Forum Discussion

f5rocks_86658
Nov 01, 2017

Forwarding VIP question

I have a standard VIP for an FTP application, and its pool members are in route domain 1. Until today, SNAT was enabled, but a requirement came to disable SNAT to see the original client IP. We will get the default gateway of the pool members changed to the F5 floating IP and will create a forwarding VIP on the F5.

The question is: do we need to create the forwarding VIP in route domain 1? Do we need to enable SNAT for the forwarding VIP? We have a default route for route domain 1. Which route will it take for forwarding-VIP-destined traffic?

6 Replies

  • Also, if I want to use the same next hop for forwarding VS traffic as the earlier gateway of the pool member, can the old server gateway be configured as a pool member and used in an iRule for forwarding traffic? If yes, does that also need to reside in route domain 1?

  • Jeff_Maddox_394
    Historic F5 Account

    There may be some missing information, but you only need a forwarding VIP if you want to forward server-initiated traffic outbound. If you disable SNAT and change the default gateway to point at the F5 self IP on that route domain, your virtual server will work.

  • Thanks, Jeff, for the response. But I just checked: there is no default route; rather, the route created for route domain 1 is wrong, so I am wondering how routing will take place?

  • Jeff_Maddox_394
    Historic F5 Account

    I think there is some missing information. There is no default route on the F5? If not, how is it routing traffic back to clients currently? I am under the assumption, based on the question, that the only thing changing is that SNAT is being removed. If that is the case, then servers pointing at the F5 floating IP as their default route will suffice. But it sounds like I am missing some of the configuration and architecture details.

  • Thanks. Routing traffic back to the client is taken care of by the auto last hop feature. I would create the default route to take care of routing. But the original question is: the VIP and pool member (of which DG we are changing to F5 floating IP) are in route domain 1. So do we need to create the forwarding VIP in RD-1 as well?

  • Jeff_Maddox_394
    Historic F5 Account

    Apologies for the delay, I did not get an update notice for the comment. I also missed the part about this being FTP. For active mode FTP, a forwarding wildcard virtual will be needed; just restrict the source to your FTP servers. You would need to SNAT from the original FTP virtual address so that the client recognizes the connection. Since in active mode the data connection is outbound initiated, you would need a default route. Auto last hop would not work. If active mode is being used currently, I am not sure how it is working now without the forwarding VIP. This would be in route domain 1 since that is where your servers are.

    For passive mode, the FTP profile should be all you need; no forwarding virtual needed.
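
One way the active-mode setup described in the last reply could be expressed in tmsh, as an added example that is not part of the original thread and not F5's own configuration. Every object name, VLAN and address below is a constructed placeholder, and the commands are assumed to be entered at the tmsh prompt on a system where route domain 1 already exists.

```tmsh
# Constructed example: active-mode FTP after SNAT is removed from the FTP virtual.
# Placeholder values (documentation address ranges, not taken from the thread):
#   FTP virtual address : 192.0.2.10%1
#   FTP servers         : 198.51.100.0/24 in route domain 1
#   Upstream gateway    : 192.0.2.1%1
#   Server-side VLAN    : ftp_servers_vlan

# Default route inside route domain 1, needed because the active-mode data
# connection is initiated by the server and auto last hop does not apply to it.
create net route rd1_default network default%1 gw 192.0.2.1%1

# SNAT pool containing only the FTP virtual address, so the client sees the
# data connection arrive from the same address it opened the control channel to.
create ltm snatpool ftp_vip_snat members add { 192.0.2.10%1 }

# Wildcard forwarding virtual in route domain 1. The source filter and the
# VLAN restriction limit forwarding to traffic from the FTP servers only,
# instead of routing for every host that can reach the BIG-IP.
create ltm virtual fwd_ftp_active_rd1 destination 0.0.0.0%1:any mask any ip-forward source 198.51.100.0%1/24 vlans-enabled vlans add { ftp_servers_vlan } profiles add { fastL4 } source-address-translation { type snat pool ftp_vip_snat }

# Review the resulting objects before saving the configuration.
list ltm virtual fwd_ftp_active_rd1
list ltm snatpool ftp_vip_snat
list net route rd1_default
```

The FTP virtual itself keeps its FTP profile and has SNAT disabled, so the servers log the original client IP; only the server-initiated data connections pass through the forwarding virtual and are translated.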