Forum Discussion

yammy1688_99834
Feb 02, 2011

Dedicated firewall interfaces for each pool, LTM config?

I'm putting the LTM in an environment where we have dedicated firewall (FWSM) interfaces (along with corresponding ACLs) for each pool/farm and require that all traffic for a given farm flows through its respective firewall interface.

I've tried using VLAN groups and keeping the firewall interface and pool members in separate VLANs, but it just doesn't seem that reliable? I'm running into a situation right now whereby the modified (translucent) MAC address advertised by the LTM for a particular pool shows up on both the pool and firewall VLANs, preventing access to the servers directly. The virtual IP and self-IPs ping fine, however. Any ideas on what could cause this?

I've resorted to keeping everything in the same VLAN and SNATing. However, I'm wondering if it is possible to see the client IPs on the servers using this method?

Thanks,

-Ken

3 Replies

  • Hamish
    Ahh... Took me a few times through the question to understand what you're trying to do. You're trying to run it as a transparent (bridge) device? Correct?

    I'm not even sure that's possible... (Although VLAN groups are a method of bridging two VLANs, I've never had a great deal of luck. Mainly because broadcasts don't seem to be forwarded. Although that may have been the version I was using).

    Why don't you simply run it as a router? Then it becomes a lot easier. I run mine with 3 main interfaces: 1 for VSs, 1 (or more) for backend servers, and 1 for plain routing to/from backend servers. Each is a different subnet. Traffic to the VSs is routed via the VS VLAN. Traffic to servers is routed via the 'routing' VLAN. Traffic FROM servers either follows auto last-hop or, if initiated there, there is a default network VS that sends it via the next-hop gateway on the 'routing' VLAN. You can firewall backends from each other by ensuring there's no network VS that forwards between server VLANs (the default would be the FWSM SVI itself).

    H
  • You could use XFF so the endpoint servers can see the real client IP address.

    https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12264.html?sr=12488278

    This data is also available via the CLI on the LTM:

    bigpipe conn show all | more

    HTH,

    Roger

  • Posted By rcheeks on 02/02/2011 04:02 PM

    You could use XFF so the endpoint servers can see the real client IP address.

    https://support.f5.com/kb/en-us/solutions/public/12000/200/sol12264.html?sr=12488278

    This data is also available via the CLI on the LTM:

    bigpipe conn show all | more

    HTH,

    Roger

    Hi Roger,

    We have a separate subnet per pool and each subnet has a dedicated firewall interface along with associated access-lists. Due to this I cannot use the LTM as the gateway without using some trickery like source-based routing.

    I just went ahead with a one-armed config. Makes everything a lot simpler.
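With Ken's one-armed SNAT setup, the servers only ever see the LTM's SNAT address as the TCP peer, so Roger's X-Forwarded-For (XFF) suggestion is the way the real client IP reaches them. The catch on the server side is that XFF is just a request header: a client can send its own copy, and if the LTM adds a header of the same name there can be several values in one request. The following is an added example, not code from this thread or from F5, of the check a backend should apply before logging or authorizing on that address: trust XFF only when the request actually came from the LTM, and then use the rightmost value, which is the one the LTM added from the connection it saw. The SNAT address 10.10.10.5, the sample request, and the function names are constructed for the example.

```python
import ipaddress

# Constructed assumption: the LTM's SNAT address as seen by the pool members.
# Only requests arriving from this peer carry an X-Forwarded-For we can rely on.
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.10.5")}


def parse_xff_headers(raw_request):
    """Return every X-Forwarded-For header value in the request, in order.

    A server can receive more than one header with this name (the client's
    own plus the one the load balancer inserts), so all of them are kept.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == "x-forwarded-for":
            values.append(value.strip())
    return values


def client_ip_from_request(peer_addr, xff_headers):
    """Decide which address to treat as the client.

    peer_addr   : the TCP peer (with SNAT this is the LTM's SNAT address)
    xff_headers : list of X-Forwarded-For values as returned by parse_xff_headers
    Returns an ipaddress object; falls back to the peer whenever XFF cannot be trusted.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Did not come through the LTM: any XFF present was supplied by the
        # sender and must be ignored.
        return peer

    # Flatten "a, b" lists and multiple headers into one ordered hop list.
    hops = []
    for value in xff_headers:
        hops.extend(item.strip() for item in value.split(",") if item.strip())
    if not hops:
        # LTM did not insert the header (e.g. XFF insertion not enabled).
        return peer

    # The trusted proxy adds the address it actually saw as the LAST element;
    # everything before it came from the client or earlier hops and may be spoofed.
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer


def resolve_client(peer_addr, raw_request):
    """Convenience wrapper: raw request text in, client address out."""
    return client_ip_from_request(peer_addr, parse_xff_headers(raw_request))


# Constructed sample request: the client sent a forged X-Forwarded-For, and the
# LTM added a second header carrying the address it really saw.
SAMPLE_REQUEST = (
    "GET /app HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "X-Forwarded-For: 1.2.3.4\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(resolve_client("10.10.10.5", SAMPLE_REQUEST))   # 203.0.113.7, the LTM's value
    print(resolve_client("192.0.2.9", SAMPLE_REQUEST))    # 192.0.2.9, XFF ignored
```

The same rule applies if the HTTP profile appends to an existing header instead of adding a new one: the comma-separated list is flattened and the last element is still the one the LTM contributed. If a second trusted proxy sits in front of the LTM, add it to TRUSTED_PROXIES and walk the hop list from the right, skipping trusted addresses, rather than taking the last element blindly.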