iRule for Outbound Pool ISP based Load Balancing
Hi Waleed,
To support dynamic outbound SNAT (aka IP masquerading) for your internal clients, nothing more than an "IP Forwarding" Virtual Server bound to 0.0.0.0/0 and an iRule with certain [snat] commands is required.
To support multiple ISPs at the same time, you have to mix the [snat] command with the [nexthop] command to forward the traffic either to one or the other ISP (aka dynamically changing the default gateway).
In addition to that I would recommend not chaining multiple [class match] commands in a row (each of them will add CPU overhead). Try to use a single datagroup containing a.) the internal subnets, b.) the SNAT IP and c.) the Def-GW of the ISP, and then perform a single [class lookup] command to extract and parse this data.
ltm data-group internal DG_MultiISP_SNAT {
    records {
        192.168.0.0/24 {
            data "1.1.1.11 1.1.1.1"
        }
        192.168.1.0/24 {
            data "1.1.1.12 1.1.1.1"
        }
        192.168.2.0/24 {
            data "1.1.1.13 1.1.1.1"
        }
        192.168.3.0/24 {
            data "1.1.1.14 1.1.1.1"
        }
        192.168.4.0/24 {
            data "2.2.2.11 2.2.2.1"
        }
        192.168.5.0/24 {
            data "2.2.2.12 2.2.2.1"
        }
        192.168.6.0/24 {
            data "2.2.2.13 2.2.2.1"
        }
        192.168.7.0/24 {
            data "2.2.2.14 2.2.2.1"
        }
    }
    type ip
}
Note: The data format of the above datagroup is "snat_ip(space)nexthop_ip"
Then use the rather simple iRule below to dynamically set the [snat] and [nexthop] values based on the extracted data group settings.
when CLIENT_ACCEPTED {
    # Look up the client's source subnet in the ip-type data group. The record
    # value is a two-element Tcl list in the form "snat_ip nexthop_ip".
    # [class lookup] takes <item> <class> (no operator) and returns "" on no match.
    set DG_MultiISP_SNAT_DATA [class lookup [IP::client_addr] DG_MultiISP_SNAT]
    if { $DG_MultiISP_SNAT_DATA ne "" } then {
        log local0. "SNAT IP \"[lindex $DG_MultiISP_SNAT_DATA 0]\" using Gateway IP \"[lindex $DG_MultiISP_SNAT_DATA 1]\" for Client IP \"[IP::client_addr]\""
        # First list element: the SNAT address belonging to the chosen ISP
        snat [lindex $DG_MultiISP_SNAT_DATA 0]
        # Second list element: that ISP's gateway, overriding the default route
        nexthop [lindex $DG_MultiISP_SNAT_DATA 1]
    } else {
        # Client subnet not found in the datagroup. Using virtual server and
        # route domain default settings to forward the packet.
    }
}
Note: Didn't verify the provided example code. But the chances should be above average that the code will work for you without any changes. If not, then feel free to correct the leftover typos... 😉
Cheers, Kai
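Since the iRule above trusts the data-group values blindly, it helps to sanity-check the "snat_ip nexthop_ip" records before loading them and to confirm which ISP a given client subnet will be steered to. The following script is an added example, not code from the post or from F5: it parses a tmsh-style data-group text (a constructed subset of the records above), validates the records, and resolves a client address the way the iRule's [class lookup] would. The longest-prefix-match behaviour in lookup() is an assumption about how ip-type data groups resolve overlapping subnets; the regex only handles the simple record layout shown in the post.

```python
import ipaddress
import re

# Constructed subset of the data-group from the post: two subnets per ISP.
DATAGROUP_TEXT = """
ltm data-group internal DG_MultiISP_SNAT {
    records {
        192.168.0.0/24 {
            data "1.1.1.11 1.1.1.1"
        }
        192.168.1.0/24 {
            data "1.1.1.12 1.1.1.1"
        }
        192.168.4.0/24 {
            data "2.2.2.11 2.2.2.1"
        }
        192.168.5.0/24 {
            data "2.2.2.12 2.2.2.1"
        }
    }
    type ip
}
"""

# Matches one record: <address[/prefix]> { data "<value>" }
RECORD_RE = re.compile(r'(\d+(?:\.\d+){3}(?:/\d+)?)\s*\{\s*data\s+"([^"]*)"\s*\}')


def parse_datagroup(text):
    """Return a list of (network, snat_ip, nexthop_ip) tuples.

    Raises ValueError if a record's data is not exactly two IP addresses,
    which is the contract the iRule's [lindex ... 0] / [lindex ... 1] rely on.
    """
    records = []
    for net_str, data in RECORD_RE.findall(text):
        fields = data.split()
        if len(fields) != 2:
            raise ValueError(f"record {net_str}: expected 'snat_ip nexthop_ip', got {data!r}")
        net = ipaddress.ip_network(net_str, strict=False)
        snat = ipaddress.ip_address(fields[0])
        nexthop = ipaddress.ip_address(fields[1])
        records.append((net, snat, nexthop))
    return records


def validate(records):
    """Return a list of warning strings; an empty list means the records look sane."""
    warnings = []
    for i, (net, snat, nexthop) in enumerate(records):
        if snat == nexthop:
            warnings.append(f"{net}: SNAT IP equals next-hop IP {snat}")
        # A SNAT or gateway address inside an internal subnet would be steered back at itself.
        for other_net, _, _ in records:
            if snat in other_net or nexthop in other_net:
                warnings.append(f"{net}: {snat}/{nexthop} lies inside internal subnet {other_net}")
        # Overlapping internal subnets make the lookup result depend on match order.
        for other_net, _, _ in records[i + 1:]:
            if net.overlaps(other_net):
                warnings.append(f"{net} overlaps {other_net}")
    return warnings


def lookup(records, client_ip):
    """Resolve a client IP to (snat_ip, nexthop_ip) strings, or None if no subnet matches.

    Assumption: the most specific (longest-prefix) subnet wins, mirroring an
    ip-type data-group lookup; the iRule's else branch corresponds to None.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, snat, nexthop in records:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, snat, nexthop)
    if best is None:
        return None
    return str(best[1]), str(best[2])


if __name__ == "__main__":
    recs = parse_datagroup(DATAGROUP_TEXT)
    print("warnings:", validate(recs))
    for ip in ("192.168.0.250", "192.168.4.77", "10.0.0.1"):
        print(ip, "->", lookup(recs, ip))
```

Run it against the full data-group text exported with tmsh before you load a change; a non-empty warning list or an unexpected None for a production subnet means the iRule would either pick the wrong ISP or silently fall through to the default route.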