Forum Discussion
iRule for Outbound Pool ISP based Load Balancing
I would not use an iRule at all. It seems unnecessary. Try to take advantage of the Source IP field in the Virtual Server configuration settings.
- First, create a working configuration for one ISP, refrain from using any iRules and stick to Virtual Server settings (SNAT pool, Default Pool). Observing that you have a large number of data groups to compare against (ISP2), it might be best to create that default configuration for ISP2 users. (IP Source setting: 0.0.0.0/0)
- Create a second Virtual Server with the same Destination IP but a different Source IP to cover for ISP1 users. Create more Virtual Servers as needed if you have more than one Source IP subnet to compare against. (IP Source setting: yourSubnet1, yourSubnet2...)
Incoming connections will be matched based on the closest-match logic. So if there's a better match to the client's IP address than 0.0.0.0/0, a dedicated VS for ISP1 users will get the connection.
- Kai_Wilke, Aug 01, 2016, MVP
Hi Hannes, (long time no reading 😉)
yeah, it would be possible to support this scenario by deploying multiple IP-Forwarding virtual servers (e.g. Mask:192.168.0.0/24 and Mask:192.168.1.0/24) without any iRules. But doing so will most likely also require you to set up different route domains to be able to forward the traffic to the independent ISPs...
I guess using a unified Virtual Server (aka. 0.0.0.0/0) with a single iRule attached to control [snat] and [nexthop] is far less complicated then...
Cheers, Kai
- Hannes_Rapp, Aug 01, 2016, Nimbostratus
I think he probably already has a direct connection to both ISP uplinks covered by SelfIPs. If that's the case, there's no extra work with route domains. It might indeed be better to use one Virtual Server with default settings derived for ISP2 users and a single iRule attached to it which covers the fewer exceptions that apply to ISP1 users. It really depends on how many of those 0.0.0.0/0 Virtuals are needed to get away without iRules. Nevertheless, covering all user-cases as exceptions in an iRule just because it's possible is a no-go!
- Kai_Wilke, Aug 01, 2016, MVP
Using SelfIPs for every ISP wouldn't be sufficient to dynamically flip the nexthops (aka. the different ISPs' gateways) according to which Virtual Server or SNAT IP was chosen. This would require either certain PBRs (Policy Based Routings) in front of the F5, independent Route-Domains with unique Routing-Tables at the F5 level or a rather simple iRule using the [nexthop] command to dynamically flip between the ISPs' gateways...
Cheers, Kai
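
A sketch of the single-iRule approach discussed in this thread, added here as an example and not code posted by any participant: the virtual server keeps its own SNAT pool and routing as the ISP2 default, and the iRule only handles the ISP1 exceptions with `snatpool` and `nexthop`. The data group `isp1_clients_dg`, SNAT pool `isp1_snatpool`, VLAN `isp1_vlan` and gateway address 198.51.100.1 are hypothetical names and values.

```tcl
# Added example; not code from the thread.
# Assumptions (all hypothetical): an address-type data group "isp1_clients_dg"
# listing the internal subnets that must leave via ISP1, a SNAT pool
# "isp1_snatpool" holding ISP1-routable addresses, a VLAN "isp1_vlan" facing
# ISP1, and the ISP1 gateway 198.51.100.1 (documentation address range).
when CLIENT_ACCEPTED {
    # Exception path: only clients listed in the data group are steered to ISP1.
    if { [class match [IP::client_addr] equals isp1_clients_dg] } {
        # Translate the source to an address ISP1 will route back to us.
        snatpool isp1_snatpool
        # Override the routing table and send this connection to ISP1's gateway.
        nexthop isp1_vlan 198.51.100.1
    }
    # Every other client falls through to the virtual server's own SNAT pool
    # and default route (the ISP2 path), so no else-branch is needed.
}
```

Pairing the SNAT choice with the next hop in the same branch keeps the translated source address and the egress ISP consistent, so return traffic arrives on the uplink that owns the SNAT address.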