Forum Discussion

ZANOOB
Aug 07, 2023

Not using SNAT for VPN clients: F5 not using floating IP of virtual server.

Hello All,

I have configured F5 as our client VPN gateway.

I am not using SNAT, since I have created a virtual server that uses the default gateway to our firewall, which controls the access of the VPN clients (if I use SNAT, clients are able to access all servers that are behind the self IPs).

VPN clients should not have direct access to the backend servers; they must go via our firewall, hence SNAT is disabled and the default gateway is configured (support KB K18487629: How to route Network Access traffic to specific gateway).

However, F5 is still sending out traffic via the local self IP and not the floating IP, while the return route for the VPN client network on the firewall is configured for the floating IP. Hence, when the traffic returns to F5 via the floating IP, it sees that it never sent such traffic via the floating IP and sends a reset back to the firewall (which is then forwarded to the servers).

Is there a way in the virtual server config to force it to use only the floating IP and not the local interface?

Thank you for your response.

2 Replies

  • Hi ZANOOB, if the virtual server is set to take the source traffic of your lease pool and send it to the gateway, why would having SNAT enabled send the traffic somewhere else? I could be missing something, but if you create a SNAT pool of addresses for the lease pool to use and enable it on that virtual, I think that should solve your problem.

    • ZANOOB

      Hello JRahm,

      Thank you for your reply. Let me try to explain.

      Question: Hi @ZANOOB, if the virtual server is set to take the source traffic of your lease pool and send it to the gateway, why would having SNAT enabled send the traffic somewhere else?

      Answer: I have the IPv4 lease pool for a /22 subnet in the connectivity profile, and the client receives the IP address. However, when it leaves the F5 towards my firewall it uses the self IP address of F5 towards the destination.

      VPN client IP ---> F5 (source IP changes to F5 self IP) ---> firewall ---> destination.

      My objective: to keep the source IP (VPN client IP) when leaving F5 towards the firewall and on to the destination.

      Workaround I did: created a SNAT pool, the same as the IPv4 lease pool (as you mentioned above). However, the problem is that the SNAT pool has many IPs, and the one used does not need to match the client IP when leaving F5 towards my firewall.

      Trying to see if there is an iRule that I could use, so that the SNAT pool IP is the same as the VPN client source. So that when the packet reaches the firewall (exiting F5 towards the destination), we still see the same IP of the client and not a random IP from the SNAT pool.

      I was checking an iRule:

      when CLIENT_ACCEPTED {
          # Match on the VPN client's source (lease pool) address. The posted
          # version used IP::local_addr, which in CLIENT_ACCEPTED is the
          # virtual server's own address and would never equal a lease IP.
          # The addresses in the post were missing a dot ("17216.48.10");
          # they are shown here as 172.16.48.x placeholders for the /22.
          # Tcl switch bodies cannot contain comments, so the list is
          # continued with the remaining lease addresses in the same form.
          switch -glob [IP::client_addr] {
              "172.16.48.10" { snat 172.16.48.10 }
              "172.16.48.11" { snat 172.16.48.11 }
              "172.16.48.12" { snat 172.16.48.12 }
              "172.16.48.13" { snat 172.16.48.13 }
          }
      }

      *AND SO ON TILL THE LEASE SUBNET*

      - Still need to test the iRule though.

      But I don't get why there is no option/feature in F5 that will keep the source IP when exiting via the self IP. I understand SNAT automap and reverse routes. However, in my case the requirement is to keep the source IP as the client IP.

      Regards,

      Zanoob
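The per-address switch ladder sketched in the reply above generalises to a single rule: translate each VPN client's source to its own lease address, so the firewall still sees the client IP, and leave anything outside the lease pool untranslated. This is an added example, not code from the thread or from F5; the lease subnet 172.16.48.0/22 is an assumption standing in for the poster's /22 and must be changed to match the connectivity profile.

```tcl
# Added example (not from the original thread). Attach to the forwarding
# virtual server that sends lease-pool traffic to the firewall gateway.
# Assumption: the Network Access lease pool is 172.16.48.0/22.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.16.48.0/22] } {
        # Translate the source to itself: the server-side flow leaves
        # with the same address the client was leased, so no SNAT pool
        # address is ever chosen at random for it.
        snat [IP::client_addr]
    } else {
        # Traffic not sourced from the lease pool passes through with
        # no translation at all.
        snat none
    }
}
```

The firewall's return route for the /22 must still point at the floating self IP for the reply path to work. After attaching the iRule, confirm on the BIG-IP with `tmsh show sys connection` that the client-side and server-side source addresses of a VPN client's flow are identical before relying on it.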