Forum Discussion
iRule for 1-to-1 NAT
I have two ISP connections (ISP 1 and ISP 2) set up in a wildcard outbound VC called Internet. Creative, I know. I also have a single NAT set up for a Polycom Teleconference unit. I used a NAT to keep it on ISP1 only for inbound traffic reasons (better bandwidth). The problem is that randomly the Polycom does not work. After testing we found that the outbound traffic is still load balancing (i.e. going out the wrong connection sometimes), so when traffic leaves through ISP 2, video stops working.
NAT inside 10.10.7.3 to outside 123.123.123.111
Tech support recommended an iRule but I can't seem to get this to work. So, I have the following rule added to the Internet VC:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.7.3 ] }{
        snat 123.123.123.111
        pool ISP1-Only
    }
}
*(ISP1-only pool only has the ISP1 gateway in it.)
Any ideas on what is going wrong?
Thanks,
Todd
11 Replies
- Mohamed_Lrhazi
Altocumulus
I would start by adding a log statement to that CLIENT_ACCEPTED, to log the client IP and make sure it actually is matching.
You should not need the snat statement, since you already have a NAT defined globally, right?
- What_Lies_Bene1
Cirrostratus
Can you explain what 'can't get it to work' means in more detail please, if removing the snat statement doesn't solve your issue.
- Todd_93078
Nimbostratus
I removed the SNAT but no change. I will start reading up on the log statement to see how that works. Sorry, really new to this still.
As for the problem. Inbound traffic uses the NAT just fine but outbound traffic will sometimes leave through the other ISP. The return packet does not match so the session never starts. I had assumed that the NAT would force traffic from the internal target out the same outbound interface but the wildcard Virtual Server is grabbing the traffic instead. I want to load balance other traffic, not the traffic for this unit.
- What_Lies_Bene1
Cirrostratus
For the IP address logging, I'd put this before the first if statement:
    log local0. "Client IP address is: [IP::addr [IP::client_addr]]"
I'd also put this after the pool statement:
    log local0. "Selected pool member: [LB::server]"
- Todd_93078
Nimbostratus
Sorry,
Found the problem. Our design engineer had us disable NAT on the outbound pool earlier. Turns out our traffic was leaving with the 10. address still in the packet. After a webinar with support we finally found it, with the logging you guys provided of course.
Thank you!
- What_Lies_Bene1
Cirrostratus
Good stuff, you're welcome.
- Todd_93078
Nimbostratus
Well turns out I just broke the return traffic, now that we tried to use it for inbound calls. Is there a way to use a "nat 123.123.123.111" statement instead of snat? I was trying to keep this simple and I have no idea how to create a 1-to-1 IP rule with virtual servers yet.
-Todd
- What_Lies_Bene1
Cirrostratus
The return traffic? Inbound calls? Are you initiating connections from the server now too? Please clarify the traffic flow which does and doesn't work.
- Todd_93078
Nimbostratus
Sorry for the confusion,
The outbound traffic (10.10.7.3 to "internet") now works fine with the SNAT and iRule.
The inbound traffic (123.123.123.111 to device) does not work.
Originally I was using a NAT because it was simple and all encompassing. Inbound calls to the teleconference unit worked fine. The outbound did not work, some of the time. Adding the iRule to the outbound VS fixed the outbound traffic to always work but I had to remove the NAT to add the SNAT pool. Can't have the same IP in both places. At the moment I am trying to reproduce the NAT rule with VS instead. Is there a tech article somewhere that walks through a 1-1 IP based VS by any chance?
- Todd_93078
Nimbostratus
FYI,
For anyone with the original problem. Here is my solution:
SNAT pool for each Teleconference unit-
Tele-Pool-1 - 123.123.123.111
Tele-Pool-2 - 123.123.123.112
Tele-Pool-3 - 123.123.123.113
Tele-Pool-4 - 123.123.123.114
Contents of the "Tele-Out" iRule
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.7.1 ] }{
        snat 123.123.123.111
        pool ISP1-Only
    } elseif { [IP::addr [IP::client_addr] equals 10.10.7.2 ] }{
        snat 123.123.123.112
        pool ISP1-Only
    } elseif { [IP::addr [IP::client_addr] equals 10.10.7.3 ] }{
        snat 123.123.123.113
        pool ISP1-Only
    } elseif { [IP::addr [IP::client_addr] equals 10.10.7.4 ] }{
        snat 123.123.123.114
        pool ISP1-Only
    } else {
        pool default_gateway_pool
    }
}
On the outbound "internets" VS I then added the "Tele-Out" iRule
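A variant of the "Tele-Out" iRule above, added here as an example and not taken from the thread: the per-unit internal-to-public mapping moves into an ip-type data group, so a new unit is added with tmsh instead of by editing the elseif chain, and a client with no mapping falls through to normal load balancing. The data group name tele_snat_map is assumed; the pool names are the ones from the thread.

```tcl
# Added example (not from the thread): same pinning logic as "Tele-Out",
# driven by a data group instead of an elseif chain.
#
# Assumed data group (hypothetical name), created with tmsh:
#   create ltm data-group internal tele_snat_map type ip records add {
#       10.10.7.1/32 { data 123.123.123.111 }
#       10.10.7.2/32 { data 123.123.123.112 }
#       10.10.7.3/32 { data 123.123.123.113 }
#       10.10.7.4/32 { data 123.123.123.114 }
#   }
#
# Pools "ISP1-Only" and "default_gateway_pool" are the ones from the thread.

when CLIENT_ACCEPTED {
    # Look up the client address in the ip-type data group; -value returns
    # the record's data (the public SNAT address) or "" when nothing matches.
    set snat_ip [class match -value [IP::client_addr] equals tele_snat_map]

    if { $snat_ip ne "" } {
        # Teleconference unit: source-NAT to its dedicated public IP and
        # force the ISP1-only gateway pool so the return path matches.
        log local0. "Tele unit [IP::client_addr] -> SNAT $snat_ip via ISP1-Only"
        snat $snat_ip
        pool ISP1-Only
    } else {
        # Everything else keeps load balancing across both ISPs.
        pool default_gateway_pool
    }
}
```

Only matched units are logged, so the wildcard virtual server does not write a line for every outbound flow.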