9B5 remoteport=80 localport=50587 proto=6 vlan=4090
08:27:36.005884 IP 10.31.57.103.50588 > 98.139.180.149.http: S 1984152259:1984152259(0) win 8192 in slot1/tmm2 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

 

08:31:24.393004 IP 98.139.180.149.http > 151.188.217.172.50603: R 0:0(0) ack 1 win 8192 in slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:24.907433 IP 151.188.217.172.50603 > 98.139.180.149.http: S 160770431:160770431(0) win 8192 out slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:24.907536 IP 98.139.180.149.http > 151.188.217.172.50603: R 0:0(0) ack 1 win 8192 in slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:25.697439 802.1d unknown version

 

Note: load balancing involving these systems works.

 

I know I didn't give actual configs; I can give more detail, but I thought this would be a good start.

 

Again, I really just need the hosts behind the F5 to have internet access for web and windows updates.

 

Thanks

 

5 Replies

  • Don't really understand what you are doing here. The default gateway on the F5 should be pointing to the Internet. Define a 0.0.0.0 VS on all ports, disabled on the Internet-facing VLAN, with SNAT automap. Every single internal VLAN should now have access to the Internet if their default gateway points to the F5 floating IP address in their VLAN. Traffic will traverse the F5 and follow the default route.

     

  • Did you build a forwarding virtual for TCP and UDP if needed? For the servers to open internet connections you need a forwarding virtual server listening on the server VLAN for any port/any address, to allow the servers' requests to be sent out to the F5's default gateway. The F5 default gateway should be a router and the router should know how to get to the internet. The Internet response should take the same path back to the server using the network routing, as long as the routers have a route to the server VLAN by way of the self IP on the F5 where the F5's default gateway lives, so the response returns on the same VLAN it egressed the F5.
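The setup the two replies above describe, written out as a tmsh configuration. This is an added example, not the poster's config or anything from F5 documentation; the VLAN names, the 203.0.113.x addresses standing in for the page's xxx.xxx.217.x network, and the 10.31.57.202 floating self-IP are constructed values.

```tmsh
# Added example, not the poster's configuration. Constructed values:
#   vlan-a = internal server VLAN, 10.31.57.0/24, floating self-IP 10.31.57.202
#   vlan-x = Internet-facing VLAN, upstream router 203.0.113.129 (stands in for 217.129)

# 1. The BIG-IP's own default route: points at the router on the Internet-facing VLAN,
#    so forwarded traffic "follows the default route" as the first reply says.
net route /Common/default {
    gw 203.0.113.129
    network default
}

# 2. Catch-all forwarding virtual server: any destination, any port,
#    listening ONLY on the internal VLAN, with SNAT automap so the upstream
#    router answers to the egress self-IP instead of to 10.31.57.x.
ltm virtual /Common/vs_outbound_forward {
    destination /Common/0.0.0.0:0
    mask any
    ip-forward
    # limit which sources may be forwarded (least privilege); 0.0.0.0/0 is the default
    source 10.31.57.0/24
    profiles {
        /Common/fastL4 { }
    }
    # "vlans-enabled" plus listing only vlan-a is the same as
    # "disabled on the Internet-facing VLAN": nothing arriving on vlan-x hits this VS
    vlans {
        /Common/vlan-a
    }
    vlans-enabled
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
}
```

Load it with `tmsh load sys config merge file /var/tmp/outbound.conf` and check the listener with `tmsh show ltm virtual vs_outbound_forward`. Because of automap the upstream router only ever sees the vlan-x self-IP, so the return route to the server VLAN mentioned in the second reply is only required when SNAT is switched off.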

     

  • The usual forwarding VS didn't work (initially or now); checking with tcpdump gives me the same/similar result. Everything looks to be working, requests go out, responses come back - just not to the host.

     

    This is why I was looking into the "Per-VLAN default gateway", thinking maybe separating the VLANs with their own gateways would allow this to work.

     

    So in both cases I have a conversation but no results at the host.

     

  • Are you using a virtual type of Forwarding IP or Standard? We use Standard and associate a pool with it that has the firewall. The firewall provides the access to the internet.

     

  • Arg!

     

    I've been working with our router guys. They tell me outgoing connections should have access. But I put a server directly on the outside VLAN borrowing a VS IP and got "connection refused" immediately.

     

    Thanks for the help...