Forum Discussion
irule to load balance to specific ISP based on source IP
Hi guys,
I have 2 ISP links and I'm doing outbound load balancing across the 2 links. I have 2 subnets of users, subnet 1 and subnet 2. I need subnet 1 to go through ISP 1 and subnet 2 to go through ISP 2. In case ISP 1 is down, subnet 1 goes through ISP 2 and subnet 2 stops going to the internet. The vice versa is not correct; I mean if ISP 2 is down, subnet 2 will not have internet. I mean subnet 1 always has priority to go to the internet. I need an iRule to do this scenario.
- Stanislas_Piro2
Cumulonimbus
Create 2 pools:
- Pool_GW_ISP1
  - priority group activation: less than 1
  - ISP1_GW:0 priority 10
  - ISP2_GW:0 priority 1
- Pool_GW_ISP2
  - priority group activation: less than 1
  - ISP2_GW:0 priority 10
  - ISP1_GW:0 priority 1

Create 2 VS:
- VS_FWD_OUT_SUBNET1
  - source: SUBNET1 (ex: 10.1.0.0/16)
  - destination: 0.0.0.0/0
  - service: any
  - translate address: disable
  - pool Pool_GW_ISP1
  - source address translation: automap
- VS_FWD_OUT_SUBNET2
  - source: SUBNET2 (ex: 10.2.0.0/16)
  - destination: 0.0.0.0/0
  - service: any
  - translate address: disable
  - pool Pool_GW_ISP2
  - source address translation: automap
- RaghavendraSY
Altostratus
First create an ISP pool. Based on source IP and port you can send traffic to a specific pool.

    when CLIENT_ACCEPTED {
        # Match the permitted client addresses (placeholders as posted)
        if { [IP::addr [IP::client_addr] equals 10.x.x.x] or [IP::addr [IP::client_addr] equals 192.x.x.x] } {
            # Only port 443 is sent to the ISP pool
            if { [TCP::local_port] == 443 } {
                pool ISP-POOL
            } else {
                reject
            }
        } else {
            reject
        }
    }
Hi Hawary,
you may use the iRule below on your IP-Forwarding Virtual Server, to overwrite the SNAT and Nexthop-IP based on the availability of the Def-GW for ISP1.
- If ISP1 is available it will route traffic from Network 1 to ISP1
- If ISP1 is available it will route traffic from Network 2 to ISP2
- If ISP1 is offline it will route traffic from Network 1 to ISP2
- If ISP1 is offline it will reject traffic from Network 2
Note: You don't have to care if ISP2 is offline - simply try to send traffic to ISP2 as gateway of last resort and see what happens. If ISP2 is down the traffic will be dropped anyway...
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } then {
            # Section for Network 1
            if { [active_members GW_ISP_1_POOL] > 0 } then {
                # ISP 1 is online. Use VS default settings and local routing table.
            } else {
                # ISP 1 is offline. Setting SNAT IP and Nexthop (aka. routing table overwrite) to ISP2
                snat 222.222.222.10 ;# Your IP for ISP2
                nexthop 222.222.222.1 ;# Def-GW of ISP2
            }
        } elseif { [IP::addr [IP::client_addr] equals 10.20.20.0/24] } then {
            # Section for Network 2
            if { [active_members GW_ISP_1_POOL] > 0 } then {
                # ISP 1 is online. Setting SNAT IP and Nexthop (aka. routing table overwrite) to ISP2
                snat 222.222.222.10 ;# Your IP for ISP2
                nexthop 222.222.222.1 ;# Def-GW of ISP2
            } else {
                # ISP 1 is offline. Reject access for Network 2.
                reject
            }
        } else {
            # Undefined traffic will use VS default settings...
        }
    }

Note: If you utilize the IP-Forwarding Virtual Server for internal communication too, then define some additional exceptions for your internal destination IPs (e.g. RFC1918 IPs) at the top of the script, so that the snat/nexthop overwrites will have no effect on those connections.
Cheers, Kai
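
Added example (not code from any poster in this thread): a small truth-table check of the two designs above against the egress policy stated in the question, over every subnet and ISP up/down combination. The function names are hypothetical, the gateways are labels only, and the model of "priority group activation: less than 1" and the assumption that the VS default route points at ISP1 are simplifications of this sketch.

```python
# Added example. Gateways are labels only; all function names are hypothetical.

def required(subnet, isp1_up, isp2_up):
    """Asker's policy: subnet 1 has priority; subnet 2 uses ISP2 only while ISP1 is up."""
    if subnet == 1:
        return "ISP1" if isp1_up else ("ISP2" if isp2_up else None)
    return "ISP2" if (isp1_up and isp2_up) else None

def priority_pool(members, up):
    """Assumed model of 'priority group activation: less than 1' with one
    member per group: pick the highest-priority member that is still up."""
    for gw, _prio in sorted(members, key=lambda m: m[1], reverse=True):
        if up[gw]:
            return gw
    return None  # no member available, connection fails

def two_pool_design(subnet, isp1_up, isp2_up):
    """First reply: one forwarding VS per subnet, each with its own pool."""
    pools = {1: [("ISP1", 10), ("ISP2", 1)],   # Pool_GW_ISP1
             2: [("ISP2", 10), ("ISP1", 1)]}   # Pool_GW_ISP2
    return priority_pool(pools[subnet], {"ISP1": isp1_up, "ISP2": isp2_up})

def irule_design(subnet, isp1_up, isp2_up):
    """Last reply: branch on [active_members GW_ISP_1_POOL].
    Assumes the VS default route points at ISP1."""
    if subnet == 1:
        chosen = "ISP1" if isp1_up else "ISP2"
    elif isp1_up:
        chosen = "ISP2"
    else:
        return None                            # reject
    # Traffic sent to a gateway that is down is simply dropped.
    return chosen if {"ISP1": isp1_up, "ISP2": isp2_up}[chosen] else None

def deviations(design):
    """List (subnet, isp1_up, isp2_up, got, wanted) where design != policy."""
    out = []
    for subnet in (1, 2):
        for isp1_up in (True, False):
            for isp2_up in (True, False):
                got = design(subnet, isp1_up, isp2_up)
                want = required(subnet, isp1_up, isp2_up)
                if got != want:
                    out.append((subnet, isp1_up, isp2_up, got, want))
    return out

if __name__ == "__main__":
    for design in (two_pool_design, irule_design):
        print(design.__name__, deviations(design))
```

Under this model the two-pool design still gives subnet 2 an egress path when either single ISP is down, while the iRule branch matches the stated policy in all eight states.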