Forum Discussion

Benoit_C_
Jun 07, 2013

GTM private IP versus public IP in GTM DNS answers

Hello all,

I have a question regarding the behavior of the GTM in the following conditions:

  • GTM must reply to DNS queries only coming from the Internet, i.e. with the public IP addresses of services hosted on the LTM (NAT done at the FW level ‘above’ the F5 infra)
  • The GTM is installed in the private DMZ, thus with private IP addresses (10.x)
  • The LTMs are installed in the same private DMZ, using private IP addresses (10.x)
  • GTM is defined as a BIG-IP system
  • LTM is defined as a generic LB
  • Probing from GTM to LTM is an HTTPS monitor (proven to work)
  • Probing shall remain ‘internal’ (I mean not go through the FW) between the GTM and the LTM, as both are configured with only private IPs and in the same VLAN.

When, on the GTM box, I configure a VS (attached to the LTM server), I can define a destination address and a translation address.

Looking at the inline help, it sounds quite clear that the ‘destination’ of the VS should be the IP defined on the LTM (thus the private one), and the ‘translation-address’ the public IP.

bchadmin@(p02dnf01)(cfg-sync Standalone)(Active)(/Common)(tmos) modify gtm server P02LBF-Cluster virtual-servers add { vs-test { ?

Properties:
  "}"                            Close the left brace
  depends-on                     Specifies the names of virtual servers on which this virtual server depends.
  description                    User defined description.
  destination                    Specifies the IP address and port of the virtual server.
  disabled                       Specifies that this virtual server is not available for load balancing.
  enabled                        Specifies that this virtual server is available for load balancing.
  explicit-link-name             Specifies the specific link name that you want to associate with this virtual server.
  limit-max-bps                  Specifies the maximum allowable data throughput rate, in bits per second, for this virtual server. If the network traffic volume exceeds this value, the system marks the virtual server as unavailable.
  limit-max-bps-status           Enables or disables the limit-max-bps option for this virtual server. The default value is disabled.
  limit-max-connections          Specifies the number of current connections allowed for this virtual server. If the current connections exceed this value, the system marks this virtual server as unavailable.
  limit-max-connections-status   Enables or disables the limit-max-connection option for this virtual server. The default value is disabled.
  limit-max-pps                  Specifies the maximum allowable data transfer rate, in packets per second, for this virtual server. If the network traffic volume exceeds this value, the system marks this virtual server as unavailable.
  limit-max-pps-status           Enables or disables the limit-max-pps option for this virtual server. The default value is disabled.
  ltm-name                       Name of virtual server on LTM.
  monitor                        Enables or disables the monitor assigned to this virtual server.
  translation-address            Specifies the public address that this virtual server translates into when GTM communicates between the network and the Internet. The default value is disabled.
  translation-port               Specifies the translation port number or service name for the virtual server, if necessary.

(Looking at the same inline help in the GUI, the explanation is less explicit)

  Address        Displays the IP Address of the virtual server.
  Translation    Specifies the translation IP address for the virtual server, if necessary.

However, if I ‘follow’ this setup and perform a DNS test from the Internet, the GTM replies with the private IP and not the public one (test domain securetest.a.com, see at the end).

  • First question is: is it as expected? Reading articles on DevCentral, it shouldn't be?

Conversely, if I specify the public IP as ‘destination’ and the private as ‘translation’, the GTM replies with the correct IP (test domain securetest.b.com, see at the end).

But the GTM then probes the public IP and not the private one. This could work but is not really what we want, i.e. the GTM probing the LTM on its internal IP.

  • I wonder thus if there is a way to force the GTM to probe the ‘translation-address’ (i.e. the private IP) instead of the ‘destination’ (i.e. the public one)?


> server 42.42.42.42 (GTM)
Default Server: [42.42.42.42]
Address: 42.42.42.42

> securetest.a.com (VS configured with private IP as destination and public as translation)
Server: [42.42.42.42]
Address: 42.42.42.42

Name: securetest.a.com
Address: 10.1.44.60

> securetest.b.com (VS configured with public IP as destination and private as translation)
Server: [42.42.42.42]
Address: 42.42.42.42

Name: securetest.b.com
Address: 20.30.40.50

>

Thanks a lot!

11 Replies

  • Hamish
    The translation address is NOT actually for the GTM to resolve addresses to. Confusing, I know; it took me a while to get my head around that, as the terminology is subject to some interpretation. It's actually the IP address the GTM will 'see' the remote VS as when/if it's NAT'ed between the GTM and the LTM. (Thus I never use it, as my GTMs and LTMs are all within the private network.)

    If you wish to take the VS RFC private IP and have GTM resolve it instead as a translated address, you'll have to use an iRule.

    BTW, why have you defined the LTM as a generic LB? It's much better as a BigIP using BigIP monitoring. (The LTM then feeds the status and load of all the VSs back to the GTM via the big3d daemon.)

    H
  • Hello Hamish,

    OK, thanks for the clarification. I will look then at writing an iRule that is as global as possible, trying to avoid creating one per VS (I have around 100 VS configured).

    The fact is that per WIP, I have 4 pools configured in Global Availability with manual resume, thus I must make sure to return the 'up to date' value and not something static.

    But I am not sure I will be able to make it a global rule.

    And at the same time, discuss with the management to explain that probing the local VIP requires using the external IP (the FW is the GW, it is only one hop more, we do not really go out on the Internet), if we do not want to use an iRule.

    I see two ways:

    - DNS request level: check if pool A is up, if yes provide an IP, else check if pool B is up and so on down to pool D (pseudo code):

      when DNS_REQUEST {
          if { [DNS::rrname] eq "secure.a.com" } {
              # pseudo code: answer with the address of the first pool that is up
              if GTM::poolA is up then host a.a.a.a
              else if GTM::poolB is up then host b.b.b.b
              else if GTM::poolC is up then host c.c.c.c
              else if GTM::poolD is up then host d.d.d.d
          }
      }

    - DNS answer: based on the private IP contained in the answer (pseudo code again):

      when DNS_RESPONSE {
          set new_host [host]
          switch -glob $new_host {
              "10.0.0.a" { set host "a.a.a.a" }
              "10.0.0.b" { set host "b.b.b.b" }
              "10.0.0.c" { set host "c.c.c.c" }
              "10.0.0.d" { set host "d.d.d.d" }
          }
          DNS::return
      }

    Do you think it could work?

    To answer your question about iQuery: this is a wish of the management to not rely on a proprietary protocol for the GTM to get the status of VS. That's why I use HTTPS.

    Meaning that we could replace the GTM by any other DNS/GSLB server, and the LTM by any other LB.

    If I declare the LTM as 'BigIP' instead of 'Generic', even if I remove bigip from the list of monitors, the GTM will try to probe port 4353. As a result, all VS go down. I have a case opened with F5 for this, because I'm also hitting SOL13865 (and an upgrade to 11.2.1 HFA6 did not solve it).

    Thanks and have a nice w-e

    --
    Benoit
  • Hamish
    There's an iRule in the codeshare that I wrote to do this. It handles multiple NATs (i.e. the same service via 2 different FWs with different NATs on them) if you can identify the LDNS reliably.

    H
  • Hi,

    I am trying to do this as well. Basically, I like the approach of Benoit...

      when DNS_RESPONSE {
          set new_host [host]
          switch -glob $new_host {
              "10.0.0.a" { set host "a.a.a.a" }
              "10.0.0.b" { set host "b.b.b.b" }
              "10.0.0.c" { set host "c.c.c.c" }
              "10.0.0.d" { set host "d.d.d.d" }
          }
          DNS::return
      }

    However, I am not sure how to fully translate this to iRules... I am going to attempt to do it, but if anyone on this thread already did it, can you please share the working iRule?

    Thanks...

  • Thank you. Trying to figure out how to identify the classes... and clear errors when I add to an iRule...

    Thanks for the reply.

    • Chad_83686
      My GTM is not liking any of the commands! timing on, DNS_RESPONSE! I am on 11.2.1 so not that old! I must be missing something basic... [unknown event (DNS_RESPONSE)] [when DNS_RESPONSE {}]
    • Chad_83686
      I think I know what I was doing wrong: I was trying this at the GTM iRules under WIP. The note says: "Note that although developed for GTM, this is an LTM iRule and is attached to the LTM VS that is created by the GTM when you configure a listener address." I have the LTM VS auto discovered from an LTM, so I really am not sure what is meant by "created by the GTM when you configure a listener address". Should I just add this rule to the LTM box? If anybody can help me with how to set this up, please help. I have a GTM box and an LTM box. The GTM has a WIP with a pool pointing to a VS that is auto discovered from the LTM. I am officially stuck now :) Thanks.
  • Marvin
    Just some more questions about this topic:

    What if you want to resolve a host A record (wide IP) to two different public IP addresses for inbound load balancing purposes across a highly available internet connection in one datacenter that contains different unique public IP addresses?

    You will have the internal private IP address configured as a virtual server in the DMZ; if I am correct, using the iRule https://devcentral.f5.com/wiki/iRules.GTM-Translation.ashx you can only resolve to one public IP address instead of the private one to make it work? Is it possible to return more public IP addresses for inbound load balancing using two internet connections?

    What will happen if one internet link fails? How does the iRule script know which public IP to return that is available (not down)?


  • Marvin
    No iRule needed at all for this behavior.

    Destination address (public IP) and translation address (private IP). Autodiscovery will not work, only manual creation. Just implemented the solution and it works like a charm (11.5.3 HF2).

    Probing the private IP using the bigip monitor will sense all changes in LTM and reflect them in GTM. Also you can assign a GTM link to the underlying GTM servers (LTM VS) so that in case the link goes down the associated BIG-IP virtual servers go down as well, which prevents faulty DNS resolving.

    https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13827.html

    You need to open the iQuery port 4353 for big3d monitoring to work on the self IPs; if you have problems with status updates using iQuery, use iqdump on the command line with the server IP address (self IP) of the neighboring LTM.

    If you want to resolve differently based on the client's IP address, for example coming from the internet or from the local network, use topology records. I created two topology records to prevent internal IP addresses from being resolvable from the internet (because it is used internally only).

    Regions:
      - Region Internal: private IP addresses
      - Region Internet: the internet

    Topology records:
      - Region Internet ==> Region Internet
      - Region Internal ==> Region Internal

    Create a wide IP, for example www.f5.com, with one pool. Within the pool select topology as the load balancing algorithm and as alternative use fallback and define a fallback IP, just to prevent the GTM from supplying internal IP information to the internet. Within the GTM pool use two GTM virtual servers, one with the private IP as the destination address and the other with the public IP as the destination address. The translated address will be the same. This way GTM will answer based on the location with the right IP, just like split DNS would do, just like that!!

    No iRules, no scripting, just making use of the nice features GTM offers!! Cheers, Marvin
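Benoit's DNS_RESPONSE rewrite and Marvin's topology-plus-fallback setup both implement the same policy: an answer sent to a client on the Internet must never carry a private address, while internal clients keep getting the private one. The Python below is an added example of that policy (not an iRule, and not code from the thread or from F5): it parses a constructed DNS response in wire format, leaves answers to internal clients untouched, and for external clients rewrites each private A record in place to its NAT public address, or to a fallback address when no mapping exists. NAT_MAP, FALLBACK, the 10.0.0.0/8 "Internal" region and the client addresses are assumptions; 10.1.44.60 and 20.30.40.50 are the thread's own test values.

```python
import ipaddress
import struct

NAT_MAP = {"10.1.44.60": "20.30.40.50"}   # constructed: private VS address -> public NAT address
FALLBACK = "20.30.40.1"                   # assumed fallback IP, like a GTM pool's fallback IP
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed topology region "Internal"

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles 0xC0 compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes and the name ends here
            return off + 2
        off += 1 + length

def translate_answers(msg, client_ip):
    """Rewrite one DNS response so an external client never sees a private address.
    Internal clients get it unchanged (split-DNS); for external clients each private A
    record is rewritten in place to its NAT address, or to FALLBACK if unmapped. A rdata
    is always 4 bytes, so offsets and pointers stay valid. Returns (message, rewrites)."""
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return bytes(msg), []
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12                                  # first question follows the 12-byte header
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4         # skip QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            addr = ipaddress.IPv4Address(bytes(buf[off:off + 4]))
            if addr.is_private:
                new = NAT_MAP.get(str(addr), FALLBACK)
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((str(addr), new))
        off += rdlen
    return bytes(buf), rewrites

def build_response(name, addrs):
    """Constructed minimal DNS response: one A question and one A RR per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0) + qname + b"\x00\x01\x00\x01"
    for a in addrs:   # RR name is a pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
    return msg
```

The second answer in the test below (10.1.44.61) has no NAT entry and therefore comes back as the fallback address, which is what stops an unmapped VS from leaking its 10.x address the way securetest.a.com did in the nslookup above.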