Forum Discussion
iRule SNAT for multiple ISP
Hi,
I tried to configure an iRule to SNAT a specific LAN to a specific ISP (WAN link). When I bind this iRule to my default VS (in FastL4) the iRule doesn't match when I generate traffic from my LAN. I don't know if my iRule is good...:
when CLIENT_ACCEPTED {
    set my_ip [IP::client_addr]
    if { [IP::addr [IP::client_addr] equals X.X.X.X/26] or [IP::addr [IP::client_addr] equals Y.Y.Y.Y/26] } {
        snat Z.Z.Z.Z
        pool default_gw_pool
    } else {
        snatpool snat_pool-CLD_ALL
        pool default_gw_pool
    }
}
Does anyone have an idea?
- VernonWellsEmployee
On 11.5.3, I tried a somewhat simplified version, and it works as I expect:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals "192.168.0.0/16"] or [IP::addr [IP::client_addr] equals "10.11.201.0/24"] } {
        snat automap
        log local0. " -- YES -- "
    } else {
        log local0. " -- NO -- "
    }
}
when applied to a "Performance (L4)" Virtual Server with no other alterations. I also tried it with a "Forwarding (IP)" Virtual Server with a VIP of 0.0.0.0/0. It works in that case, too.
You may consider adding a logging statement at the head of the rule to ensure that it is firing, and if so, add additional logging to capture the relevant values (e.g., [IP::client_addr]).
Hi Nicolas,
as Vernon already said, the code as it is looks fine and some debug lines would definitely help to troubleshoot the problem.
Also keep in mind that possible route-domain suffixes may break the functionality of [IP::addr]. You may have to strip these %id suffixes before comparing the client IP.
when CLIENT_ACCEPTED {
    set cli_ip [substr [IP::client_addr] 0 "%"]
    if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then {
        snat Z.Z.Z.Z
        pool default_gw_pool
    } else {
        snatpool snat_pool-CLD_ALL
        pool default_gw_pool
    }
}
Cheers, Kai
- Nicolas_ROMERO_Nimbostratus
Hello, I tried to apply this iRule but it still doesn't work:
when CLIENT_ACCEPTED {
    set cli_ip [substr [IP::client_addr] 0 "%"]
    if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then {
        snat Y.Y.Y.Y
        log local0. " -- SNAT 1 -- "
    } else {
        snatpool snat_pool-CLD_ALL
        pool default_gw_pool
        log local0. " -- SNAT ALL -- "
    }
}
In my log files (messages file) there is no log... In my tcpdump I still have the outbound traffic passing through ISP1 and the return passing through ISP2. Can you confirm that the iRule has to be bound to the default VS 0.0.0.0 in L4? As you can see in this capture the iRule is not matching:
Do you have any other idea?
Hi Nicolas,
I can confirm that a "fastL4" TCP profile is able to handle CLIENT_ACCEPTED iRule events. And yes you have to make sure that the iRule is attached to your VS and that the VS is configured to handle the desired traffic.
Some additional thoughts on your iRule logic...
1.) I've never seen before that a Def_GW_Pool could be assigned using the [pool] command. So I'm not sure if your code is completely valid (besides the issue that the iRule is not triggering at all). See SOL15582 for further information on how Def_GW_Pools are implemented.
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15582.html
2.) To override the route for a specific connection you have to use the [nexthop] command.
https://devcentral.f5.com/wiki/iRules.nexthop.ashx
The code I have in mind would then look like this...
when CLIENT_ACCEPTED {
    set cli_ip [substr [IP::client_addr] 0 "%"]
    if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then {
        # SNAT IP and GW for ISP2
        snat 1.1.1.10%1
        nexthop 1.1.1.1%1
    } else {
        # Rely on VS configuration
    }
}
Update: Updated the post to include additional thoughts...
Cheers, Kai
- Nicolas_ROMERO_Nimbostratus
Hi,
Thank you for your advice. I confirm that I followed SOL15582 to implement the default_gw_pool.
I removed the POOL line but the traffic still doesn't match the iRule. Looking at the statistics I noticed that the SNAT was matching a configuration made in the GUI (in the Address Translation > SNAT List menu). I deleted this SNAT entry and bound the iRule to the default VS, but the traffic still doesn't match.
Here is the iRule :
when CLIENT_ACCEPTED {
    log local0. "SNAT MATCH"
    set cli_ip [substr [IP::client_addr] 0 "%"]
    if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then {
        snat Z.Z.Z.Z
        log local0. " -- SNAT 1 -- "
    } else {
        snatpool snat_pool-CLD_ALL
        log local0. " -- SNAT 2 -- "
    }
}
Hi Nicolas,
if the iRule doesn't trigger at all, then something must be wrong on the Virtual Server or even on your network equipment in front of your LTM. To help you further, post the detailed Virtual Server configuration and briefly describe the network integration of your LTM.
Cheers, Kai
- Nicolas_ROMERO_Nimbostratus
Hi,
You can find my configuration here: https://dl.dropboxusercontent.com/s/alilgjfbupolezd/bigip.conf?dl=0
You can find the network map here: https://dl.dropboxusercontent.com/s/kanzks5adbcfynj/Schema_bigip.png?dl=0
Thank you for your help.
Hi Nicolas,
I guess I've found the problem. The default VS needs to be changed to "Forwarding (IP)" mode, with Destination Address/Mask 0.0.0.0/0, global SNATPOOL settings for ISP2, and the default route pointed to Y.Y.Y.1. Delete the conditional SNAT rules and also the default_gw_pool.
Then attach the iRule below to override SNAT and the default route for the two additional networks to ISP1.
when CLIENT_ACCEPTED {
    log local0. "VS Reached"
    if { ( [IP::addr [IP::client_addr] equals 10.32.1.192/26] ) or ( [IP::addr [IP::client_addr] equals 10.32.2.0/26] ) } then {
        snat X.X.X.203
        nexthop X.X.X.201
        log local0. " -- SNAT RAS -- "
    } else {
        log local0. " -- SNAT ALL -- "
    }
}
Cheers, Kai
- Nicolas_ROMERO_Nimbostratus
Hi Kai,
I've simplified the configuration, but in fact my final configuration is to have: ISP1 (X.X.X.X) for customer 1 (with 2 local networks) and ISP2 (Y.Y.Y.Y) & ISP3 (Z.Z.Z.Z) for the other customers (with multiple networks).
So compared to your advice I think that this changes the configuration, right? If yes, can you help me to find the correct one?
Thank you a lot.
Hi Nicolas,
If you have to deal with multiple customers you may want to take a look at the traffic-group feature. It will enable you to configure a virtual router for each customer. In this case each customer would have its own routing table and static SNAT settings. And no iRules would be needed then...
If multiple traffic groups are not an option for you, then the technique outlined in my last response would remain nearly the same. Designate one customer as the default route and SNAT, and then override the nexthop and SNAT based on the different source addresses. The iRule would then look like this...
when CLIENT_ACCEPTED {
    log local0. "VS Reached"
    if { ( [IP::addr [IP::client_addr] equals 10.32.1.192/26] ) or ( [IP::addr [IP::client_addr] equals 10.32.2.0/26] ) } then {
        snat X.X.X.203
        nexthop X.X.X.201
        log local0. " -- SNAT CUSTOMER2 -- "
    } elseif { ( [IP::addr [IP::client_addr] equals 10.32.3.192/26] ) or ( [IP::addr [IP::client_addr] equals 10.32.4.0/26] ) } then {
        snat X.X.X.103
        nexthop X.X.X.101
        log local0. " -- SNAT CUSTOMER3 -- "
    } elseif { ( [IP::addr [IP::client_addr] equals 10.32.5.192/26] ) or ( [IP::addr [IP::client_addr] equals 10.32.6.0/26] ) } then {
        snat X.X.X.13
        nexthop X.X.X.11
        log local0. " -- SNAT CUSTOMER4 -- "
    } else {
        log local0. " -- SNAT DEFAULT -- "
    }
}
Cheers, Kai
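As an added example that is not part of this thread, the same source-to-ISP mapping can be driven by an address-type data group instead of a growing if/elseif chain, so adding a customer network means adding a record rather than editing the iRule. It keeps the two building blocks from the thread (strip the route-domain suffix, then override snat and nexthop per connection) and assumes a Forwarding (IP) virtual server with the ISP2 SNAT pool and default route as its fallback. The data group name isp_by_source, its records and all addresses are placeholders chosen for illustration:

```tcl
# Added example, not from the thread above.
#
# Assumed data group (name and records are placeholders), created in tmsh as:
#   ltm data-group internal isp_by_source {
#       type ip
#       records {
#           10.32.1.192/26 { data "X.X.X.203 X.X.X.201" }
#           10.32.2.0/26   { data "X.X.X.203 X.X.X.201" }
#           10.32.3.192/26 { data "X.X.X.103 X.X.X.101" }
#           10.32.4.0/26   { data "X.X.X.103 X.X.X.101" }
#       }
#   }
# Each value is "<SNAT address> <next-hop gateway>" for that customer's ISP.
# Sources without a record fall through to the virtual server's own SNAT
# pool and the system default route (the ISP2 path in Kai's design).

when CLIENT_ACCEPTED {
    # IP::client_addr may carry a route-domain suffix ("10.32.1.200%1").
    # Keep only the address part so it compares cleanly against the records.
    set cli_ip [getfield [IP::client_addr] "%" 1]

    # Address data groups are matched by subnet (longest prefix wins);
    # -value returns the record's data, or "" when nothing matches.
    set route [class match -value $cli_ip equals isp_by_source]

    if { $route ne "" } {
        # Tcl 8.4 in iRules has no lassign, so split the value with lindex.
        set snat_ip [lindex $route 0]
        set gw_ip   [lindex $route 1]

        # Override source NAT and the egress gateway for this connection only.
        snat $snat_ip
        nexthop $gw_ip
        log local0. "client $cli_ip -> SNAT $snat_ip via $gw_ip"
    } else {
        log local0. "client $cli_ip -> VS default SNAT pool and default route"
    }
}
```

Whichever form of the rule is used, the return path only works if the selected ISP delivers packets for the chosen SNAT address back to the BIG-IP: that address has to be a self IP or a SNAT translation address the BIG-IP answers ARP for on the VLAN facing that ISP. If the SNAT address belongs to a different ISP's range, outbound traffic leaves via the nexthop while replies arrive through the other link, which is the asymmetric tcpdump described earlier in the thread. Keep the log lines while testing and remove them once the mapping is confirmed, since every new connection on a default-forwarding VS would otherwise write to /var/log/ltm.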