Hi, I tried to configure an iRule to SNAT specific LAN to a specific ISP (wan link). When I bind this iRule to my default VS (in fastL4) the iRule doesn't match when I generate traffic from my lan. I don't know if my iRule is good... : when CLIENT_ACCEPTED { set my_ip [IP::client_addr] if { [IP::addr [IP::client_addr] equals X.X.X.X/26] or [IP::addr [IP::client_addr] equals Y.Y.Y.Y/26]} {snat Z.Z.Z.Z pool default_gw_pool } else {snatpool snat_pool-CLD_ALL pool default_gw_pool } } Some have an idea?

On 11.5.3, I tried a somewhat simplified version, and it works as I expect: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals "192.168.0.0/16"] or [IP::addr [IP::client_addr] equals "10.11.201.0/24"] } { snat automap log local0. " -- YES -- " } else { log local0. " -- NO -- " } } when applied to a "Performance (L4)" Virtual Server with no other alterations. I also tried it with a "Forwarding (IP)" Virtual Server with a VIP of 0.0.0.0/0. It works in that case, too. You may consider adding a logging statement at the head of the rule to ensure that it is firing, and if so, add additional logging to capture the relevant values (e.g., [IP::client_addr]).

Hi Nicolas, as Vernon already said the code as is looks fine and some debug line would definately help to troubleshoot the problem. Also keep in mind that possible route domain sufixes may break the functionality of [IP::addr]. You may have to strip these %id suffixes before comparing the client ip. when CLIENT_ACCEPTED { set cli_ip [substr [IP::client_addr] 0 "%"] if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then { snat Z.Z.Z.Z pool default_gw_pool } else { snatpool snat_pool-CLD_ALL pool default_gw_pool } } Cheers, Kai

Hello, I tried to apply this iRules but it still doesn't work : when CLIENT_ACCEPTED { set cli_ip [substr [IP::client_addr] 0 "%"] if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then { snat Y.Y.Y.Y log local0. " -- SNAT 1 -- " } else { snatpool snat_pool-CLD_ALL pool default_gw_pool log local0. " -- SNAT ALL -- " } } In my log files (messages file) there is no log... In my tcpdump I still have the outbound traffic passing through the ISP1 and the return passing through the ISP2. Can you confirm that the iRule have to be bound to the default-VS 0.0.0.0 in L4? As you can see in this capture the iRule is not matching : Do you have any other idea?

Hi Nicolas, I can confirm that a "fastL4" TCP profile is able to handle CLIENT_ACCEPTED iRule events. And yes you have to make sure that the iRule is attached to your VS and that the VS is configured to handle the desired traffic. Some additional thoughts on your iRule logic... 1.) I've never seen before that a Def_GW_Pool could be assigned using the [pool] command. So I'm not sure if your code is completely valid (beside the issue that the iRule is not triggering at all). See sol15582 for further information how Def_GW_Pools are implemented. https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15582.html 2.) To overwrite a route for a specific connection you have to use [nexthop] command. https://devcentral.f5.com/wiki/iRules.nexthop.ashx The code I've in my mind would then look like that... when CLIENT_ACCEPTED { set cli_ip [substr [IP::client_addr] 0 "%"] if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then { SNAT IP and GW for ISP2 snat 1.1.1.10%1 nexthop 1.1.1.1%1 } else { Rely on VS configuration } } Update: Updated the post to include additional thoughts... Cheers, Kai

Hi, Thank you for your advice. I confirm that I followed the SOL15582 to implement the default_gw_pool. I remove the POOL line but the traffic still doesn't match with the iRule. Looking the statistics I noticed that the SNAT was matching with a configuration made in GUI (on the Adress Translation > SNAT List Menu). I delete this SNAT entry and I bound the iRule to the default VS but the traffic still doesn't match. Here is the iRule : when CLIENT_ACCEPTED { log local0. "SNAT MATCH" set cli_ip [substr [IP::client_addr] 0 "%"] if { ( [IP::addr $cli_ip equals X.X.X.X/26] ) or ( [IP::addr $cli_ip equals Y.Y.Y.Y/26] ) } then { snat Z.Z.Z.Z log local0. " -- SNAT 1-- " } else { snatpool snat_pool-CLD_ALL log local0. " -- SNAT 2-- " } }

iRule SNAT for multiple ISP

Nicolas_ROMERO_
Nimbostratus
Jan 12, 2016
Hi,

I applied the iRule. The problem is that the iRule is not matching with the traffic. I don't have the pattern "VS Reached" in my ltm log file.

Do you know how can I debug this problem?

When I look my tcpdump I still have a traffic passing from the LAN through the wrong ISP.
Kai_Wilke
MVP
Jan 12, 2016
Hi Nicolas,

did you applied the changes I've suggested a few post earlier?

"The default-VS needs to be changed to "Forwarding (IP)" mode, with Destination Address/Mask 0.0.0.0/0, global SNATPOOL settings for ISP2 and point the default route to Y.Y.Y.1. Delete the conditional SNAT rules and also the default_gw_pool"

Cheers, Kai
Nicolas_ROMERO_
Nimbostratus
Jan 28, 2016
Hi,

If I put the default-VS with Forwarding IP mode, I will not be able to load balance traffic through multiple links right? My final goal is to loadbalance traffic through multiple Links.

According to my problem I found something interesting. I understand why the iRule was not matching! There was a mistake on the VS_default configuration which had a Destination Adress 0.0.0.0 instead of 0.0.0.0/0 So now my default VS is matching. On the BIGIP I see a traffic from my LAN to internet but I don't have the return...
Stanislas_Piro2
Cumulonimbus
Jan 28, 2016
Hi,

you can create the VS with performance (Layer 4) mode and make sure the address translation and port translation are unchecked... (these options are unchecked if the destination is a network)

In this VS, you can define the pool default_gw_pool
Kai_Wilke
MVP
Jan 28, 2016
Hi Nicolas,

the previously provided iRule would in combination with an "Forwarding (IP)" virtual perfrom some sort of load balancing, where each customer-segment would use a different nexthop address and snat address (aka. using a different WAN-Link).

Cheers, Kai
Nicolas_ROMERO_
Nimbostratus
Jan 28, 2016
Okey thank you guys for those information.

I will test first the VS fastL4 with address translation and port translation disabled. I prefer this option to avoid iRules (that are more difficult to maintain). Then if it doesn't work I will try to use iRules. I give you a feedback ASAP.
Nicolas_ROMERO_
Nimbostratus
Jan 28, 2016
Hi Guys,

We are approaching the goal !

Using the FastL4 still doesn't work because as Kai explain, I have to configure different route for some specific LAN.

I switch the default VS to a Forwarding IP + iRule. It works with the LAN which have the iRule with next-hop but with others LAN which have the irule with the pool gateway I still have some timeouts because in the capture I see that the BIGIP still route some traffic through the incorrect Link.

I though that it was because the default VS have a pool which include the specific Link used by the iRule next-hop. I disble this link on the defautl pool and IT WORKS! I just would like to confirm with you if i'm right and if this is the correct configuration. To summerize : - VS_default in Forwarding IP with iRule (which route traffic through a specific next-hop for LAN1 and on the other hand a SNAT-pool for all others LAN) - Default_pool (bound to default_vs) : with two links (except the specific link for LAN1) - A SNAT_pool : to SNAT all LAN except the LAN1 - A SNAT : to SNAT the LAN1 on a specific Public_IP on the Link1 network.
- Kai_Wilke
  MVP
  Jan 28, 2016
  Hey Romeo. You can't have pools on a "Forwarding (IP)" virtual. You may use a pool for the default_gw on your route domain. But is this required? Note: I tend to not use any default_gw_pools but use HSRP/VRRP on the upstream routers instead... ;-) Cheers, Kai
- Nicolas_ROMERO_
  Nimbostratus
  Jan 28, 2016
  Hi, Okey, I remove the pool on the Default_VS. You're right, I have a default route with a default_gw_pool which have 2 routers from 2 different ISP. That's why I have to use a pool. I also optimize the configuration deleting the SNAT entry for LAN1 because the SNAT is performed by the iRule. So now i think that everything is OK !
- Kai_Wilke
  MVP
  Jan 28, 2016
  Glad to hear, that you've finally solved your Multi ISP / SNAT nightmare ;-)
Nicolas_ROMERO_
Nimbostratus
Jan 28, 2016
This is a very good news! I would like to thank you all for you advice and your involvement on my case.
- Kai_Wilke
  MVP
  Jan 28, 2016
  You're welcome! ;-)

Forum Discussion

iRule SNAT for multiple ISP

Recent Discussions

Is network access bypassing APM logon pages?

<apm_do_not_touch> in JS file failing</apm_do_not_touch>

Suddenly Can't access Login Box to F5 LTM Via SSH & GUI

LTM + GTM on same box

Application drop down menus does not work behind F5 APM Portal Access

Related Content

F5 LTM SNAT: only 1 outgoing connection, multiple internal clients

SNAT statistics and iRule for selecting SNAT IP

HTTP::redirect doesn't work for multiple conditions, URL redirect doesn't work using iRule

SNAT / X-FORWARD-FOR breaks HTTPS connection

SNAT Pool Subent entry