Forum Discussion
NimbostratusiRule for 1-to-1 NAT
I have two ISP connections (ISP 1 and ISP 2) setup in a wildcard outbound VC called Internet. Creative I know. I also have a single NAT setup for a Polycom Teleconference unit. I used a NAT to keep it on ISP1 only for inbound traffic reasons (better bandwidth). The problem is that randomly the polycom does not work. After testing we found that the outbound traffic is still load balancing (ie going out the wrong connection sometimes), so when traffic leaves through ISP 2, video stops working.
NAT inside 10.10.7.3 to outside 123.123.123.111
Tech support recommended an iRule but I can't seem to get this to work. So, I have the following rule added to the Internet VC:
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.7.3 ] }{
snat 123.123.123.111
pool ISP1-Only
}
}
*(ISP1-only pool only has the ISP1 gateway in it.)
Any ideas on what is going wrong?
Thanks,
Todd
11 Replies
Mohamed_LrhaziAltocumulus
I would start by adding a log statement to that CLIENT_ACCEPTED, to log the client IP and make sure it actually is matching.
You should not need the snat statement, since you already have a NAT defined globally, right?
What_Lies_Bene1Cirrostratus
Can you explain what 'can't get it to work' means in more detail please, if removing the snat statement doesn't solve your issue.
Todd_93078I removed the SNAT but no change. I will start reading up on the log statement to see how that works. Sorry, really new to this still.
As for the problem. Inbound traffic uses the NAT just fine but outbound traffic will sometimes leave through the other ISP. The return packet does not match so the session never starts. I had assumed that the NAT would force traffic from the internal target out the same outbound interface but the wildcard Virtual Server is grabbing the traffic instead. I want to load balance other traffic, not the traffic for this unit.- What_Lies_Bene1For the IP address logging, I'd put this before the first if statement;
log local0. "Client IP address is: [IP::addr [IP::client_addr]]"
I'd also put this after the pool statement;
log local0. "Selected pool member: [LB::server]" - Todd_93078Sorry,
Found the problem. Our design engineer had us disable NAT on the outbound pool earlier. Turns out our traffic was leaving with the 10. address still in the packet. After a webinar with support we finally found it, with the logging you guys provided of course.
Thank you! - What_Lies_Bene1Good stuff, you're welcome.
- Todd_93078Well turns out I just broke the return traffic, now that we tried to use it for inbound calls. Is there a way to use a "nat 123.123.123.111" statement instead of snat? I was trying to keep this simple and I have no idea how to create a 1-to-1 IP rule with virtual servers yet.
-Todd - What_Lies_Bene1The return traffic? Inbound calls? Are you initiating connections from the server now too? Please clarify the traffic flow which does and doesn't work.
- Todd_93078Sorry for the confusion,
The outbound traffic (10.10.7.3 to "internet) now works fine with the SNAT and iRULE
The inbound traffic (123.123.123.111 to device) does not work.
Originally I was using a NAT because it was simple and all encompassing. Inbound calls to the teleconference unit worked fine. The outbound did not work, some of the time. Adding the iRULE to the outbound VS fixed the outbound traffic to always work but I had to remove the NAT to add the SNAT pool. Can't have the same IP in both places. At the moment I am trying to reproduce the NAT rule with VS instead. Is there a tech article somewhere that walks through a 1-1 IP based VS by any chance? - Todd_93078FYI,
For anyone with the original problem. Here is my solution:
SNAT pool for each Teleconference unit-
Tele-Pool-1 - 123.123.123.111
Tele-Pool-2 - 123.123.123.112
Tele-Pool-3 - 123.123.123.113
Tele-Pool-4 - 123.123.123.114
Contents of the "Tele-Out" iRule
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.10.7.1 ] }{
snat 123.123.123.111
pool ISP1-Only
} elseif { [IP::addr [IP::client_addr] equals 10.10.7.2 ] }{
snat 123.123.123.112
pool ISP1-Only
} elseif { [IP::addr [IP::client_addr] equals 10.10.7.3 ] }{
snat 123.123.123.113
pool ISP1-Only
} elseif { [IP::addr [IP::client_addr] equals 10.10.7.4 ] }{
snat 123.123.123.114
pool ISP1-Only
} else {
pool default_gateway_pool
}
}
On the outbound "internets" VS I then added the "Tele-Out" iRule
