For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Dee_21520's avatar
Dee_21520
Icon for Nimbostratus rankNimbostratus
Oct 03, 2011

iRule - Force a host to out a specific link advise

Hi,

 

 

we have f5 load balacers runing v9 at moment and have a simple irule as follows:

 

 

map24_Outbound_Routing

 

Version 1.0

 

 

when CLIENT_ACCEPTED {

 

if { [matchclass [IP::local_addr] equals $::map24] } {

 

if { [LB::status node 85.13.136.97] eq "up" } {

 

snat 85.13.136.100

 

node 85.13.136.97

 

} else {

 

snat 195.74.174.10

 

node 195.74.174.1

 

}

 

} else {

 

pool default_gateway_pool

 

}

 

}

 

 

we have a data group called map24 with Ip addresses of third party, and the irule is applied to default gateway virtual server

 

 

the rule ensures all traffic destined for map24 is going via their internet pipe.

 

 

----------

 

 

i need to add a new irule to push traffic for another company via another pipe so i created a irule and data group same as above but different names and associated to default gateway virtual server.

 

 

when i do this traffic for the first one stops completely, if i remove from default gateway first one works again.

 

 

does this mean i am only allow one irule per default gateway?

 

 

how can i do this so one site uses one internet pipe and another uses another (reason is third party have restricted access from one IP only)

 

 

will this work?

 

 

map24_Outbound_Routing

 

Version 1.0

 

when CLIENT_ACCEPTED {

 

if { [matchclass [IP::local_addr] equals $::map24] } {

 

if { [LB::status node 85.13.136.97] eq "up" } {

 

snat 85.13.136.100

 

node 85.13.136.97

 

} else {

 

snat 195.74.174.10

 

node 195.74.174.1

 

}

 

} else {

 

pool default_gateway_pool

 

}

 

 

if { [matchclass [IP::local_addr] equals $::new] } {

 

if { [LB::status node 100.100.100.100] eq "up" } {

 

snat 100.100.100.102

 

node 100.100.100.100

 

}

 

}

 

}

 

 

if not please can someone advise,

 

 

thanks

 

dee
application delivery
dev
devops
iRules

8 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 03, 2011
    does this mean i am only allow one irule per default gateway?

    no

    can u try this?

    by the way, shouldn't it be IP::remote_addr? 

    when CLIENT_ACCEPTED { 
   if {[matchclass [IP::local_addr] equals $::map24]} { 
      if {[LB::status node 85.13.136.97] eq "up"} { 
         snat 85.13.136.100 
         node 85.13.136.97 
      } else { 
         snat 195.74.174.10 
         node 195.74.174.1 
      } 
   } elseif {[matchclass [IP::local_addr] equals $::new]} { 
      if {[LB::status node 100.100.100.100] eq "up"} { 
         snat 100.100.100.102 
         node 100.100.100.100
      } 
   } else { 
      pool default_gateway_pool 
   } 
}
  • Dee_21520's avatar
    Dee_21520
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2011
    Hi,

     

     

    just noticed the local_addr should be remote_addr.

     

     

    what is the difference between the two as it has been working fine with original one?

     

     

    Dee
  • Dee_21520's avatar
    Dee_21520
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2011
    Hi,

     

     

    also why can i not just have a completely separate irule per request? so i would associate two to the default gateway.

     

     

    as when i did this before it stopped working.

     

     

    dee
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 03, 2011
    as when i did this before it stopped working.not sure what going on but i think "map24" data group could work. anyway, u said it did not.

     

     

    also why can i not just have a completely separate irule per request? so i would associate two to the default gateway.yes, u can. i merged two if-clauses together since the 1st if-clause has default else which "new" data group would match which i think it should not i.e. it should match the 2nd if-clause.
  • Dee_21520's avatar
    Dee_21520
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2011
    Hi,

     

     

    Thanks for this, i will try abit later just in case it doesn't work and interrupts service again.

     

     

    so with the above map 24 would use one internet pipe and new would another pipe...correct?

     

     

    dee
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 03, 2011
    so with the above map 24 would use one internet pipe and new would another pipe...correct?i think so.
  • Dee_21520's avatar
    Dee_21520
    Icon for Nimbostratus rankNimbostratus
    Oct 06, 2011
    Hi.

     

     

    I used the below as mentioned and with this the first bit stopped working completely (map24 not passing any traffic) and the second one started working (new)

     

     

    when CLIENT_ACCEPTED {

     

    if {[matchclass [IP::local_addr] equals $::map24]} {

     

    if {[LB::status node 85.13.136.97] eq "up"} {

     

    snat 85.13.136.100

     

    node 85.13.136.97

     

    } else {

     

    snat 195.74.174.10

     

    node 195.74.174.1

     

    }

     

    } elseif {[matchclass [IP::local_addr] equals $::new]} {

     

    if {[LB::status node 100.100.100.100] eq "up"} {

     

    snat 100.100.100.102

     

    node 100.100.100.100

     

    }

     

    } else {

     

    pool default_gateway_pool

     

    }

     

    }

     

     

     

     

    please advise what is wrong.

     

     

    thanks

     

    dee
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 06, 2011
    can u put some log command in the irule and capture packet while problem is happening?

     

     

    tcpdump syntax could look like this:

     

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap

     

     

    by the way, it is [IP::remote_addr] indeed, isn't it?