Tom,
I just solved for a similar issue in my environment. I added the below iRule like Tom suggested to my Forwarding IP (also below) that sends traffic out of the private VLAN (your VLAN10). I used the IP instead of MAC for nexthop since the default gateway of my LTM is an HSRP router pair. This PBR (policy-based-routing) iRule was the best answer for us because I have about 7 directly connected VLANs. These are used for 2-arm SNAT configurations to servers that exist on routed subnets that most of our LB traffic uses. Now tcpdumps show my traffic flows entering/leaving my private VLAN symmetrically and using the routed network even for directly-connected VLANS.
My private VLAN is only used when my application guys MUST have the clients' true IP. It is not part of my routed network. To allow for management and non-load-balanced traffic I am distributing a static route to this VLAN from the same routers that the LTM use as its default gateway. This worked fine until a private VLAN host needed to talk to a locally connected VLAN or the traffic flow crossed a firewall. My forwarding VS is only listening on the private VALN and has the private VLANs source subnet defined so it will only apply to traffic leaving host in that VLAN.
Forwarding IP vs:
ltm virtual vsfwd_LTM-ServerLAN_out {
description "Wilcard virtual server to allow LTM-ServerLAN traffic out to routed network"
destination 0.0.0.0:any
ip-forward
mask any
profiles {
pr_LTM-ServerLAN_out_fastL4 { }
}
rules {
ir_routed-traffic-nexthop
}
source 10.1.1.0/24
source-port preserve-strict
translate-address disabled
translate-port disabled
vlans {
*{Private-LAN}*
}
vlans-enabled
vs-index 30
}
iRule:
ltm rule ir_routed-traffic-nexthop {
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
nexthop *{external VLAN with gateway}* 10.2.2.1
}
}
}
Nimbostratus
