Forum Discussion
iRule for using SNAT and Next-Hop for specific pool member only
I have a unique situation that I believe could be solved with an iRule, but I need some help.
We have two DMZs - Production and DR. Each DMZ has an F5 LTM. In each DMZ we are setting up Google Proxy appliances. What is unique is that we want the failover to be as seamless as possible in the event of an appliance failure. Our original idea was to use Priority Group Activation and put both the Prod Google Appliance and the DR Google Appliance (one in each DMZ) in each pool for the Google Search VIPs (DR and Prod). The local appliance has the LTM as its default gateway, so it doesn't require a SNAT. The remote appliance, of course, does not and will require a SNAT. Also we need to tell the F5 where to send the traffic for the next hop if the remote appliance is chosen in the pool.
We want to apply a SNAT and directions for the next hop if the remote appliance is chosen in the pool. Can anyone offer any guidance in writing this iRule? Are we approaching this with the right idea? Is an iRule the right way to solve this? Any help appreciated.
2 Replies
- nitass
Employee
You can enable/disable SNAT after the server is selected, in LB_SELECTED.
e.g.
floating self ip (snat automap)

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net self 200.200.200.14/24
net self 200.200.200.14/24 {
    address 200.200.200.14/24
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan internal
}

config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 41
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
        200.200.200.111:80 {
            address 200.200.200.111
        }
    }
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when LB_SELECTED {
        switch [LB::server addr] {
            200.200.200.101 {
                snat automap
            }
            default {
                snat none
            }
        }
    }
    when SERVER_CONNECTED {
        log local0. "[IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]"
    }
}

test

[root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
Jun  5 07:56:09 ve11a info tmm1[9801]: Rule /Common/qux SERVER_CONNECTED: 200.200.200.14:44267 > 200.200.200.101:80
Jun  5 07:56:11 ve11a info tmm[9801]: Rule /Common/qux SERVER_CONNECTED: 172.28.24.1:44268 > 200.200.200.111:80

- Heidi_35827
Nimbostratus
Thank you! We may have solved the next-hop issue with a static route, but still looking to do the SNAT only on the one node. Will give the LB_SELECTED idea a go and let you know.
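The iRule below is an added example written for this thread; it is not code posted by nitass or Heidi_35827. It generalizes nitass's LB_SELECTED switch to the situation in the original question: the members that are remote to this LTM are listed in a string data group (hypothetical name dg_remote_members, keyed by member IP), and the value for each one names the SNAT pool to use and the VLAN and router address for the next hop. Anything not in the data group is treated as the local appliance and gets no SNAT, so its replies still come back through the LTM it uses as default gateway. The data group name, the SNAT pool name, the VLAN name and the addresses in the comments are all assumptions chosen to match nitass's lab, not configuration that exists on any system in this thread. The LB_SELECTED decision overrides the virtual server's own source-address-translation setting (automap in nitass's config) per connection.

```tcl
# Added example for the DevCentral thread "iRule for using SNAT and Next-Hop
# for specific pool member only". Not the original poster's or nitass's code.
#
# Assumed objects (hypothetical):
#   string data group dg_remote_members, keyed by pool member IP, value
#   "<snatpool name> <egress vlan> <next-hop router IP>", e.g.
#     200.200.200.111 := "snat_to_dr_dmz internal 200.200.200.1"
#   ltm snatpool snat_to_dr_dmz containing the address the remote appliance
#   should see (in nitass's lab that would be the floating self IP
#   200.200.200.14).
# Members not listed in the data group are the local appliance and are
# reached without translation, exactly as "snat none" did in nitass's rule.

when LB_SELECTED {
    set member [LB::server addr]

    # class match -value returns the entry's value, or "" when no key matches
    set entry [class match -value $member equals dg_remote_members]

    if { $entry eq "" } {
        # Local appliance: it routes back via this LTM, keep the client IP.
        snat none
        return
    }

    # Remote appliance: refuse to guess if the data group entry is malformed.
    if { [llength $entry] != 3 } {
        log local0.err "dg_remote_members entry for $member is malformed: '$entry'"
        reject
        return
    }

    set pool_name [lindex $entry 0]
    set vlan_name [lindex $entry 1]
    set gateway   [lindex $entry 2]

    # Translate the source so the remote appliance's replies return to this
    # LTM, then hand the forward traffic to the router that reaches the other DMZ.
    snatpool $pool_name
    nexthop $vlan_name $gateway

    log local0. "remote member $member: snatpool $pool_name, next hop $gateway via $vlan_name"
}

when SERVER_CONNECTED {
    # Same check nitass used: shows which source address the member actually sees.
    log local0. "[IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]"
}
```

If, as Heidi_35827 reports, a static route already delivers traffic to the remote DMZ, the nexthop line can be dropped and the data group value reduced to the SNAT pool name; the SNAT decision per member is unchanged. Either way, confirm the result the way nitass did: a local member should log the untranslated client address in SERVER_CONNECTED, and a remote member should log an address from the SNAT pool.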