Forum Discussion

ecce_297791
Dec 04, 2017

Multiple wildcard listeners on different interfaces

Hello,

Is it allowed to have two (or more) ip-forward virtual servers listening on any source, any dst and any port - but bound to different VLANs?

The reason I ask is because in a tcpdump I sometimes see traffic like this (and I may interpret this the wrong way):

```
root@(bigip01)(cfg-sync In Sync)(Eval:Active)(/Common)(tmos) tcpdump -nni 0.0 'src 10.3.120.5 and dst 10.2.120.31 and tcp port 135'
14:01:13.783574 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 in slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:13.783594 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 out slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:23.625743 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 in slot1/tmm2 lis=/partition.inside/vs.SERVERS
14:01:23.625754 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 out slot1/tmm2 lis=/partition.inside/vs.SERVERS
```

Two weird things here:

  • traffic seems to be going in and out on the same interface (like the first two rows above)? Or do I interpret this output wrong?

  • How come traffic from 10.3/16 matches the vs.SERVERS virtual server (10.3/16 is clients)? All four rows above should be routed the same way; they should match the same VS??

    Here is the configuration of the two VS:

    ```
    ltm virtual /partition.inside/vs.SERVERS {
        destination /partition.inside/0.0.0.0%1:any
        fw-enforced-policy /partition.inside/fwpolicy.SERVERS
        ip-forward
        mask any
        partition partition.inside
        profiles {
            fastL4 { }
        }
        source 0.0.0.0%1/0
        translate-address disabled
        translate-port disabled
        vlans {
            VRF-SERVERS.vlan
        }
        vlans-enabled
        vs-index 9
    }
    ltm virtual /partition.inside/vs.CLIENTS {
        destination /partition.inside/10.2.0.0%1:any
        fw-enforced-policy /partition.inside/fwpolicy.CLIENTS
        ip-forward
        mask 255.255.0.0
        partition partition.inside
        profiles {
            fastL4 { }
        }
        source 0.0.0.0%1/0
        translate-address disabled
        translate-port disabled
        vlans {
            VRF-CLIENTS.vlan
        }
        vlans-enabled
        vs-index 7
    }
    ```

Thanks.

1 Reply

  • Firstly, the first 2 packets belong to one TCP connection and the last 2 to another TCP connection, because the ports are different.

    Change your filter to:

    ```
    tcpdump -nni 0.0 'host 10.3.120.5 and host 10.2.120.31 and tcp port 135'
    ```

    You will get all traffic.

    So, yes, you can have multiple forward virtual servers. For virtual servers, the VLAN enabled should be where the traffic arrives. The return traffic is allowed back. The problem is that in your example, the other packet comes in a new TCP connection, so it is handled by the other virtual server that is enabled in that VLAN.

    Also, it is normal to see 2 packets, because of the forward virtual server. The TCP handshake is between the endpoints; one packet is in and one is out.

    I guess you just did not capture the return traffic, or the web server is not routing correctly.

    See this solution for more information:

    https://support.f5.com/csp/article/K8082
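As an added illustration of the reply's point (this is not code from the thread or from F5): a small Python script that parses BIG-IP tcpdump lines carrying the `in`/`out` and `lis=` suffix, groups the packets into TCP connections, infers which endpoint initiated each connection from the port numbers, and checks the listener that handled it against the VLAN the initiator's network is assumed to sit on. The mapping of 10.3/16 to vs.CLIENTS (VRF-CLIENTS.vlan) and 10.2/16 to vs.SERVERS (VRF-SERVERS.vlan) is an assumption taken from the question's description and config; the port heuristic for the initiator is mine.

```python
import ipaddress
import re

# Constructed sample: the four lines from the question, BIG-IP tcpdump format.
SAMPLE = """\
14:01:13.783574 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 in slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:13.783594 IP 10.3.120.5.54673 > 10.2.120.31.135: Flags [.], ack 229, win 255, length 0 out slot1/tmm3 lis=/partition.inside/vs.CLIENTS
14:01:23.625743 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 in slot1/tmm2 lis=/partition.inside/vs.SERVERS
14:01:23.625754 IP 10.3.120.5.135 > 10.2.120.31.54616: Flags [.], ack 318, win 256, length 0 out slot1/tmm2 lis=/partition.inside/vs.SERVERS
"""

# timestamp, src.sport > dst.dport, ..., in|out slotN/tmmM lis=<virtual server>
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*? (?P<dir>in|out) (?P<tmm>\S+) lis=(?P<lis>\S+)$"
)

# Assumed network-to-listener mapping: a connection's first packet arrives on
# the initiator's VLAN, and only the VS enabled on that VLAN can pick it up.
EXPECTED_LISTENER = {
    ipaddress.ip_network("10.3.0.0/16"): "/partition.inside/vs.CLIENTS",
    ipaddress.ip_network("10.2.0.0/16"): "/partition.inside/vs.SERVERS",
}

def expected_listener(ip):
    addr = ipaddress.ip_address(ip)
    return next((lis for net, lis in EXPECTED_LISTENER.items() if addr in net), None)

def parse(text):
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def flows(text):
    """Group packets into bidirectional connections keyed by (initiator, responder).
    Heuristic: the side with the lower (well-known) port, here 135, is the responder."""
    result = {}
    for p in parse(text):
        a, b = (p["src"], int(p["sport"])), (p["dst"], int(p["dport"]))
        initiator, responder = (a, b) if a[1] > b[1] else (b, a)
        rec = result.setdefault((initiator, responder), {"packets": 0, "listeners": set()})
        rec["packets"] += 1
        rec["listeners"].add(p["lis"])
    return result

def audit(text):
    """One row per connection: initiator, responder, observed listener, expected, ok."""
    rows = []
    for (init, resp), rec in flows(text).items():
        observed = ",".join(sorted(rec["listeners"]))
        expected = expected_listener(init[0])
        rows.append((init, resp, observed, expected, observed == expected))
    return rows
```

On the four captured lines the audit reports two connections, the second initiated from 10.2.120.31:54616 towards port 135 on 10.3.120.5, and both listeners consistent with the initiator's VLAN, which is the mismatch the `src`/`dst` filter hid.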