Forum Discussion

VladimirShushko
Oct 02, 2018

BIG-IP in DMZ - Reverse traffic to public subnets clarification

Hi guys,

Please help with understanding routing on a BIG-IP LTM device. We are using quite an old version on the box, 10.2.4. The problem we are having is related to traffic flows from the border firewall, which is connected to the public subnet and to the F5 load balancer. We are experiencing connectivity problems from outside to the server pool behind the load balancer after we perform a switchover operation on the firewall cluster from the primary to the secondary node. Both firewall devices are in sync, so they are using the same configuration, and during the switchover the secondary device just takes the VIPs from the primary. I suspect that the issue lies on the LTM side.

What I can't understand right now is how the BIG-IP returns traffic from the pool back to the clients on the Internet if the load balancer is already in the DMZ (it doesn't have public IPs assigned). The border firewall performs NAT translation of the destination IP address, leaving the clients' public IPs unchanged. This changed packet reaches the LTM vServer in VLAN20 (please take a look at the attached diagram) and, based on the vServer settings, traffic is directed to the pool of web servers with the source changed to the self IP of the LTM (because of the SNAT automap config). But the reverse path is not clear. Traffic is forwarded to the LTM, which in its turn substitutes the original public IP address of the Internet client. What then? Will traffic be directed based on the routing table? But in that case asymmetric routing will happen, because in our case the default route is pointing to a different VLAN.

Here is our vserver config

    ltm virtual VS_VSERVER {
        destination 10.0.20.150:https
        ip-protocol tcp
        mask 255.255.255.255
        partition APP20
        persist {
            TST_cookiePersistence {
                default yes
            }
        }
        pool POOL_WEB1
        profiles {
            TST_http_headerSource { }
            example.com {
                context clientside
            }
            tcp { }
        }
        rules {
            TST_redir
        }
        snat automap
    }

Thank you very much!

1 Reply

  • Hi Vladimir,

    So, to sum up, you receive a request from outside:

    • The client sends a request from the Internet to the public service.
    • Your FW NATs the destination to the VS (internal IP) but leaves your source IP unchanged.
    • The F5 receives the client request on the VS (internal IP), then forwards the request to your pool member depending on your load balancing method and persistence.
    • The F5 SNATs the source IP of the client and uses the IP of the egress interface (self IP if standalone, or floating IP if cluster).
    • The pool member receives the request and responds to the F5 (because of SNAT).
    • The F5 sends the response to the client using Auto Last Hop, which is a VS setting that is set to Default by default:

    When enabled, Auto Last Hop allows the BIG-IP system to send return traffic from pools to the MAC address that transmitted the request, even if the routing table points to a different network or interface. As a result, the BIG-IP system can send return traffic to clients even when there is no matching route. For example, if the BIG-IP system does not have a default route configured and the client is located on a remote network. Additionally, Auto Last Hop is useful when the BIG-IP system is load balancing transparent devices that do not modify the source IP address of the packet. Without the last hop option enabled, the BIG-IP system can return connections to a different transparent node, resulting in asymmetric routing.

    https://support.f5.com/csp/article/K13876

    So the response from the F5 goes back using the right path (the response to the client uses the arrival interface).

    Hope it's clear, let me know if you need more details.

    Regards
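The return-path behaviour described in the reply, as an added example that is not code from the original post, from F5, or from the BIG-IP software. It is a small model of the documented Auto Last Hop mechanism: the BIG-IP records, per connection, the VLAN and source MAC of the frame that opened it and sends return traffic there instead of consulting the routing table. The addresses, MACs, VLAN names and routing table are constructed for the illustration and are not the poster's real addressing; the connection key is simplified to (client IP, VIP). The model also covers the switchover case from the question: because the last-hop entry is stored when a connection is opened, an existing connection keeps returning traffic to the MAC that opened it, so what happens after a firewall switchover depends on whether the secondary node presents the same MAC as the primary (a shared virtual MAC) or its own. Which of these applies to the poster's firewall cluster is an assumption the thread does not settle, so both are modelled.

```python
"""Model of the BIG-IP return-path choice described in the reply.

Added example: not code from the original post, from F5, or from the BIG-IP
software. It models the documented Auto Last Hop behaviour: for each
connection the BIG-IP remembers the VLAN and source MAC of the frame that
opened it and sends the return traffic there, instead of consulting the
routing table. Every address, MAC and route below is constructed for the
illustration; the firewall cluster's MAC behaviour on switchover is a
modelled assumption, not something stated in the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# --- constructed topology (assumption, not the poster's real addressing) ---
DMZ_VLAN = "vlan20"            # VLAN where the VS lives and the firewall hands us frames
INSIDE_VLAN = "vlan10"         # VLAN the default route points to
VIP = "10.0.20.150"
CLIENT_A = "198.51.100.7"      # two Internet clients (TEST-NET-2 addresses)
CLIENT_B = "198.51.100.8"
FW_VMAC = "00:00:5e:00:01:01"  # virtual MAC shared by the firewall pair (assumed)
FW_SECONDARY_MAC = "00:11:22:33:44:02"  # secondary node's own MAC (assumed)
INSIDE_ROUTER_MAC = "00:11:22:33:44:aa"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str   # MAC of the device that transmitted the frame to the BIG-IP
    vlan: str


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_mac: str
    vlan: str


# Only a default route, pointing away from the DMZ VLAN, as in the question.
ROUTES = [Route(ipaddress.ip_network("0.0.0.0/0"), INSIDE_ROUTER_MAC, INSIDE_VLAN)]


@dataclass
class BigIP:
    routes: list[Route]
    auto_lasthop: bool = True
    # Connection table: (client_ip, vip) -> (vlan, mac) of the previous hop.
    # Real connections are keyed on the full 5-tuple; the pair is enough here.
    lasthop: dict[tuple[str, str], tuple[str, str]] = field(default_factory=dict)

    def ingress(self, pkt: Packet) -> tuple[str, str]:
        """Client -> VS. A new connection records where its first frame came from."""
        key = (pkt.src_ip, pkt.dst_ip)
        self.lasthop.setdefault(key, (pkt.vlan, pkt.src_mac))
        return key

    def route_lookup(self, dst_ip: str) -> Route | None:
        """Longest-prefix match over the routing table."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def egress_for_response(self, key: tuple[str, str]) -> tuple[str, str] | None:
        """Pool member -> client. Returns the (vlan, next-hop MAC) the reply goes to."""
        if self.auto_lasthop and key in self.lasthop:
            return self.lasthop[key]           # back out the way it came in
        route = self.route_lookup(key[0])
        if route is None:
            return None                        # no last hop and no route: dropped
        return (route.vlan, route.next_hop_mac)


def walk(auto_lasthop: bool, failover_keeps_mac: bool):
    """Open a connection through the primary firewall, fail over, then answer the
    existing connection and open a new one through the secondary.
    Returns the egress chosen for: the reply before failover, the reply for the
    existing connection after failover, and the reply for the new connection."""
    bip = BigIP(routes=ROUTES, auto_lasthop=auto_lasthop)
    k1 = bip.ingress(Packet(CLIENT_A, VIP, FW_VMAC, DMZ_VLAN))
    before = bip.egress_for_response(k1)
    # Switchover: the secondary now forwards the DNATed traffic. Whether it
    # presents the shared virtual MAC or its own MAC is the modelled assumption.
    new_mac = FW_VMAC if failover_keeps_mac else FW_SECONDARY_MAC
    k2 = bip.ingress(Packet(CLIENT_B, VIP, new_mac, DMZ_VLAN))
    return before, bip.egress_for_response(k1), bip.egress_for_response(k2)


if __name__ == "__main__":
    for alh, keep in [(True, True), (False, True), (True, False)]:
        print(f"auto_lasthop={alh} failover_keeps_mac={keep}:", walk(alh, keep))
```

Running it prints three scenarios. With Auto Last Hop on and a shared MAC, every reply goes back out VLAN20 to the firewall, which is the symmetric path the reply describes. With Auto Last Hop off, the same replies follow the default route out VLAN10, which is the asymmetric routing the question worried about. With Auto Last Hop on but a switchover that changes the firewall's MAC, the new connection is fine while the connection opened before the switchover still returns to the old MAC; the model only shows that this is what per-connection last-hop state implies, not that it is the cause of the poster's outage.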