Forum Discussion

JeremySch_31598
Aug 07, 2017

Route traffic from all VLANs to a proxy that is on one of the VLANs off of the BIG-IP appliance

I have a BIG-IP appliance with several VLANs configured, each with its own subnet, and the BIG-IP is the gateway for each of these VLANs and their corresponding subnets.

VLAN 10 - Appliance VLAN (10.10.0.0/24)
VLAN 20 - DB VLAN (10.20.0.0/24)
VLAN 30 - Utility VLAN (10.30.0.0/24)

All of the southbound interfaces are trunked and have the VLANs on them.

I have IP forwarding rules that allow traffic from the VLANs out to the Internet. I have a new requirement that I'm trying to figure out how to implement: all of the appliances and databases in VLAN 10 and VLAN 20 need to go out through a proxy that lives in VLAN 30.

Example:

Traffic from 10.10.0.2 must go through proxy server 10.30.0.100 in order to get out to the Internet.

I'm trying to determine the best way to do this.

Any help, direction or advice would be great.

3 Replies

  • Yes, it is a proxy for HTTP/HTTPS only. All other traffic will not be allowed to the Internet (north of the F5s), except for other servers in VLAN 30. Servers in VLAN 30 are allowed out to more than just ports 80 and 443.

    The application servers (VLAN 10), however, still need to be able to talk to the database servers (VLAN 20) on ports other than 80 and 443.

    I think this should work if I create a virtual server with source 0.0.0.0/0 destined to 0.0.0.0/0 port 80 and a duplicate virtual server with destination port 443, then have the virtual servers listen on the VLAN 10 and VLAN 20 interfaces with a pool that contains only the proxy server.

    There would also be an IP forwarding virtual server allowing access from the VLAN 10 subnets to the database server IPs. Since this would be more specific, I believe it should take precedence over the proxy rules I create.

    Does this sound like a valid solution?


  • For an explicit proxy you could create a virtual server on an arbitrary IP and port (usually 8080) and have it listen on VLAN 10 / VLAN 20 with a pool to the proxy server(s). Configure that IP address / port on the servers in VLAN 10 / VLAN 20 and you should be OK.

    If you are doing a transparent proxy, so not configuring a proxy on the servers, then your suggested method should work.
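The two designs discussed in this thread (the original poster's transparent interception with a more-specific forwarding exception for VLAN 10 to VLAN 20, and the explicit-proxy virtual server from the reply above), written out as tmsh commands. This is an added example and not configuration from the original thread. It assumes the VLAN objects are named vlan10, vlan20 and vlan30, that the proxy at 10.30.0.100 accepts intercepted traffic on TCP/3128 and explicit proxy requests on TCP/8080, that 10.10.0.254 is a free address the VLAN 10 and VLAN 20 hosts can reach via the BIG-IP, and that the existing Internet forwarder is called vs_fwd_internet; all of those names and ports are assumptions, not values from the page.

```tmsh
# Added example: run inside a tmsh session on the BIG-IP (or prefix each line
# with "tmsh"). Object names, the proxy ports 3128/8080 and the address
# 10.10.0.254 are assumptions, not values from the thread.

# ---- Transparent interception (original poster's design) -----------------
# Pool containing only the proxy. Port 3128 is the assumed interception port;
# the BIG-IP rewrites the destination port 80/443 -> 3128 on the way in.
create ltm pool pool_proxy_intercept members add { 10.30.0.100:3128 } monitor tcp

# Catch-all TCP/80 and TCP/443 listeners on the VLAN 10 and VLAN 20 side only.
# No SNAT: the BIG-IP is the gateway for VLAN 30, so the proxy's replies to the
# real client address come back through it, and the proxy logs true client IPs.
create ltm virtual vs_intercept_http destination 0.0.0.0:80 mask any ip-protocol tcp vlans { vlan10 vlan20 } vlans-enabled pool pool_proxy_intercept profiles add { fastL4 }
create ltm virtual vs_intercept_https destination 0.0.0.0:443 mask any ip-protocol tcp vlans { vlan10 vlan20 } vlans-enabled pool pool_proxy_intercept profiles add { fastL4 }

# More-specific exception: VLAN 10 hosts may reach the DB subnet on any port.
# Virtual server precedence is destination address first, then source address,
# then port, so the /24 destination here beats the 0.0.0.0/0 listeners above
# even for DB traffic on 80/443.
create ltm virtual vs_fwd_app_to_db destination 10.20.0.0:any mask 255.255.255.0 source 10.10.0.0/24 ip-forward ip-protocol any vlans { vlan10 } vlans-enabled profiles add { fastL4 }

# The existing Internet forwarder must stop listening on VLAN 10/20, otherwise
# non-80/443 traffic from those VLANs still matches it and bypasses the proxy.
modify ltm virtual vs_fwd_internet vlans { vlan30 } vlans-enabled

# ---- Explicit proxy (reply's alternative) --------------------------------
# A single host-address listener that the servers are configured to use as
# their HTTP(S) proxy; the proxy itself speaks the proxy protocol on 8080.
create ltm pool pool_proxy_explicit members add { 10.30.0.100:8080 } monitor tcp
create ltm virtual vs_explicit_proxy destination 10.10.0.254:8080 mask 255.255.255.255 ip-protocol tcp vlans { vlan10 vlan20 } vlans-enabled pool pool_proxy_explicit profiles add { fastL4 }

# ---- Checks ---------------------------------------------------------------
# Confirm the listeners, VLAN restrictions and pool membership took effect,
# then watch connections land on the expected virtual server.
list ltm virtual vs_intercept_http vs_intercept_https vs_fwd_app_to_db vs_explicit_proxy
show ltm virtual vs_intercept_http
show sys connection cs-client-addr 10.10.0.2
```

Two caveats worth checking before relying on this: with transparent interception the proxy must be configured to accept intercepted connections (and, for 443, to handle TLS it did not terminate, for example by routing on SNI), and the intercept virtual servers only match the ports listed, so anything else from VLAN 10/20 toward the Internet is dropped once vs_fwd_internet is limited to vlan30, which is the stated requirement but should be confirmed against the application servers' real traffic.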