GTM private IP versus public IP in GTM DNS answers
Hello all,
I have a question regarding the behavior of the GTM in the following conditions:
- The GTM must reply to DNS queries coming only from the Internet, i.e. with the public IP addresses of the services hosted on the LTM (NAT is done at the FW level ‘above’ the F5 infra)
- The GTM is installed in the private DMZ, thus with private IP addresses (10.x)
- The LTMs are installed in the same private DMZ, using private IP addresses (10.x)
- The GTM is defined as a BIG-IP system
- The LTM is defined as a generic LB
- Probing from the GTM to the LTM is an HTTPS monitor (proven to work)
- Probing shall remain ‘internal’ (I mean it must not go through the FW) between the GTM and the LTM, as both are configured with only private IPs and are in the same VLAN.
When, on the GTM box, I configure a VS (attached to the LTM server), I can define a destination address and a translation address.
Looking at the inline help, it sounds quite clear that the ‘destination’ of the VS should be the IP defined on the LTM (thus the private one), and the ‘translation-address’ the public IP.
bchadmin@(p02dnf01)(cfg-sync Standalone)(Active)(/Common)(tmos) modify gtm server P02LBF-Cluster virtual-servers add { vs-test { ?
Properties:
"}" Close the left brace
depends-on Specifies the names of virtual servers on which this virtual server depends.
description User defined description.
destination Specifies the IP address and port of the virtual server.
disabled Specifies that this virtual server is not available for load balancing.
enabled Specifies that this virtual server is available for load balancing.
explicit-link-name Specifies the specific link name that you want to associate with this virtual server.
limit-max-bps Specifies the maximum allowable data throughput rate, in bits per second, for this virtual server. If the network traffic volume
exceeds this value, the system marks the virtual server as unavailable.
limit-max-bps-status Enables or disables the limit-max-bps option for this virtual server. The default value is disabled.
limit-max-connections Specifies the number of current connections allowed for this virtual server. If the current connections exceed this value, the
system marks this virtual server as unavailable.
limit-max-connections-status Enables or disables the limit-max-connection option for this virtual server. The default value is disabled.
limit-max-pps Specifies the maximum allowable data transfer rate, in packets per second, for this virtual server. If the network traffic
volume exceeds this value, the system marks this virtual server as unavailable.
limit-max-pps-status Enables or disables the limit-max-pps option for this virtual server. The default value is disabled.
ltm-name Name of virtual server on LTM.
monitor Enables or disables the monitor assigned to this virtual server.
translation-address Specifies the public address that this virtual server translates into when GTM communicates between the network and the
Internet. The default value is disabled.
translation-port Specifies the translation port number or service name for the virtual server, if necessary.
(Looking at the same inline help in the GUI, the explanation is less explicit)
Address
Displays the IP Address of the virtual server.
Translation
Specifies the translation IP address for the virtual server, if necessary.
However, if I ‘follow’ this setup and perform a DNS test from the Internet, the GTM replies with the private IP and not the public one (test domain securetest.a.com, see at the end).
- First question: is this the expected behavior? Reading articles on DevCentral, it shouldn’t be?
Conversely, if I specify the public IP as ‘destination’ and the private one as ‘translation’, the GTM replies with the correct IP (test domain securetest.b.com, see at the end).
But the GTM then probes the public IP and not the private one. This could work but is not really what we want, i.e. we want the GTM to probe the LTM on its internal IP.
- I therefore wonder whether there is a way to force the GTM to probe the ‘translation-address’ (i.e. the private IP) instead of the ‘destination’ (i.e. the public IP)?
> server 42.42.42.42 (GTM)
Default Server: [42.42.42.42]
Address: 42.42.42.42
> securetest.a.com (VS configured with private IP as destination and public as translation)
Server: [42.42.42.42]
Address: 42.42.42.42
Name: securetest.a.com
Address: 10.1.44.60
> securetest.b.com (VS configured with public IP as destination and private as translation)
Server: [42.42.42.42]
Address: 42.42.42.42
Name: securetest.b.com
Address: 20.30.40.50
>
Thanks a lot !
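The symptom in this post (an external resolver receiving a 10.x answer) is something worth checking for routinely, since a public-facing GTM that returns private addresses exposes internal addressing to anyone who queries it. The following added example is not part of the original post and makes no assumptions about F5 internals: it parses an nslookup transcript of the shape shown above (the transcript below is constructed sample data modelled on the post) and flags every name whose answers include a non-globally-routable address, using Python's standard `ipaddress` module so the same check works for IPv4 and IPv6 answers.

```python
"""Flag private or otherwise non-global addresses in DNS answers that an
external resolver received, parsed from an nslookup transcript."""
import ipaddress

# Constructed sample transcript modelled on the post's nslookup session.
# Not a capture from the original system.
SAMPLE_TRANSCRIPT = """\
> server 42.42.42.42
Default Server: [42.42.42.42]
Address: 42.42.42.42
> securetest.a.com
Server: [42.42.42.42]
Address: 42.42.42.42
Name: securetest.a.com
Address: 10.1.44.60
> securetest.b.com
Server: [42.42.42.42]
Address: 42.42.42.42
Name: securetest.b.com
Address: 20.30.40.50
>
"""


def parse_nslookup(transcript):
    """Return {queried_name: [answer_addresses]} from an nslookup transcript.

    nslookup prints the resolver's own 'Server:'/'Address:' pair before each
    answer, then 'Name:' followed by one or more 'Address:' lines. Only the
    Address lines that follow a Name line are answers; the ones that follow a
    Server line describe the resolver and are skipped.
    """
    answers = {}
    current_name = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current_name = line.split(":", 1)[1].strip()
            answers.setdefault(current_name, [])
        elif line.startswith(("Server:", "Default Server:")):
            current_name = None  # next Address: line belongs to the resolver
        elif line.startswith("Address:") and current_name is not None:
            addr = line.split(":", 1)[1].strip()
            answers[current_name].append(addr)
    return answers


def is_publicly_routable(addr):
    """True if addr is globally routable (not RFC 1918, loopback, link-local, ...)."""
    return ipaddress.ip_address(addr).is_global


def find_private_leaks(answers):
    """Return {name: [non-global addresses]} for every name that leaks one."""
    leaks = {}
    for name, addrs in answers.items():
        bad = [a for a in addrs if not is_publicly_routable(a)]
        if bad:
            leaks[name] = bad
    return leaks


if __name__ == "__main__":
    leaks = find_private_leaks(parse_nslookup(SAMPLE_TRANSCRIPT))
    for name, addrs in leaks.items():
        print(f"non-public answer for {name}: {', '.join(addrs)}")
    if not leaks:
        print("all answers are globally routable")
```

Run against a real transcript by reading it from a file instead of `SAMPLE_TRANSCRIPT`; on the sample data it reports `securetest.a.com` (answered with 10.1.44.60) and stays silent for `securetest.b.com`, which matches the two outcomes described in the post.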