Forum Discussion
Load Balancing over two links
Hi guys,
I am sure what I am about to ask has already been discussed here. I have two internet links terminated on GTM and I have a wildcard virtual server taking the traffic to the internet. I have two proxy servers sitting inside my network and I want one proxy to utilize one ISP link and the other to utilize the other link, and in case of failure of one of the links all the web traffic of that link should go via the second link. Can someone help me with an iRule to achieve this?
Regards,
24 Replies
- Mohamed_Lrhazi
Altocumulus
I think he is saying that his one virtual server (address: *, port: *) is acting as the default gateway for his entire network. He can't create an additional wildcard VS. But I don't think a new VS would change anything anyway; if it could, then he could still route traffic from the wildcard one to another via the "virtual" command in an iRule.
What you need is to set the next hop of the traffic, and I only see one command related to this routing business. So if iRules could do it, it would have to be using that command.
Is this GTM a standalone device? What is the default gateway of the GTM? What would happen if you set it to a pool of two ISP routers? Did you look into the Link Controller module? Did you check with your network team if they can implement your needs upstream, with policy routing?
- Techgeeeg
Nimbostratus
OK, let me explain it again. As GTM is the perimeter device, all the NATs are transferred to the GTM device. How it's configured is: I have a wildcard virtual server 0.0.0.0/*, performance layer 4, and it has a SNAT pool and the iRule. The iRule catches the traffic from a particular private IP and uses the SNAT pool to map it to the particular public IP address using the configured SNAT pool.
Now if I have to make another wildcard virtual server then I have two similar things, and as per my understanding the more specific VS gets preference over the more general VS. So what my understanding says is that the existing iRule that I have should only put the traffic of one of the proxies on one of the ISPs, and if that fails it should go to the next one.
I don't need to disturb the whole of the traffic going out from GTM to the ISP links, I just need to handle the traffic for the proxy servers. That is the reason the next hop is not an answer for my query, I think, or I am not able to understand how I will make it work for the proxies and not the whole of the traffic.
This GTM is in redundant mode and the default gateway is a pool that contains the router IP.
- What_Lies_Bene1
Cirrostratus
Thanks for that. So, assuming we don't create any more Virtual Servers, I don't see why you couldn't create two new pools as I suggested before with priority group activation setup, a different ISP router or whatever configured as the higher priority member, then in your iRule, use an if statement to detect if the source is a proxy, if it is, send the traffic to one or the other of the new pools depending on which proxy. Is there a reason this wouldn't work? Is there no way to specifically send traffic to one ISP or the other based on IP address?
- Techgeeeg
Nimbostratus
What you are saying will impact the whole of the traffic going out through GTM via the "wildcard VS". Now what I am understanding from your explanation is that I will make the "default_gateway pool" and set the "priority group activation", and everything is good. Now when this pool is being referenced by the "wildcard virtual server", this priority group activation behavior will apply to all the traffic, whereas I want only the proxy servers' outgoing traffic to be impacted by this. Secondly, I have to have two pools: the first pool will have the ISP1 IP on priority and the other will have the ISP2 IP on priority, and my VS can reference only one pool at a time, so how should I do this?
For the above explanation, correct me if I have understood your point wrongly.
For your second point regarding the iRule: the current iRule I have only finds out the private IP to public IP mapping. Further to this, to let the iRule reference a particular pool in case the private IP is the proxy IP address, this is the part where I am asking how I can achieve this. Can someone help me in writing this iRule?
Regards,
- What_Lies_Bene1
Cirrostratus
No, you don't change the virtual server configuration. You create the new pools but don't assign them to anything, you'll use the iRule assigned to the virtual server to direct traffic to each pool, but only if the source is a proxy. I'll post an attempt at this shortly.
- What_Lies_Bene1
Cirrostratus
OK, so I've no idea what the current iRule looks like but you need something like this which will do its thing before any SNAT etc. I'm not an iRules expert so forgive me if the syntax/structure is slightly wrong:

    when CLIENT_ACCEPTED {
        # Source-based pool selection; x.x.x.x stands for each proxy's address
        if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
            # proxy 1
            pool pga_isp1_pool
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.x] } {
            # proxy 2
            pool pga_isp2_pool
        }
    }

- Mohamed_Lrhazi
Altocumulus
I am not sure the "pool" command would do "routing"... you would need "nexthop", no?
- What_Lies_Bene1
Cirrostratus
Using nexthop would require you to code some sort of check to make sure the next hop is actually available. Using a pool is much better and results in automatic failover to the other link. The pool command does exactly that. I wouldn't call it routing but it'll send the traffic to the pool you specify and I guess the pool configuration determines the routing as it were.
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/130/iRules-101--05--Selecting-Pools-Pool-Members-and-Nodes.aspx
- Techgeeeg
Nimbostratus
Hi,
The iRule I currently have looks like this:

    when CLIENT_ACCEPTED {
        # Map a private source IP to its public SNAT pool via the Snat_pool data group
        if { [class match [IP::client_addr] equals Snat_pool] } {
            snatpool [class match -value [IP::client_addr] equals Snat_pool]
        }
    }

This iRule is applied on the wildcard VS, so it catches the outgoing traffic and maps a particular private IP to a particular public IP from the Snat_pool.
Now the iRule you have provided above seems perfectly logical. So what I may do now is remove the proxy IPs from the SNAT and use the one you have shown for the proxy IPs, am I correct?
- What_Lies_Bene1
Cirrostratus
No reason to remove the proxies from your iRule unless you can't be sure of what address they will get. I'd do it like this, but please note I'm not too hot with iRules just yet:

    when CLIENT_ACCEPTED {
        # Existing private-to-public SNAT mapping
        if { [class match [IP::client_addr] equals Snat_pool] } {
            snatpool [class match -value [IP::client_addr] equals Snat_pool]
        }
        # Per-proxy pool selection; x.x.x.x stands for each proxy's address
        if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
            # proxy 1
            pool pga_isp1_pool
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.x] } {
            # proxy 2
            pool pga_isp2_pool
        }
    }

You'd have to test to see if the original or SNAT source IP matches.
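The two pools this answer relies on are never shown in the thread. As an added example (not posted by any participant), this is one way to define them in bigip.conf stanza form; the router addresses 192.0.2.1 (ISP1) and 198.51.100.1 (ISP2), the priority values and the gateway_icmp monitor are assumptions.

```tmsh
# Added example: constructed addresses, not values from the thread.
# Priority group activation is the combination of min-active-members on the
# pool and priority-group on each member: traffic stays on the highest
# priority group until fewer than min-active-members of it are available.

# Proxy 1: ISP1 router preferred, ISP2 router used only when ISP1 is down.
ltm pool pga_isp1_pool {
    members {
        192.0.2.1:0 {
            address 192.0.2.1
            priority-group 10
        }
        198.51.100.1:0 {
            address 198.51.100.1
            priority-group 5
        }
    }
    min-active-members 1
    monitor gateway_icmp
}

# Proxy 2: the same two routers with the priorities reversed.
ltm pool pga_isp2_pool {
    members {
        198.51.100.1:0 {
            address 198.51.100.1
            priority-group 10
        }
        192.0.2.1:0 {
            address 192.0.2.1
            priority-group 5
        }
    }
    min-active-members 1
    monitor gateway_icmp
}
```

Failover here is only as good as the monitor: gateway_icmp shows that the ISP router answers ping, so an outage further upstream will not move traffic to the other link.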