Notice: Trying to access array offset on value of type null in /var/www/empirion/wp-includes/class-wp-block-supports.php on line 94
Notice: Trying to access array offset on value of type null in /var/www/empirion/wp-includes/class-wp-block-supports.php on line 96
f5 Default Gateway
This article walks through how to configure an f5 default gateway for your internal (or external!) machines.
Often, SNAT automap, a SNAT address or SNAT pool is used to essentially “hide NAT” the incoming packet behind the BigIP which will mean that the server will reply directly back to it; this doesn’t work or isn’t wanted for some environments though.
If the packet is passed through the f5 and still contains its original (internet routable) client source IP then the back-end server will send its reply to the default gateway and if this *isn’t* the BigIP then we will have asymmetric routing which is never pleasant at the best of times. This is therefore an example scenario where using the f5 as a default gateway would be convenient.
This is actually a “Forwarding (IP)” Virtual Server which will listen on all Self IPs but you can (and most certainly should) lock this down on a VLAN basis for security.
- Name your virtual server, in this case “s_gateway”
- Specify a source address – this is optional but if you leave it blank it will default to 0.0.0.0/0 meaning it will accept connections from ALL IP addresses whether internal or external. As this is a MAJOR SECURITY RISK you should lock it down to the subnets you want to accept connections from, in this case we have used “10.5.5.0/24” – connections from all other address ranges will be silently dropped
- Destination – you can lock this down to a specific network but for a default gateway we want to allow everything so this is “0.0.0.0/0”
- Set ports to “*” to accept connections to any port.
- Unless you only wat to allow TCP & UDP, drop the Protocol menu down and choose “All Protocols”
- Select the VLANs you want to enable this on (optional)
- Enable SNAT Automap – this essentially hides connections behind the BigIP -you could also use a SNAT pool or address