Forum Discussion

santa_111036
Dec 18, 2008

SMTP Load Balancing without SNAT

Hi all,

I am new in this forum and I have a problem with load balancing our SMTP gateways (Ironport).

It is necessary that the Ironport "sees" the original sender IPs. So I created a virtual server on the F5 with the Ironport gateways as members and disabled SNAT.

Now I can send an email which is delivered to the Ironport correctly. But the Ironport is not able to send the email to the destination mail server. Even a ping to the mail server is not possible.

On the Ironport, the virtual server IP of the F5 in the same VLAN is set as the default gateway.

Any hints?

Thanks in advance!

5 Replies

  • Hamish
    Do you have a network virtual server for 0.0.0.0/0.0.0.0 that will forward the outbound connections for you?

    H
  • I don't really understand... sorry, I am an F5 newbie.

    I have created a host virtual server which has the virtual IP of the Ironports.

    For this virtual server I have set the SNAT pool to "none".
  • What Hamish is referring to is the fact that the LTM by default will deny any traffic that is not explicitly allowed. So if the Ironport servers are trying to initiate outbound connections through the LTM as their gateway, there has to be some mechanism to let those packets go outbound through the LTM. The easiest thing to do is to set up the wildcard forwarding virtual server as he described, since normally you don't know what IP address the servers are trying to reach.

    So you would create a new virtual server of type Network, with 0.0.0.0/0.0.0.0, port 0, and change it from Standard to Forwarding (IP). You can also enable it only on the internal VLAN so that traffic is only allowed outbound, not inbound. You will also need to make sure that the LTM's gateway knows how to route traffic back to the Ironport source IPs through the external LTM address.

    Alternatively, you could create a SNAT enabled on the internal VLAN that changes the outgoing source IP to an address on the LTM; then you don't have to worry about the routing back inbound. This may even be required in this instance if the mail servers that the Ironports are connecting to would possibly reject mail that does not appear to be coming from the "correct" IP address according to their reverse DNS lookups.

    Hope this helps,

    Denny
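    The two options Denny describes, written out as tmsh commands. This is an added example, not configuration from the thread or from F5; it assumes a VLAN named "internal" facing the Ironports, an Ironport subnet of 10.10.10.0/24, and 192.0.2.10 as a SNAT address owned by the LTM on its external side.

```tmsh
# Added example, not from the thread. Assumed names: VLAN "internal" (Ironport side),
# relay subnet 10.10.10.0/24, SNAT address 192.0.2.10 owned by the LTM.

# Option 1: wildcard IP-forwarding virtual server. Enabling it only on the
# internal VLAN means it carries connections outbound from the relays and never
# accepts inbound connections arriving on the external VLAN. Restricting the
# source to the relay subnet keeps other hosts on that VLAN from using it.
create ltm virtual vs_outbound_fwd \
    destination 0.0.0.0:any mask any \
    source 10.10.10.0/24 \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { internal }
# With this option the upstream router must have a route for 10.10.10.0/24
# pointing back at the LTM's external self IP, or replies never return.

# Option 2: same forwarding virtual server, but with SNAT so outbound mail
# leaves with an LTM-owned address. No return route for the relay subnet is
# needed, and remote mail servers see (and reverse-resolve) 192.0.2.10.
create ltm snatpool snatpool_mail_out members add { 192.0.2.10 }
modify ltm virtual vs_outbound_fwd \
    source-address-translation { type snat pool snatpool_mail_out }

# Verify: the virtual server should list only "internal" under vlans and
# show ip-forward; a connection from a relay should then appear in the table.
list ltm virtual vs_outbound_fwd
show sys connection cs-client-addr 10.10.10.0/24
```

    If you choose option 2, the PTR record for 192.0.2.10 is what remote mail servers will check, so it should match the HELO name the relays present.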
  • My question is similar to this scenario, but in our case we do not need to know the origin IP address, so we will be doing SNAT automap. The SMTP servers would be operating as an SMTP relay on a DMZ. Internal servers will send their SMTP requests to an F5 virtual IP address which will then load balance between pool members.

    For the outbound request to the destination email server flow as described above, it was our intention to have the SMTP servers simply point at the firewall address as their default gateway and have the firewall NAT to a single public address. This I think will avoid the reverse lookup issue described above. My question is what is "best practice" here? Is there any value added by sending the outbound flow through the F5? Any other issue we need to be aware of in setting up these SMTP relay servers?
  • In your case with the outbound flow, I don't see any value in pushing them back through another LTM before the firewall translates them. The initial LTM has the opportunity to catch/modify anything necessary anyway before hitting your DMZ relays.