Reverse nPath implementation
Here is my scenario:
All our web servers and application servers behind our LTM 4000 need some access to the outside world. We would rather control that outside access via our firewall. The BIG-IP seems not to have the fine-grained access control we want. So I am reading into reverse nPath scenarios, where all traffic destined to the F5, as the gateway, would be forwarded to the firewall interface on the same subnet. The firewall would route/NAT/forward/etc. the traffic, and you would end up with a little bit of asymmetric routing. But this shouldn't be a bad thing in this situation. It would allow us not to have to run local routes on each machine, and not to have to worry about the F5 acting as a firewall for outbound connections for us.
I found this write-up via a peer:
- The virtual is enabled on the vlan that your servers live on.
- Destination is any IP, any port, as opposed to an actual Virtual IP and port.
- In this example, the idle timeout is disabled. This is sometimes necessary when the servers keep long-standing outbound sockets that must be permitted to sit idle. (reset on timeout disable: in earlier 9.x builds this was implicit. Upgrades to some later builds broke this, and the line needed to be explicitly added.)
- Reverse nPath can also be used with SNAT. In this instance, SNAT is not being used and thus “loose initiation” and “loose close” need to be enabled since the Load Balancer only sees half of the conversation.
virtual reversenpath_virt_name_vs {
   pool reversenpath_pool_name_pl
   destination any:any
   mask none
   vlans 172.16.5.0_24 enable
   profiles fastl4_reversenpath_default_pr
}

pool reversenpath_pool_name_pl {
   members 172.16.5.1:any
}

profile fastL4 fastl4_reversenpath_default_pr {
   defaults from fastL4
   reset on timeout disable
   idle timeout 60
   loose initiation enable
   loose close enable
}
Does this seem reasonable? Am I missing anything? I'm trying to set this up and having various issues so I'm not sure where to start.
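The same reverse nPath configuration rendered in tmsh (v11 and later bigip.conf syntax), as an added example that is not part of the original post or the peer's write-up. Object names, the VLAN name 172.16.5.0_24 and the firewall address 172.16.5.1 are carried over from the quoted bigpipe config. Three lines are additions rather than translations, and are assumptions about what the deployment needs: translate-address disabled and translate-port disabled, so that the BIG-IP forwards packets to the firewall's MAC while leaving the original destination IP and port intact (with address translation enabled the destination would be rewritten to 172.16.5.1 and the firewall would receive traffic addressed to itself), and ip-protocol any, since the quoted virtual does not restrict the protocol. The quoted write-up says the idle timeout is disabled while the quoted profile sets 60; the value is kept here exactly as posted (tmsh expresses a disabled timeout as idle-timeout indefinite).

```tmsh
# Added example: tmsh rendering of the bigpipe reverse nPath config quoted above.
# Names and addresses are the post's; translate-address, translate-port and
# ip-protocol are assumptions added here, not taken from the quoted write-up.

ltm profile fastl4 fastl4_reversenpath_default_pr {
    defaults-from fastL4
    # kept as posted; the write-up's "disabled" would be: idle-timeout indefinite
    idle-timeout 60
    # BIG-IP only sees the outbound half of each flow, so accept mid-stream
    # packets without a SYN and tear down without seeing a full FIN/RST exchange
    loose-initialization enabled
    loose-close enabled
    reset-on-timeout disabled
}

ltm pool reversenpath_pool_name_pl {
    members {
        172.16.5.1:any {
            address 172.16.5.1
        }
    }
}

ltm virtual reversenpath_virt_name_vs {
    # wildcard destination: every packet the servers send to their gateway
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    pool reversenpath_pool_name_pl
    profiles {
        fastl4_reversenpath_default_pr { }
    }
    source 0.0.0.0/0
    # forward to the firewall's MAC without rewriting destination IP or port
    translate-address disabled
    translate-port disabled
    # listen only on the server VLAN so this wildcard does not capture
    # traffic arriving on other VLANs
    vlans {
        172.16.5.0_24
    }
    vlans-enabled
}
```

Two checks worth running once this is in place: confirm with tmsh show ltm virtual reversenpath_virt_name_vs that connections are being counted when a server initiates an outbound session, and confirm on the firewall that the packets arrive with the server's original destination address rather than 172.16.5.1. If the second check fails, address translation is still enabled on the virtual.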