ecce
Nov 02, 2016

Can a VS redirect traffic away from itself?

Hi,

First post, be nice. ;)

 

Let's say an F5 appliance is proxying a couple of web servers on IPv4 address A. If there is an incoming request addressed to that IP, is it possible to redirect that traffic away from the appliance to a specified next-hop?

 

I know it sounds weird. The idea is to have ONE F5 appliance acting as both external and internal appliance, with a firewall in the middle. An external request to IP A should be redirected to the firewall; if it passes the checks there, it returns to the F5 on another interface. THEN it should be delivered to the service connected to IP A.

 

I'm new to F5. I did a quick lab and could not get it to work; it does not forward traffic aimed at itself out an interface. But I've got about 4 days' experience, and I'm under a bit of pressure to get this sorted out.

 

Thanks.

 

2 Replies

  • Can you provide a diagram for better understanding?

     

    You are probably looking to implement some kind of route-domain setup if you want traffic to come back, or maybe this could be of help.

     

  • If you only have the single F5 (or a single HA pair), then the best way to do this will be to set up two partitions, each with a unique routing group set as the default for the partition.

     

    One partition will be for "Internal", and the other "External". Using strict isolation you can prevent the routing groups from passing traffic between each other, thus forcing traffic to pass through the firewall.

     

    As an example, traffic hitting an external VIP would be proxied by a self IP in the external routing group. This IP, not having a direct route to the internal IP (VIP or otherwise), will be forced through the default gateway of that routing group (or a static route), which could be your firewall, or a router employing a firewall IPhelper.
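
A tmsh sketch of the two-partition layout described in the reply above, added here as an example and not taken from either poster. It assumes the "routing groups" are BIG-IP route domains, that the four VLANs already exist in /Common, and every name, route-domain ID and address below is a constructed placeholder.

```tmsh
# Assumed topology (all values constructed for illustration):
#   vlan_ext         203.0.113.0/24  Internet side, VIP "A" = 203.0.113.10
#   vlan_fw_outside  10.10.1.0/24    F5 -> firewall outside interface 10.10.1.1
#   vlan_fw_inside   10.20.2.0/24    firewall inside interface 10.20.2.1 -> F5
#   vlan_servers     10.30.0.0/24    real web servers

# Two route domains with strict isolation, so a lookup in one domain can
# never resolve through the other; the only path between them is the firewall.
create net route-domain rd_external id 1 strict enabled vlans add { vlan_ext vlan_fw_outside }
create net route-domain rd_internal id 2 strict enabled vlans add { vlan_fw_inside vlan_servers }

# One partition per side, each defaulting to its own route domain.
create auth partition External default-route-domain 1
create auth partition Internal default-route-domain 2

# Self IPs (the %N suffix pins the address to a route domain).
create net self /External/self_ext        address 203.0.113.5%1/24 vlan /Common/vlan_ext        allow-service none
create net self /External/self_fw_outside address 10.10.1.5%1/24   vlan /Common/vlan_fw_outside allow-service none
create net self /Internal/self_fw_inside  address 10.20.2.5%2/24   vlan /Common/vlan_fw_inside  allow-service none
create net self /Internal/self_servers    address 10.30.0.5%2/24   vlan /Common/vlan_servers    allow-service none

# External side has no connected route to the internal VIP network,
# so it is sent to the firewall's outside interface.
create net route /External/to_internal_vips network 10.20.2.0%1/24 gw 10.10.1.1%1

# Internal side returns traffic toward the external self IP via the firewall.
create net route /Internal/to_external_selfs network 10.10.1.0%2/24 gw 10.20.2.1%2

# External VIP "A": its only pool member is the INTERNAL VIP, reached through
# the firewall. SNAT automap sources the flow from self_fw_outside.
create ltm pool /External/pool_via_fw members add { 10.20.2.10%1:80 }
create ltm virtual /External/vs_A_external destination 203.0.113.10%1:80 ip-protocol tcp profiles add { tcp http } pool /External/pool_via_fw source-address-translation { type automap }

# Internal VIP: receives what the firewall permitted and balances to servers.
create ltm pool /Internal/pool_web members add { 10.30.0.11%2:80 10.30.0.12%2:80 }
create ltm virtual /Internal/vs_A_internal destination 10.20.2.10%2:80 ip-protocol tcp profiles add { tcp http } pool /Internal/pool_web source-address-translation { type automap }
```

The firewall policy then needs to permit only 10.10.1.5 to 10.20.2.10:80; checking that `vs_A_external` stops passing traffic when that rule is disabled confirms nothing bypasses the firewall inside the appliance.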