F5 Forwarding IP VS fun…

I have been recently spending lots of time with our F5 BIG-IP 2000s. We have been working on deploying a new private network behind the F5 with nodes that admins would like to access directly from their secure admin workstations. Our current setup has the nodes behind the load balancers using basic virtual servers that forward traffic from external routable IPs to internal non-routable IPs. Therefore I would need to create multiple VSs, one per node that the admins wanted to access. That would be a lot of VSs.

There are a few other clever ways to get around this, well maybe not necessarily clever. The first is using a jump server: the admins would access one VS that forwards to one pool with a single member in it, and from that “jump” server they could then reach the other private nodes. The other option would be adding another NIC to the admin workstations and putting that NIC on the same VLAN that the private nodes sit on. Neither of these is a great idea.

I therefore convened with an F5 tech guru and passed this idea by him. Could I have a router with a routed interface within the F5 private VLAN that holds the F5 private nodes? I could then take the private non-routable network and make it routable, protected by an ACL on the router. The nodes would still point to the F5 as their default gateway. When an admin workstation communicates with a node, it would send the traffic through the router, and the router would forward the packets to the node. The issue then lies with the node sending the return traffic back to the F5, because the F5 is its default gateway, and that asymmetric path creates issues. I found out from the tech that there’s a way to get this to work by using an IP forwarding VS that listens on the F5 private VLAN.

You will first need to make sure that your current nodes are not covered by a SNAT, as a SNAT and an IP forwarding VS configured on the same interface don’t work together: the SNAT takes precedence over the IP forwarding VS. Within the VS, the source network would be the private node network and the destination would be the network where the secure admin workstations sit, which is reachable through the router that I placed on the private node VLAN. Now, in order to get the F5 to forward to the router on the private node VLAN instead of using its own routing table, you have to create an iRule and attach it as a resource to the Forwarding (IP) VS. Here’s the iRule syntax:

when CLIENT_ACCEPTED {
    # Only traffic sourced from the private node network is redirected
    if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
        # Bypass the F5 routing table: send the flow out the internal VLAN
        # to the router that fronts the admin workstation network
        nexthop internalvlannum 10.1.1.254
    }
}

The 10.1.1.0/24 is the internal private node network that sits on the F5. The 10.1.1.254 address is the interface of the router that’s sitting on the F5 private node network. This iRule forwards the traffic to the router instead of letting the F5 forward it according to its routing table. You also have to assign a protocol profile (client) of type Fast L4 to the Forwarding (IP) VS, with Loose Initiation and Loose Close enabled, to allow the TCP packets to flow correctly.
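To show how the pieces above fit together as one configuration, here is an added example in bigip.conf / tmsh syntax that is not from the original post (load it with `load sys config merge from-terminal` or from a file). The node network 10.1.1.0/24, the router address 10.1.1.254 and the VLAN name `internalvlannum` are the author’s values; the admin workstation network 10.50.0.0/24 and the object names `fastL4_fwd_loose`, `fwd_to_admin_router` and `vs_fwd_nodes_to_admin` are assumptions made for this example. The virtual server is scoped by both source and destination so that only node-to-admin-network flows are handed to the router; everything else the nodes send still follows the F5 routing table, and SNAT is explicitly disabled on the VS because, as noted above, a SNAT on the same interface would take precedence.

```tmsh
# Fast L4 profile with loose initiation and loose close, so the F5
# accepts mid-stream TCP segments it did not see the handshake for
ltm profile fastl4 fastL4_fwd_loose {
    defaults-from fastL4
    loose-initialization enabled
    loose-close enabled
}

# iRule: override the routing table for traffic sourced from the
# private node network and hand it to the router on the same VLAN
ltm rule fwd_to_admin_router {
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
            nexthop internalvlannum 10.1.1.254
        }
    }
}

# Forwarding (IP) virtual server listening only on the private node VLAN.
# Source: node network (author's value). Destination: admin workstation
# network (assumed 10.50.0.0/24). Any port, any IP protocol.
ltm virtual vs_fwd_nodes_to_admin {
    destination 10.50.0.0:any
    mask 255.255.255.0
    source 10.1.1.0/24
    ip-protocol any
    ip-forward
    profiles {
        fastL4_fwd_loose { }
    }
    rules {
        fwd_to_admin_router
    }
    # No address/port translation and no SNAT: the node's real address
    # must reach the router unchanged, and a SNAT would shadow this VS
    translate-address disabled
    translate-port disabled
    source-address-translation {
        type none
    }
    vlans {
        internalvlannum
    }
    vlans-enabled
}
```

After loading, `show ltm virtual vs_fwd_nodes_to_admin` should show packets and connections climbing only when a node answers an admin workstation; if the counters stay at zero while the admin session hangs, check that the nodes are not still matched by a SNAT object and that the VS is enabled on the node VLAN rather than on all VLANs.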