Hi,
Correct me if I am wrong (still figuring out this F5 stuff :-).
A wildcard PerformanceL4 VS on the INTERNAL VLAN is ONLY necessary for handling traffic originating from servers on this VLAN (so connections from servers to the Internet or to other servers on the LTM or behind the LTM). They are not required at all for traffic coming from other VLANs via a VS to servers on the INTERNAL VLAN. That part is entirely managed by those VSs.
Returning traffic from servers on INTERNAL is directed to the LTM either by setting its self IP (floating for HA) as the default gateway on the servers sitting in INTERNAL, or by setting SNAT in the configuration of the VS. SNAT set at VS level is not GLOBAL (as opposed to SNAT defined as a SNAT object - Local Traffic ›› Address Translation : SNAT List, but even this SNAT object can be limited to a given VLAN or VLANs). It only works for traffic passing through the given VS; that way the source IP of traffic sent from the LTM is changed from some external IP to an IP in the subnet where the internal servers are located, so it can be routed back to the LTM without changing the default gateway on the servers.
Routing of this outgoing traffic is handled (most often) by Auto Last Hop of the VS that is processing the incoming traffic (so it memorizes the last-hop MAC and the VLAN from which the incoming packet was received and sends the reply using the same MAC and VLAN). To create redundancy (or to solve some upstream device issues) a Last Hop Pool can be used instead; then a pool of upstream devices can be set for redundancy (be aware - at least according to my test - the Last Hop Pool is used ONLY for handling responses from servers to incoming traffic processed by the VS, not for outgoing traffic initiated by internal servers).
If it's necessary to allow internal servers to access resources on the Internet or outside of the servers' subnet then you can use:
- Wildcard PerformanceL4 (could be Standard as well) VS - then a different pool of upstream devices can be used for each. If I am not wrong, as long as each such VS is enabled on a different VLAN you can create as many of them as you have VLANs to be served. Sometimes SNAT will be used, to source outgoing traffic from the LTM external IP (it depends, I guess, on the upstream devices).
Wildcard virtual servers can be very wide (All ports, All protocols) but can be more precise as well, e.g. only UDP port 53 - to allow DNS traffic. That way different kinds of traffic can be routed and processed separately. So I guess those are the much better option.
- ForwardingIP VS - if all decisions about directing outgoing traffic should be based on the LTM's routing table. I think it's not a very sophisticated solution but sometimes enough.
- SNAT object - then there is little control over anything except origin IPs and translation IPs (OK, VLAN enablement as well).
- NAT - but only on a per-server basis (1 to 1 relationship between origin and NAT address).
If much stricter separation of traffic is necessary, Route Domains can be created. With the right settings traffic between different RDs can be completely separated (Strict Isolation, Parent Name: None) with separate default gateways, or even allowing exactly the same IPs to be used for more than one object (so a VS in one RD can have the same IP as one in a different RD).
So again:
- for traffic incoming to servers in INTERNAL no wildcard virtual servers are necessary
- those are only necessary for traffic initiated by internal servers
- VS and SNAT objects can be enabled on VLAN(s) so they will only accept traffic from the given VLAN - blocking inter-VLAN communication
- RDs can be used to completely separate network configs on one device.
Well, hope it makes sense and I avoided any serious mistakes here
Piotr
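Added here as an illustration of the objects the post talks about; it is not part of Piotr's post and not taken from F5 documentation. Names, VLAN names and addresses are made up (RFC 5737 ranges), `pool_web_servers` is assumed to already exist, and the property names are bigip.conf/tmsh syntax as I remember it, so treat them as an assumption and compare with a `list ltm virtual` on your own TMOS version.

```tmsh
# Added example, not from the post. 10.10.10.0/24 = internal server
# subnet (VLAN "internal"), 203.0.113.0/24 = external side.

# Upstream routers for outbound traffic; port 0 is shown as "any".
ltm pool pool_upstream_routers {
    members {
        203.0.113.1:any { address 203.0.113.1 }
        203.0.113.2:any { address 203.0.113.2 }
    }
    monitor gateway_icmp
}

# Wildcard Performance L4 VS: all ports, all protocols, accepted ONLY
# on the internal VLAN, so it never touches traffic arriving from other
# VLANs. SNAT automap sources the traffic from the LTM's egress self IP.
# Narrow it to DNS only with "destination 0.0.0.0:53" + "ip-protocol udp".
ltm virtual vs_internal_outbound_any {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    pool pool_upstream_routers
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}

# Alternative: Forwarding (IP) VS, next hop taken from the routing table
# instead of a pool.
ltm virtual vs_internal_forward_ip {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    ip-forward
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}

# Inbound VS for the servers. SNAT at VS level (automap) makes the servers
# see the LTM's internal self IP as source, so replies come back without a
# default-gateway change; the explicit last-hop pool replaces Auto Last Hop
# for returning those replies to the upstream side.
ltm virtual vs_web_inbound {
    destination 203.0.113.80:443
    ip-protocol tcp
    pool pool_web_servers
    profiles {
        tcp { }
    }
    source-address-translation {
        type automap
    }
    last-hop-pool pool_upstream_routers
    vlans {
        external
    }
    vlans-enabled
}

# Stand-alone SNAT object limited to the internal VLAN: matches by origin
# address only, hence less control than a VS.
ltm snat-translation 203.0.113.10 {
    address 203.0.113.10
}
ltm snat snat_internal_outbound {
    origins {
        10.10.10.0/24 { }
    }
    translation /Common/203.0.113.10
    vlans {
        internal
    }
    vlans-enabled
}

# Route domain with strict isolation and no parent: objects in it are fully
# separated from route domain 0 and may reuse the same IPs.
net route-domain rd_tenant_a {
    id 10
    strict enabled
    vlans {
        internal_tenant_a
    }
}
```

The two wildcard VSs are shown as alternatives for the same VLAN, not for use at the same time; the point of the `vlans-enabled` / `vlans { internal }` lines on every outbound object is that nothing from another VLAN can ever be matched by them, which is the inter-VLAN blocking the post refers to.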