Forum Discussion
Michael_Kelsey_
Nimbostratus
Sep 18, 2007
LTM Multiple Default Routes?
I wish to establish multiple default routes in more or less a virtual router perspective. I have four ports on a LTM (C62a, running BigIP 9.4.0) partitioned into two private networks and two public n...
Deb_Allen_18
Sep 22, 2007
Historic F5 Account
Hi Michael --
OK, I think I get what you're going for now.
And a picture being worth a thousand words...
                I
               /\
              /  \
             /    \
    ---------      ---------
    12.1.37.1      12.1.39.1
    ---------      ---------
        |              |
        |              |
    ------------------------
    |         LTM          |
    ------------------------
        |              |
    192.168.37.x   192.168.39.x
    nats out to    nats out to
    12.1.37.x      12.1.39.x

& you want to ensure outbound traffic from 192.168's is routed out the corresponding gateway?
I don't think a default gateway pool would choose the more local of the 2 addresses for each connection, but you could try that first.
If that doesn't do it, then create this iRule:
    when CLIENT_ACCEPTED {
        # Track whether a failover to the other gateway has already been tried
        set failed 0
        # Pick the gateway that matches the client's source subnet
        if {[IP::addr [IP::client_addr] equals 192.168.37.0/24]}{
            node 12.1.37.1
        } elseif {[IP::addr [IP::client_addr] equals 192.168.39.0/24]}{
            node 12.1.39.1
        }
    }
    when LB_FAILED {
        if {$failed == 0}{
            # First failure: try the other gateway and log the switch
            if {[IP::addr [IP::client_addr] equals 192.168.37.0/24]}{
                log local0. ".37. gateway not responding, trying .39."
                node 12.1.39.1
            } elseif {[IP::addr [IP::client_addr] equals 192.168.39.0/24]}{
                log local0. ".39. gateway not responding, trying .37."
                node 12.1.37.1
            }
            set failed 1
        } else {
            # Second failure: both gateways are down, drop the connection and log it
            discard
            log local0. "both gateways down, can't forward, discarding ([IP::client_addr]:[TCP::client_port])"
        }
    }

Configure a wildcard forwarding virtual server (0.0.0.0:0, mask 0.0.0.0, type Forwarding(IP), Proto=All, enabled only on the 2 server-facing vlans) and apply the above iRule to it.
The rule will choose the correct gateway, choose the other if no response, and silently drop the connection if both are down, logging the event in the ltm log to assist in troubleshooting. (Note: You can use only the CLIENT_ACCEPTED portion of the iRule if you don't want to fall back to the other gateway.)
The NATs will take place on egress as configured.
I didn't push any traffic through the rule, but it passed a syntax check applied to a forwarding virtual server.
HTH, and I'd be very interested to hear how that works out for you.
/deb
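
The decision table the post describes (matching gateway first, the other gateway on failure, discard and log when both are down) can be checked offline before any traffic is pushed through the rule. The following Python model is an added example, not part of the original post and not F5 code; the function name `route`, the `gateways_up` input and the "unmatched" outcome for sources outside both subnets are assumptions made for the model.

```python
import ipaddress

# Source subnet -> (primary gateway, fallback gateway, failover log line),
# copied from the iRule in the post above.
POLICY = [
    (ipaddress.ip_network("192.168.37.0/24"), "12.1.37.1", "12.1.39.1",
     ".37. gateway not responding, trying .39."),
    (ipaddress.ip_network("192.168.39.0/24"), "12.1.39.1", "12.1.37.1",
     ".39. gateway not responding, trying .37."),
]


def route(client_ip, client_port, gateways_up):
    """Model one connection through the rule.

    gateways_up is a constructed input: the set of gateway addresses that
    currently respond. Returns (action, gateway, log_lines).
    """
    addr = ipaddress.ip_address(client_ip)
    logs = []
    for net, primary, fallback, failover_msg in POLICY:
        if addr in net:
            break
    else:
        # Neither branch of the rule matches, so the rule selects no node.
        return ("unmatched", None, logs)

    # CLIENT_ACCEPTED: the gateway on the client's own side is chosen first.
    if primary in gateways_up:
        return ("forward", primary, logs)

    # First LB_FAILED (failed == 0): log and try the other gateway.
    logs.append(failover_msg)
    if fallback in gateways_up:
        return ("forward", fallback, logs)

    # Second LB_FAILED (failed == 1): drop the connection and log it.
    logs.append("both gateways down, can't forward, discarding "
                f"({client_ip}:{client_port})")
    return ("discard", None, logs)


if __name__ == "__main__":
    # Constructed sample connections and gateway states.
    both = {"12.1.37.1", "12.1.39.1"}
    for src, up in [("192.168.37.10", both), ("192.168.39.7", {"12.1.37.1"}),
                    ("192.168.37.10", set()), ("10.0.0.5", both)]:
        print(src, sorted(up), "->", route(src, 40000, up))
```

The "unmatched" row is the one to review: a source address outside both /24s gets no gateway from the rule, so what happens to it depends on the rest of the configuration.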
