Forum Discussion

panos_101277
Jun 17, 2008

Have a series 9 BigIP do switching instead of SNAT

Hi,

I've been trying to find a way to get a series 9 (9.4.4) BigIP to do switching instead of nat so that requests to servers come from the real originating IP and not the load balancer's IP.

This is not a problem for web servers as we can insert the IP in the x-forwarded-for header but we also need it for everything else, more importantly ftp and mail servers.

I have tried turning off snat/nat in the pool and virtual server, address translation etc but I then don't get a response back from the server (they are already using the LB as their default gateway).

Is there a way to do this?

Thanks.

Regards,

Panos

7 Replies

  • Hi Panos,

    LTM preserves the client's source IP without SNAT. So if you turn off SNAT and don't get a response back from the server, the most likely explanation is that the servers either do NOT have their default gateway set as the LTM, or they have some other route to get back to the client address (2nd NIC, static route, etc) and are bypassing their default gateway.

    You can troubleshoot this by using tcpdump on the LTM's command line:

    tcpdump -i <interface> host <server address>

    will show you the traffic flow to and from that particular host, so you can see whether traffic is going to that server from LTM and whether or not it returns. You can use other filters (port, protocol, etc) to refine the tcpdump statement if you need to (type man tcpdump for a list of all the options).

    Denny
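To make the check Denny describes concrete, here is an added Python example (not from the thread, and not F5's own tooling) that reads saved tcpdump output and reports client flows toward the server that never get a reply through the LTM, plus any flows that still arrive from an LTM self IP, which would mean SNAT is still in effect. The sample lines, the server address 10.0.0.20 and the self IP 10.0.0.5 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "tcpdump -i <vlan> host 10.0.0.20" output (not from the
# thread). 203.0.113.x are clients, 10.0.0.20 the pool member, 10.0.0.5 an LTM
# self IP that would appear as source only if SNAT were still in effect.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.10.51000 > 10.0.0.20.80: Flags [S], seq 1, win 5840
12:00:01.000500 IP 10.0.0.20.80 > 203.0.113.10.51000: Flags [S.], seq 2, ack 2, win 5792
12:00:02.000001 IP 203.0.113.11.40001 > 10.0.0.20.21: Flags [S], seq 1, win 5840
12:00:05.000001 IP 203.0.113.11.40001 > 10.0.0.20.21: Flags [S], seq 1, win 5840
12:00:06.000001 IP 10.0.0.5.33000 > 10.0.0.20.25: Flags [S], seq 1, win 5840
12:00:06.000400 IP 10.0.0.20.25 > 10.0.0.5.33000: Flags [S.], seq 2, ack 2, win 5792
"""

# "src.port > dst.port:" as tcpdump prints it for IPv4 TCP/UDP
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flows(text):
    """Count packets per one-way 4-tuple (src, sport, dst, dport)."""
    flows = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows[(src, int(sport), dst, int(dport))] += 1
    return flows


def unanswered_flows(flows, server_ip):
    """Client->server flows with no packet seen coming back through the LTM,
    i.e. the server's reply is taking another path (gateway or second route)."""
    return sorted(
        (src, sport, dport, n)
        for (src, sport, dst, dport), n in flows.items()
        if dst == server_ip and (dst, dport, src, sport) not in flows
    )


def snat_sources(flows, server_ip, self_ips):
    """Source addresses toward the server that are LTM self IPs, i.e. SNAT'ed."""
    return sorted({src for (src, _, dst, _) in flows if dst == server_ip and src in self_ips})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for src, sport, dport, n in unanswered_flows(flows, "10.0.0.20"):
        print(f"no reply to {src}:{sport} -> 10.0.0.20:{dport} ({n} packets)")
    print("still SNAT'ed from:", snat_sources(flows, "10.0.0.20", {"10.0.0.5"}))
```

Run it against a capture saved with `tcpdump -n` so addresses are not resolved to names; the regex expects numeric IPv4 addresses and ports.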

  • Hi Denny,

    Thanks for the reply - I will test this again in the morning with tcpdumps but just to clarify:

    By turning off snat you mean both on the virtual server and the pool that the virtual server uses correct?

    I am positive that the servers have the LTM as their default gateway with no other routes they can use to get to the client ip.

    That was my initial guess also, that turning off snat would do what I want and was very confused when it didn't work.

    Panos
  • I'm not sure where you are seeing an option for configuring SNAT on the pool, (other than disabling it), the actual configuration is on the virtual. Unless there's a new option in 9.4.4 that I haven't noticed yet...

    Anyway, you want to make sure there are no global SNATs defined under the SNAT tab, and then, under Advanced on the virtual server, that SNAT Pool is set to None.

    You don't want to disable address translation though (the virtual still needs to translate the destination address from itself to the pool member). So that should remain checked.

    Then hopefully tcpdump can give you some more clues if that's still not working.

    Denny

  • Hi again,

    Well, I got it working with SNAT off, but the problem now is: how do you get the BigIP to act as a gateway if you don't define a default SNAT for the external VLAN? Because right now, unless there's a SNAT defined and bound to the external VLAN, the clients which have the BigIP as their default gateway don't get internet access, i.e. they don't get a response back from any destination IP routed through the BigIP.

    Any ideas?
    Hamish
    Are you talking connections into the servers from external, or connections being initiated by the servers?

    Easiest way is to ensure that all traffic passes through the F5...

    However, if you get creative you can ensure that outbound connections from servers to external, where only the packets from external to internal pass through the F5, work by using loose open/loose close in the protocol (TCP/SCTP/UDP/Either) profile on the VS that is hit for the return traffic... (Otherwise the packets get dropped because they're not following the usual SYN/SYNACK/ACK sequence).

    The other thing to watch for is asymmetric routing... Asymmetric routing doesn't work on F5 unless you disable the PVA (and it also requires a setting in the DB, IIRC).

    H
  • Do you have a forwarding virtual server defined? BIG-IP is a default deny box, just like a firewall, so if you aren't specifically allowing traffic to pass, then it won't.

    So if you want to allow the servers to initiate outbound connections without a SNAT, you need a forwarding virtual server. I typically use a wildcard one (0.0.0.0:0 - type IP forwarding - all protocols) because you don't know what the destination networks might be. You can enable it only on the internal VLAN if you don't want outside traffic to be forwarded inbound (or leave it enabled on all VLANs if you do).

    You also need to make sure that whatever BIG-IP's gateway is knows how to route back to the network that's behind BIG-IP, since BIG-IP will be preserving the server's source IP when it forwards traffic outbound. Typically that would be a static route to the internal network pointing to the BIG-IP's external floating address (for a redundant pair).

    Denny
  • I should also add that you could just add a global SNAT that is only enabled on the internal VLAN, so that only outbound connections are SNAT'ed. I just typically favor the forwarding/routing approach because it usually makes server admin easier.

    Denny