Forum Discussion
iRule : snatpool first or pool member selection first
I have an iRule like the one below:

iRule_mail_snat
    when CLIENT_ACCEPTED {
        if { [IP::remote_addr] equals "202.1.1.1" } {
            # client 202.1.1.1: explicit SNAT pool and explicit pool
            snatpool snatpool_A
            pool Pool_A
        } elseif { [IP::remote_addr] equals "202.1.1.2" } {
            # client 202.1.1.2: explicit SNAT pool and explicit pool
            snatpool snatpool_B
            pool Pool_B
        } else {
            # every other client: only the SNAT pool is set here;
            # the pool falls through to the virtual server's default pool
            snatpool snatpool_normal
        }
    }
------------------------------------
Snatpool_normal
    snatpool_normal {
        member 1.1.1.1
        member 2.2.2.2
    }
-----------------------------------
If a virtual server has the above iRule attached, and the pool assigned to the virtual server is called "pool_normal":
    pool_normal {
        member 1.1.1.254:0
        member 2.2.2.254:0
        member 3.3.3.254:0
    }
What decision does the F5 make when traffic goes through this iRule (for snatpool_normal and pool_normal)?
1) The F5 selects the SNAT pool according to the iRule, then selects the corresponding pool member in the pool.
2) The F5 selects the pool member first, then selects the corresponding address from snatpool_normal.
If it is case 2, that will be an issue in a situation like this: the F5 selects 3.3.3.254, but snatpool_normal does not have an IP address in the corresponding subnet.
What does the F5 do then? Drop the packet? Just choose one of the addresses from the SNAT pool?
5 Replies
- What_Lies_Bene1
Cirrostratus
Basically, if the client source IP address isn't 202.1.1.1 or 202.1.1.2 then snatpool snatpool_normal will be used and the Default Pool assigned to the Virtual Server will be used.
Because you are doing this in the CLIENT_ACCEPTED event, I don't think the order matters at all.
To be blunt, don't use member 3.3.3.254 if it's an issue. However, keep in mind the SNAT IP doesn't need to be in the same subnet/network; you just need to ensure the server has a route back to the SNAT address via the F5. You could use 192.168.1.1 if you wanted, as long as the servers and hops in between route that IP back to the F5.
- Martin_58375
Nimbostratus
Thanks !!!
If the packet goes out to 1.1.1.254:0 and uses 1.1.1.1 for SNAT,
the traffic works properly.
If the packet goes out to 3.3.3.254:0 and uses 1.1.1.1 for SNAT,
the F5 will reset the packet.
That means the snatpool is not set properly.
For SNAT, the F5 will choose the most specific one.
Am I right?
- What_Lies_Bene1
Cirrostratus
You could specify any SNAT address you liked, the F5 wouldn't reset anything unless the traffic behavior/routing back to it was wrong.
What IPs are in the SNAT Pool? Does server 3.3.3.254 have a route back to 1.1.1.1 via the F5, on the same VLAN?
- Martin_58375
Nimbostratus
3.3.3.254 and 1.1.1.1 are on different VLANs.
That means the packet goes out from interface 1.1,
and then the reply packet comes back on interface 1.2.
Then the packet is reset.
This is what you said in your first sentence.
Thanks !!!
- What_Lies_Bene1
Cirrostratus
OK, understood. Yes, I did. The point I'm trying to make is: if you use a SNAT IP address that is routed back to the correct F5 interface, it doesn't really matter what it is. So, you can either change the routing as necessary to ensure traffic returns to the correct interface, modify your iRule and use a SNAT pool that will be routed back correctly, or not use 3.3.3.254.
The behavior you are seeing is correct and expected. You need to decide on and implement a configuration that will work. I'm happy to help here.
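The second of those three options, choosing the SNAT address after the pool member is known, is what the original iRule cannot do from CLIENT_ACCEPTED alone, because at that point no member has been picked yet. The iRule below is an added example written for this thread, not code posted by either participant or shipped by F5. It keeps the original per-client pool and SNAT pool choices for 202.1.1.1 and 202.1.1.2, and for the default pool it defers the SNAT decision to LB_SELECTED, where `LB::server addr` gives the chosen member. It assumes the virtual server's default pool is named pool_normal with members on 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24, that 1.1.1.1 and 2.2.2.2 (from snatpool_normal) are usable SNAT addresses on the first two networks, and that the F5 also owns a hypothetical SNAT address 3.3.3.1 on the third; the other address-selection path mentioned above (fixing routing so any SNAT address returns via the F5) needs no iRule change and is not shown.

```tcl
# Added example, not from the thread: pick the SNAT address per selected
# pool member so the server always sees a source on its own VLAN and the
# return traffic arrives on the F5 interface that sent it.
#
# Assumptions (not stated in the original post): the virtual server's
# default pool is pool_normal; 1.1.1.1 and 2.2.2.2 come from snatpool_normal;
# 3.3.3.1 is a hypothetical SNAT address on the 3.3.3.0/24 VLAN.

when CLIENT_ACCEPTED {
    # Client-specific branches are unchanged from the original rule:
    # both the SNAT pool and the pool are chosen up front.
    if { [IP::client_addr] equals "202.1.1.1" } {
        snatpool snatpool_A
        pool Pool_A
    } elseif { [IP::client_addr] equals "202.1.1.2" } {
        snatpool snatpool_B
        pool Pool_B
    }
    # Everyone else falls through to the virtual server's default pool;
    # no SNAT pool is set here, LB_SELECTED decides it per member.
}

when LB_SELECTED {
    # Pool_A / Pool_B keep the SNAT pools set in CLIENT_ACCEPTED.
    if { [LB::server pool] ne "pool_normal" } {
        return
    }

    # Address of the member the load balancer just picked.
    set member [LB::server addr]

    if { [IP::addr $member equals 1.1.1.0/24] } {
        snat 1.1.1.1
    } elseif { [IP::addr $member equals 2.2.2.0/24] } {
        snat 2.2.2.2
    } elseif { [IP::addr $member equals 3.3.3.0/24] } {
        snat 3.3.3.1
    } else {
        # No on-subnet SNAT address is known for this member. Rather than
        # hand the server a source address it may route back the wrong
        # way (the silent RST described in the thread), log it and reject
        # the connection so the gap shows up in the LTM log.
        log local0. "no SNAT address for member $member in pool_normal, rejecting [IP::client_addr]"
        reject
    }
}
```

The `else` branch is the part worth keeping even if the address table changes: a member added to pool_normal on a fourth network will then fail loudly with a log line instead of producing an intermittent reset that has to be chased through packet captures.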