Forum Discussion
Zoltan_101477
Nimbostratus
NimbostratusHealth monitor SNAT
Hi,
I'd like to know if anyone has ever created a custom health check application or script that would be able to test an external system sourcing from a SNAT instead of the self IP of the F5.
The NAT on the Firewall solution would not work, as other cases must not have NAT-ed there, just some specific health checks.
The F5 has private IP addresses on the external vlan.
The router also has a public subnet routed to the F5 external floating address.
So by picking one from that public subnet should be possible theoratically.
I'd need this to be icmp and tcp_half_open based if possible.
I think this could be a standard feature of the F5 to specify custom sourcing.
If anyone has done such thing before, please inform me.
Regards,
Zoltan
- The_BhattmanHi Zoltan,
Is the external system on the public subnet?
/CB 
hoolioCirrostratus
I don't think there is a way to specify a source IP address in a default monitor. You might be able to use an external monitor which references a custom script. Using netcat, you could specify a source IP/port. For your specific scenario, I'm not sure how this would work though. The IP you select for the source of the monitor traffic must be an IP that the BIG-IP will ARP for. It will only answer ARPs for IP's it's configured for. So I think you'd need to configure the source IP as a self IP address.
Aaron
Zoltan_101477Hi,
It's facing towards the external subnets, but not part of it.
It is part of a private subnet, and another public subnet is routed to the floating private IP, so the F5 can have public IP virtual servers, SNATs from the public range.
Regards,
Zoltan- Zoltan_101477Hi,
Even though the LTM doesn't have the subnet specified as a self IP and VLAN, it has the public subnet routed to it.
I have virtual servers and NAT/SNAT for those IP addresses, and I see the F5 responds to the ARP requests for those addresses.
I just think it would be a good feature to extend the transparent health check type to make it possible to originate from specific IP address other than the self IP.
I tried to use ping, tracepath, traceroute to use a different originating IP address, but it was not possible. I will look into the netcat that you proposed.
Regards,
Zoltan - The_BhattmanI concur with Aaron. I cannot get the BIGIP to use a snat for the monitors. The only thing I can think of is snating on a router or firewall before it hits the external system.
/cb - As you have discovered, SNATs & NATs apply only to load balanced traffic.
hoolio is, as usual, right on all counts.
I am wondering though why you can't use the external address and source NAT at the firewall, allowing only internally initiated requests for the external service ports in question? There should be no load balanced traffic sourced from the LTM selfIPs, just system requests like DNS, ssh/ftp outbound by an admin, that kind of stuff.
If you do want to go the external monitor route, this doc will be most helpful:
Click here
If you'd like to pursue this request: I just think it would be a good feature to extend the transparent health check type to make it possible to originate from specific IP address other than the self IP.you can open a case with F5 Support and request a CR (change request) be created (or there might already be a CR for it). This isn't a bad idea, so anyone who thinks it would be valuable, open a case to raise its visibility in Dev.
HTH
/deb
WolandHi! I got into the situation, where the feature mentioned by Zoltan (define a custom source IP for a monitor) would be very helpful. This thread was the only thing I was able to find about this problem. I'm on "bleeding edge" 11.4.1HF2 LTM running on Viprion vCMP. Maybe somebody has some information about that CR or even better about a new feature yet unknown to me. Sorry for reopening such an old thread. Thanks! Peter For the curious: - clients > f5 ltm > lots of routers > firewalls > server -the load balanced servers and the firewalls before them are at a remote location, people there only want to open 1 source IP for the access through those firewalls... -running a standard VS type and hiding every client request behind 1 SNAT IP which is the same as the VS IP
jpfino_183435did you get an answer?
