SRX Services Gateway

Forwarding traffic to F5

03-03-2013 03:17 AM

Hi all,
I'm trying to lab up this http://www.scottyob.com/pub/Untitled-15-20130303-211854.jpg such that only traffic that should be load balanced hits the F5.  I'm trying to avoid SNAT using filter based forwarding.  So far I've come up with the following config: http://pastebin.com/pRwAkCcN 
HTTP traffic to the VIP address on the F5 1.1.1.10 gets re-written then sent to my back-end web-server 1.2.3.4.  I can see the web server receiving the packet from the external host 10.69.69.10 then I can see replies attempted to be sent back.  Running tcpdump on the F5, it never gets the packets from 1.2.3.4 so never gets a chance to replace the destination address.  Instead I get the following errors in my trace http://pastebin.com/TyvMAVJw
I'm pretty new to this policy based routing so I'm having a hard time trying to decipher why it's dropping those packets instead of forwarding them to the next-hop 1.1.1.2 (the F5).  Help would be much appreciated here 🙂
Thanks,

Scotty O'Brien


Re: Forwarding traffic to F5

03-04-2013 06:32 AM

Hi Scotty,
Seems relatively simple - issues I can see:
  1. Your firewall filter should reference TCP source port, as that's what it will see on the return traffic (i.e. the traffic from the client/F5 to the web server has a destination port of 80, the return traffic has a source port of 80):

    firewall {
        filter f5-forwards {
            term HTTP {
                from {
                    protocol tcp;
                    source-port 80;
                }
                then {
                    routing-instance F5;
                }
            }
            term accept {
                then accept;
            }
        }
    }
    The rest of the firewall filter looks fine.
  2. Your routing instance looks fine but I'm not 100% sure what you're trying to do with the policy options. The normal way of doing FBF is with a rib group to share the interface routes with the forwarding instance (if you don't do this it can't resolve the next hop):
    routing-options {
        interface-routes {
            rib-group inet fbf-rib;
        }
        rib-groups {
            fbf-rib {
                import-rib [ inet.0 F5.inet.0 ];
            }
        }
    }
    You shouldn't then need any of the policy-options hierarchy.
    The only problem with this is if your clients are directly connected to the subnet on fe-0/0/0.0 - importing all the interface routes above will mean we have a connected route to the client which will override the static route. To overcome this we can selectively import interface routes by keeping the configuration above and adding an import policy to fbf-rib:

    policy-options {
        policy-statement f5-connected-only {
            term 1 {
                from {
                    route-filter 1.1.1.0/24 exact;
                }
                then accept;
            }
            term 2 {
                then reject;
            }
        }
    }
    You then need to apply this to fbf-rib and you should be good. I think this is what you're trying to do with policy-options in your config. You can see if it's working by running show route - your F5 instance should show a direct route and a static route.

Hope that helps!
Gavin

JNCIE-SEC #47, JNCIS-ENT, JNCIS-SA, JNCIS-AC, JNCIA-IDP, JNCIA-FWV
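As an added check (example code written here, not from the thread or from Juniper): a small parser for Junos curly-brace config and two assertions on the points made in the reply above, that the filter matches the return traffic by TCP source port 80 and that the rib-group leaks interface routes into F5.inet.0 so the static next hop resolves. The names f5-forwards, F5 and fbf-rib come from the reply; the config string is constructed.

```python
# Added example, not code from the thread or from Juniper: a minimal parser for
# Junos brace-style config plus checks for the two FBF points made in the reply.
import re

# Constructed config mirroring the reply's corrected filter and rib-group.
CFG = """
firewall { filter f5-forwards {
    term HTTP { from { protocol tcp; source-port 80; } then { routing-instance F5; } }
    term accept { then accept; } } }
routing-options {
    interface-routes { rib-group inet fbf-rib; }
    rib-groups { fbf-rib { import-rib [ inet.0 F5.inet.0 ]; } } }
"""

def parse_junos(text):
    """Nested dicts from Junos config; leaves map to their value string."""
    tokens = re.findall(r'\[[^\]]*\]|[{};]|[^\s{};]+', text)  # [ a b ] stays one token
    root, stack, words = {}, [], []
    node = root
    for tok in tokens:
        if tok == '{':                       # open a block named by the words so far
            key = ' '.join(words)
            stack.append(node)
            node, words = node.setdefault(key, {}), []
        elif tok == ';':                     # leaf: first word is key, rest is value
            node[words[0]], words = ' '.join(words[1:]), []
        elif tok == '}':
            node = stack.pop()
        else:
            words.append(tok)
    return root

def return_traffic_terms(cfg, filter_name):
    """[(term, instance)] for terms steering TCP source-port-80 packets (replies) into an instance."""
    flt = cfg.get('firewall', {}).get(f'filter {filter_name}', {})
    hits = []
    for key, term in flt.items():
        frm, then = (term.get('from', {}), term.get('then', {})) if isinstance(term, dict) else ({}, {})
        if (frm.get('protocol') == 'tcp' and frm.get('source-port') == '80'
                and isinstance(then, dict) and 'routing-instance' in then):
            hits.append((key.split()[1], then['routing-instance']))
    return hits

def rib_group_shares_interface_routes(cfg, instance):
    """True when a rib-group leaks interface routes into <instance>.inet.0 (next hop resolves)."""
    ro = cfg.get('routing-options', {})
    words = ro.get('interface-routes', {}).get('rib-group', '').split()  # ['inet', 'fbf-rib']
    group = ro.get('rib-groups', {}).get(words[-1] if words else '', {})
    return f'{instance}.inet.0' in group.get('import-rib', '').strip('[] ').split()
```

Swapping source-port for destination-port in the filter makes the first check return nothing, which is the mistake the reply describes.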

Re: Forwarding traffic to F5

03-04-2013 01:38 PM

Hi Gavin,
Getting closer I think.  Playing with tcpdump I still might be a bit lost on how this filter works.  The docs seem to say it's by packet, but I'm thinking it might be per flow or session perhaps?  Now if a request is made to the VIP IP 1.1.1.10, the Big-IP F5 will replace the destination IP with 1.2.3.4 and forward the connection on, but instead of the responses coming back through the F5, they get sent right back to userland from 1.2.3.4.
I've been playing with this config to test, that is, any packets that come from the web servers get re-routed to the F5 (where I should see them with tcpdump).  If I ping from userland directly to the webserver (1.2.3.4), the ICMP responses come back through fine and never touch the F5; however, if I initiate the pings from the webservers to userland (1.2.3.4->10.69.69.10) then the ICMP requests will be re-routed to the F5.
Thanks for your help so far, I can see how it works now when I do a "show route".  Always learning 🙂


Re: Forwarding traffic to F5

03-04-2013 03:21 PM

You are right, this is per packet.  Moving the filter from "input" from the webservers and to "output" back to userland seems to do the trick.
My final config is at http://paste2.org/p/3045149 🙂


Re: Forwarding traffic to F5

03-05-2013 06:44 AM

Hi Scotty,
For the user sessions that are being controlled here, does the user initiate a session to the F5 Virtual Server IP or to the Web Server IP that you then bend into the F5 using the routing instance?
I thought the user traffic went straight to the F5 VS and you only needed FBF for the return traffic, but in your latest config you're using FBF to send the initial session to the F5 as well, which makes me think the user initiates a session to the real web server and the F5 is configured with a network VS? That might explain the behaviour, as your session table might be messed up in that case.
Gavin

JNCIE-SEC #47, JNCIS-ENT, JNCIS-SA, JNCIS-AC, JNCIA-IDP, JNCIA-FWV