So far in this course we have used F5 BIG-IP as a load balancer, but it can also be configured as a gateway, giving the servers behind it access to the Internet and other networks through the BIG-IP device.
This can be configured using an IP forwarding virtual server.
F5 as a Gateway/NAT device
During the course we always used F5 BIG-IP as a load balancer. In other words, clients on the Internet connect to the BIG-IP virtual IP, and BIG-IP forwards each request to the appropriate server according to the load balancing algorithm.
In this lesson we want to learn how to use F5 as a gateway.
In other words, the servers’ gateway points to the F5 BIG-IP, and they can connect to other networks and the Internet through the routing and NAT capability of the F5 BIG-IP device.
To use F5 as a gateway, we use an IP forwarding virtual server in the BIG-IP configuration.
F5 IP Forwarding Virtual Server Example
Before we start configuring F5 as a gateway, let’s first make sure that routing through F5 doesn’t work by default.
If you remember, our F5 BIG-IP has two main interfaces: “internal” with IP address “192.168.10.1” and “external” with IP address “192.168.1.186”.
I have a virtual machine connected to the internal interface of BIG-IP with an IP address in the subnet 192.168.10.0/24 and its gateway set to 192.168.10.1, which points to the F5 BIG-IP.
When we try to connect to the Internet or other networks via F5 BIG-IP, the connection is not established.
In order to connect to the Internet via F5 BIG-IP, in addition to routing, NAT must also be configured.
Therefore, I first configure a NAT pool that must be used in the IP forwarding virtual server.
Here I configure a NAT pool with two IP addresses in the F5 external subnet.
To route traffic through F5 BIG-IP, we need to configure a virtual server of type “Forwarding (IP)”. So far we have always used the “Standard” virtual server type, which is used for load balancing.
In the “Source Address” section, we configure the subnet that is allowed to forward traffic through F5 BIG-IP.
In the “Destination Address/Mask” section, we configure “0.0.0.0/0” because the servers behind F5 BIG-IP want to connect to the Internet.
In the “Service Port” and “Protocol” sections, we select “All Ports” and “All Protocols” since we do not want to limit the servers’ Internet connectivity.
We limit the VLAN that is allowed to connect to the Internet to “internal”.
And finally, we enable “Source Address Translation” to translate the traffic to the addresses configured in the NAT pool.
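The following is an added example, not part of the original lesson or of F5's tooling: a Python check over a saved configuration in bigip.conf stanza style that confirms each Forwarding (IP) virtual server keeps the three restrictions configured above (source subnet, VLAN, SNAT pool). The sample configuration, the virtual server names and the SNAT pool name are constructed for illustration.

```python
import re
# Constructed sample in bigip.conf stanza style (assumption: not the page's device).
SAMPLE_CONF = """\
ltm virtual /Common/vs_gateway {
    destination /Common/0.0.0.0:0
    ip-forward
    source 192.168.10.0/24
    source-address-translation {
        pool /Common/snat_pool_internet
        type snat
    }
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/vs_forward_open {
    destination /Common/0.0.0.0:0
    ip-forward
    source 0.0.0.0/0
}
ltm virtual /Common/vs_web {
    destination /Common/192.168.1.200:80
}
"""

def stanzas(conf, kind="ltm virtual"):
    """Yield (name, stripped body lines) for each top-level stanza of `kind`."""
    for m in re.finditer(rf"^{kind} (\S+) \{{$", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), [l.strip() for l in conf[m.end():i - 1].splitlines()]

def audit_forwarding(conf):
    """Return {virtual: [findings]} for every Forwarding (IP) virtual server."""
    report = {}
    for name, lines in stanzas(conf):
        if "ip-forward" not in lines:
            continue  # Standard (load-balancing) virtual server, out of scope
        src = [l for l in lines if l.startswith("source ")]
        checks = [
            (src in ([], ["source 0.0.0.0/0"]), "any source address is forwarded"),
            ("vlans-enabled" not in lines, "listens on all VLANs"),
            ("type snat" not in lines, "no SNAT pool translation"),
        ]
        report[name] = [msg for failed, msg in checks if failed]
    return report
```

An empty findings list means the virtual server matches the lesson's setup; `vs_forward_open` shows what the report looks like when the source, VLAN and SNAT settings are left at their defaults.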
Now we can check the connectivity of the servers behind the F5 device again.
As expected, connectivity is now possible via the F5 BIG-IP device.
It is also possible to monitor the new IP forwarding virtual server through LTM module statistics, which displays traffic and connection statistics managed through the virtual server.
It is also recommended to monitor SNAT translation using LTM module statistics to ensure that NAT is also working properly.
The output shows how many bits, packets and connections are translated to each address configured in the SNAT pool.