Forum Discussion
genseek_32178
Nimbostratus
Feb 07, 2012
F5 Issue
Hi,
Below is the config of virtual, pool and snatpool on F5 that is in production. Need assistance.
snatpool vlan12_sp { member 63.25.36.7 }
pool reversenpath_vlan12_pl { member 63.25.36.1:any }
virtual reversenpath_vlan20_vs {
    snatpool vlan12_sp
    pool reversenpath_vlan25_pl
    destination any:any
    mask 0.0.0.0
    profiles fastl4_reversenpath_default {}
    vlans 20 enable
}
Internet is not working on the servers connected to vlan 20.
Thanks - genseek
39 Replies
- nitass
Employee
i am not sure what reversenpath means. anyway, when load balancing transparent device e.g. router or firewall or etc, pool is that transparent device.
- genseek_32178
Nimbostratus
what is the meaning of the below iRule?
rule ip_snat_decision_selective_snat_vlan12 {
    when LB_SELECTED {
        if { [IP::addr [IP::remote_addr] equals 10.0.0.0/8] } {
            snatpool vlan12_sp
        }
    }
}
- nitass
Employee
if traffic is coming from 10.0.0.0/8 subnet, translate source address to address in vlan12_sp snatpool.
- genseek_32178
Nimbostratus
< if traffic is coming from 10.0.0.0/8 subnet >
does it mean, traffic coming from the client side? or coming from the pool server side?
If this iRule is applied to the below virtual, what will happen?
virtual reversenpath_vlan20_vs {
    snatpool vlan12_sp <<<<<
    pool reversenpath_vlan25_pl <<<<<
    destination any:any
    mask 0.0.0.0
    profiles fastl4_reversenpath_default {}
    vlans 20 enable
}
- genseek_32178
Nimbostratus
One more question nitass,
Snat pool, as i see, is used to change client initiated src-ip towards F5.
Can the same Snat pool be used to change the src-ip of the packet initiated from the pool server with default gwy as F5 towards internet?
genseek
- genseek_32178
Nimbostratus
nitass,
any updates?
- nitass
Employee
"does it mean, traffic coming from the client side? or coming from the pool server side?"
client side.
"If this iRule is applied to the below virtual, what will happen?"
if client in 10.0.0.0/8 subnet sends traffic to virtual, bigip will translate source (client) address to one in vlan12_sp snatpool when sending traffic to pool.
"Can the same Snat pool be used to change the src-ip of the packet initiated from the pool server with default gwy as F5 towards internet?"
yes but you must have object listener such as virtual server listening on incoming vlan e.g. pool server's vlan.
- genseek_32178
Nimbostratus
nitass, can you help me to understand the below configuration
vlans {
    vlan_20
}
self 10.1.1.50 {
    netmask 255.255.254.0
    vlan vlan_20
}
self 10.1.1.17 {
    netmask 255.255.254.0
    unit 1
    floating enable
    vlan vlan_20
}
vlan vlan_20 {
    tag 11
    mac masq xxxxx
    failsafe enable
    timeout 45
    failsafe failover
    trunks tagged xxxxx
}
profile fastL4 fastl4_reversenpath {
    defaults from fastL4
    idle timeout 60
    loose initiation enable
    loose close enable
}
pool reversenpath_vlan20 {
    members 10.1.1.1:any {}
}
snatpool smtpsnat {
    members 3.3.3.3
}
pool reversenpath_20 {
    members 3.3.3.1:any
}
virtual reversenpath_vlan20_vs {
    pool reversenpath_vlan20
    destination any:any
    mask 0.0.0.0
    rules rule1
    profiles fastl4_reversenpath {}
    vlans vlan_20 enable
}
rule rule1 {
    when CLIENT_ACCEPTED {
        # if destination is 20.0.0.0/8 do not SNAT
        # elseif dest prt is 25, or src prt 1024-2000 SNAT 3.3.3.3
        # else SNATPOOL 3.3.3.4-10
        if { [IP::addr [IP::local_addr]/8 equals 20.0.0.0] } {
            snat none
        }
        elseif { ([TCP::local_port clientside] equals 25 ) or (([TCP::client_port] >=1024) and ( [TCP::client_port] <=2000)) } {
            snatpool ftpsnat_2020_sp
            pool reversenpath_2020_FE_pl
        }
        else {
            snatpool smtpsnat
            pool reversenpath_20
        }
    }
}
A server with dual NICs with 1 NIC in private and other in public range is not able to access internet. Trace from the server to internet is getting dropped at upstream router.
Can you plz check if all F5 config is fine and not preventing the server from accessing the inet.
- nitass
Employee
"A server with dual NICs with 1 NIC in private and other in public range is not able to access internet. Trace from the server to internet is getting dropped at upstream router."
server's private nic is in vlan20 which is 10.1.1.0/23 subnet, isn't it?
what snatpool and pool do server use when going to internet? is it snatpool smtpsnat and pool reversenpath_20?
if so, have you added route for 3.3.3.3 to bigip at upstream router?
- genseek_32178
Nimbostratus
yes, route has been added for 3.3.3.3 in upstream router.
