Forum Discussion

Kim_Kipp_49723
Sep 17, 2013

Global IP forwarding Feature -> greater v9

Hi,

 

I would like LTM to act as a simple router between 2 VLANs. It should route any traffic such as TCP, UDP, ICMP and any other. I don't care about security because these VLANs are just transfer networks and directly connected to a firewall on each side.

 

Test Setup:

 

                                                           <--publicnet-->            <--WAN-->
Web-Server <--custnet--> FirewallIG <--transnet1--> F5 LTM                 FirewallBG
                                                           <--transnet2-->            <--LAN-->

 

I don't want to use SNAT in that scenario. That's the goal.

 

  • LAN clients should be able to directly connect to Web-Server via FirewallBG, transnet2, F5 LTM, transnet1, FirewallIG, custnet. It should be just routed.

     

  • LAN clients should be able to connect to Web-Server by calling the virtual server IP on publicnet via FirewallBG, publicnet, F5 LTM, transnet1, FirewallIG, custnet. Also there should be no SNAT. The auto last hop feature should be able to handle the incoming request and send the response back to the interface/gateway it came from.

     

  • WAN clients should only be able to connect to Web-Server by calling the virtual server IP on publicnet via FirewallBG, transnet2, F5 LTM, transnet1, FirewallIG, custnet.

     

Is there any solution for that scenario?

 

In my opinion the global IP forwarding feature should be the right one; unfortunately it's not present anymore in versions greater than v9.

 

I'm aware of SNAT, which will solve many issues, such as asymmetric routing, but I would like to have no NAT in between, because of troubleshooting the web server's access list and so on...

 

The Web-Server uses FirewallIG as default route.

 

Thanks...

 

5 Replies

  • No problem. See the 'Emulating Stateless IP Routing' section of SOL7595. Presumably your firewalls can handle security so you'll not need Packet Filters or iRules to limit access between hosts.

     

    Note that if your firewalls are using VRRP auto last hop probably isn't a good idea. I'll see if I can dig out the detail on that for you later.

     

  • Thanks for your reply. I tried this article before; it worked so far, but unfortunately it cannot handle/pass ICMP packets, which is important to me. Do you have any suggestion? The LTM should fully act as a router between these VLANs without any limitations...

     

  • Have you checked the Port Lockdown feature and settings for each VLAN? There shouldn't be any limitations.

     

  • Found a mistake in the Wildcard Virtual Server. I had chosen "TCP" (previously) instead of "* All Protocols". After changing it to all protocols, ICMP was running. Found no further limitations so far. My test scenario is currently running as I want. Just simple further tests, but I don't expect any limitations. THX.
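As an added example (not from any post in this thread and not F5's own text), here is what the working end state described above looks like in tmsh configuration syntax: the stateless-style fastL4 profile from the "Emulating Stateless IP Routing" approach the first reply points to, plus a wildcard IP-forwarding virtual server with "ip-protocol any" (the "* All Protocols" setting the last reply fixed), no address/port translation and no SNAT. The object names fastL4_stateless and fwd_transnet, the VLAN names and v11-style tmsh syntax are assumptions. The forwarder is bound only to the two transit VLANs, so the wildcard does not also pick up traffic arriving on publicnet; as the first reply notes, access control between hosts is left to the firewalls on either side.

```tmsh
# Added example, not from the thread. Object and VLAN names are assumptions.

# fastL4 profile in the spirit of the "Emulating Stateless IP Routing"
# section: accept packets mid-flow (loose-initiation / loose-close) and do
# not send resets when an idle flow times out.
ltm profile fastl4 fastL4_stateless {
    defaults-from fastL4
    loose-initiation enabled
    loose-close enabled
    reset-on-timeout disabled
    idle-timeout 300
}

# The 'before' from the last reply, kept commented out for contrast:
# "ip-protocol tcp" restricts the wildcard forwarder to TCP, so ICMP (and
# UDP) between the transit VLANs is simply never matched and is dropped.
#ltm virtual fwd_transnet {
#    destination 0.0.0.0:any
#    mask any
#    ip-forward
#    ip-protocol tcp
#}

# Corrected forwarder: every IP protocol, no translation, no SNAT, auto last
# hop so replies leave via the gateway the request came from, and listening
# only on the two transit VLANs (vlans-enabled = allow-list of VLANs).
ltm virtual fwd_transnet {
    destination 0.0.0.0:any
    mask any
    source 0.0.0.0/0
    ip-forward
    ip-protocol any
    profiles {
        fastL4_stateless { }
    }
    translate-address disabled
    translate-port disabled
    source-address-translation {
        type none
    }
    auto-lasthop enabled
    vlans {
        transnet1
        transnet2
    }
    vlans-enabled
}
```

After loading (for example with tmsh load sys config merge), "tmsh show ltm virtual fwd_transnet" should show the forwarder available; if ICMP still fails, the first thing to re-check is that "ip-protocol" reads "any" rather than "tcp", and that the VLAN port lockdown mentioned in the third reply is not filtering the self IPs on transnet1 and transnet2.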