We have an HA pair of VLMs configured in a DMZ network. We are struggling with creating firewall rules to allow the VLMs to connect to the real servers. Our real servers are in a different subnet to the 'inside' interface of the VLMs. Transparency is disabled on all VSs.
Internet <-> Firewall <-> VLM <-> Firewall <-> Internal (real servers)
eth0 = Internet arm
eth1 = Inside arm
When using tcpdump in the diagnostic shell I see traffic on eth1 towards the real servers, with the source address as the IP of the VS.
According to the documentation checking 'Subnet Originating Request' enables this behaviour:
"When transparency is turned off for a Virtual Service, the source IP address of the connections to the Real Servers is the Virtual Service. When the Subnet Originating Requests check box is selected, the source IP address will look like the local interface address on the Real Server’s subnet."
Whether or not I check the box for this parameter, the source address for traffic to the real servers is always the IP address of the VS.
My question is what is supposed to happen in this case? Can I use 'subnet originating requests' when my real servers are non-local?
Also, I've observed that the real server check traffic comes from the IP address of the individual node, not the VS address or the HA management address.
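One way to turn the tcpdump observations in this post into a concrete, least-privilege rule set for the firewall between the VLM and the real servers is to parse the capture from the inside arm, keep only the SYNs the VLM itself sends, and tag each source address with its role (VS address, eth1 interface address, individual node address, HA shared address). This is an added example and not code from the post, from Kemp, or from any LoadMaster tool; the capture lines, the address plan in ROLES and the role names are all constructed for illustration. It also answers the "did Subnet Originating Requests take effect?" question mechanically: if no connection is ever sourced from the eth1 interface address, the box had no visible effect for these non-local real servers.

```python
import re
from collections import Counter

# Constructed sample of tcpdump output as it would appear in the VLM diagnostic
# shell on the inside arm (eth1). Addresses, ports and timestamps are made up.
SAMPLE_CAPTURE = """\
10:01:02.100001 IP 192.0.2.10.51002 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
10:01:02.100300 IP 198.51.100.20.443 > 192.0.2.10.51002: Flags [S.], seq 2, ack 2, win 65160, length 0
10:01:05.200001 IP 192.0.2.31.40010 > 198.51.100.20.443: Flags [S], seq 3, win 64240, length 0
10:01:05.200002 IP 192.0.2.31.40011 > 198.51.100.21.443: Flags [S], seq 4, win 64240, length 0
10:01:09.000001 IP 192.0.2.10.51003 > 198.51.100.21.8080: Flags [S], seq 5, win 64240, length 0
"""

# Hypothetical address plan for the HA pair. The roles let us tell apart the
# source addresses the post mentions: the VS address, the eth1 interface address
# (what Subnet Originating Requests is documented to use), the HA shared address
# and each node's own address (seen on the real server health checks).
ROLES = {
    "192.0.2.10": "virtual service",
    "192.0.2.20": "eth1 interface",
    "192.0.2.30": "HA shared address",
    "192.0.2.31": "node 1",
    "192.0.2.32": "node 2",
}

# Match only pure SYN packets ("Flags [S]"), i.e. connections the VLM opens.
# SYN-ACK replies ("Flags [S.]") come back from the real servers and are not
# what the VLM-to-real-server firewall needs an explicit allow rule for.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def new_connections(capture):
    """Return (src_ip, dst_ip, dst_port) for each connection the VLM initiates."""
    conns = []
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            conns.append((src, dst, int(dport)))
    return conns


def required_rules(capture, roles):
    """Distinct (role, src, dst, dport) tuples: one firewall allow rule per tuple."""
    rules = set()
    for src, dst, dport in new_connections(capture):
        rules.add((roles.get(src, "UNKNOWN source"), src, dst, dport))
    return sorted(rules)


def sources_by_role(capture, roles):
    """Count of new connections per source role: shows which of the possible
    source addresses actually reach the real servers (and flags unknown ones)."""
    return Counter(
        roles.get(src, "UNKNOWN source") for src, _, _ in new_connections(capture)
    )


def subnet_originating_in_effect(capture, roles):
    """True only if some connection was sourced from the eth1 interface address."""
    return "eth1 interface" in sources_by_role(capture, roles)


if __name__ == "__main__":
    for role, src, dst, dport in required_rules(SAMPLE_CAPTURE, ROLES):
        print(f"allow {src} -> {dst}:{dport}   # {role}")
    print("source roles seen:", dict(sources_by_role(SAMPLE_CAPTURE, ROLES)))
    print("Subnet Originating Requests observed:",
          subnet_originating_in_effect(SAMPLE_CAPTURE, ROLES))
```

Feed it a real capture (for example the output of tcpdump on eth1 saved to a file) together with your own address plan instead of the constructed values; any source reported as "UNKNOWN source" is an address the rule set did not anticipate and deserves a closer look before it gets an allow rule. With the sample above the eth1 address never appears, which matches the post's observation that the VS address is used regardless of the check box, and the node addresses show up separately because of the health checks.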