Forum Discussion

kev_245_28249, Apr 22, 2011

Nexthop

Hi,

I am trying to configure the nexthop global command via an iRule in order to send traffic to a particular gateway depending upon which VLAN it hits.

In a simple VM lab I have one VLAN 'Prod' with a server node of 10.20.0.111. The virtual server is addressed as 10.20.0.250. I have removed the default route on the LTM and configured the global nexthop iRule and applied it to the VIP. What seems to happen when I attempt to pass traffic is that the VIP holds on to the traffic. For example, for FTP I get "connected to <VIP IP>".

(I have tried using the MAC address and the IP address of the destination server, with the same results.)

iRule:

    when CLIENT_ACCEPTED {
        # next hop given as the server's MAC address on VLAN 'Prod'
        nexthop Prod 00:0C:29:16:04:7B
    }

or

    when CLIENT_ACCEPTED {
        # next hop given as the server's IP address on VLAN 'Prod'
        nexthop Prod 10.20.0.111
    }

 

  • This is what the escalation engineer tested.

    Anyway, we are still waiting for confirmation from PD.

    ------------------------------

    The next hop MAC address is owned by 10.1.10.253 (commented out now).

    If I remove the iRule from the virtual, the traffic goes to link2 10.2.10.253.

    pool link-pool {
        members 10.1.10.253:http {}
        members 10.2.10.253:http {}
    }

    rule myrule {
        when CLIENT_ACCEPTED {
            log local0.info "hit!"
            # force the next hop to the MAC of 10.1.10.253 on VLAN link1
            nexthop link1 00:01:D7:3A:E1:C4
        }
    }

    virtual any_any {
        destination 10.4.10.100:http
        translate address disable
        translate service disable
        rule myrule
        pool link-pool
    }

    ------------------------------
  • I'm hoping to be able to set my next hop via the iRule and set my actual destination via the pool.

    pool Http_3rd_Party_Outbound {
        members 192.168.2.111:http {}
    }

    rule next_hop_test {
        when CLIENT_ACCEPTED {
            # next hop is the gateway MAC on VLAN 1381; the log line records the gateway's IP
            nexthop 1381 00:09:0F:23:7F:C5
            log local0. "nexthop Vlan_1381_Pres_Inter 16x.8.xx.126"
        }
    }

    virtual SSH_Outbound_3rd_Party {
        translate address disable
        translate service disable
        snatpool Vip_snat_outbound
        pool SSH_3rd_Party_Outbound
        destination 16x.8.8x.120:ssh
        ip protocol tcp
        rules next_hop_test
    }

  • This is feedback from escalation.

    > If they try to change next hop router based to route to pool member over a gateway, then that won't work.
    > What nexthop does is not working as you expect.

    Additionally, he suggests we may try LB::reselect nexthop.

    LB::reselect Wiki
    http://devcentral.f5.com/wiki/default.aspx/iRules/LB__reselect.html

    I have not had a chance to test it yet. I think I will be able to test this weekend.
  • Hi,

    in case you are using a node and a nexthop command in your iRule, the order of the commands seems to matter.

    At least in TMOS v11.5.1HF8 it is required to set the node first and then to set the nexthop.

    I.e. as follows:

    when CLIENT_ACCEPTED {
         # SNAT the connection to the local (virtual server) address
         snat [IP::local_addr]
         # select the destination node first ...
         node 10.131.131.62
         # ... then force the next hop (firewall MAC on VLAN vlan_dmz)
         nexthop vlan_dmz 2:f5:f5:20:b0:2
    }

    In my client's scenario the node is locally attached to the BIG-IP, but the request has to be forwarded through a locally attached firewall in another VLAN.

    This failed if the nexthop was set before setting the node.

    In this case the nexthop command was simply ignored and the request was forwarded directly to the locally attached node (firewall bypassed).

    Thanks, Stephan
  • Hi, making this topic alive again...

    Is this actually working for someone? I use a very similar rule, just with the nexthop defined at L3:

    when CLIENT_ACCEPTED {
      # SNAT to a self IP on the egress VLAN
      snat automap
      # select the destination node first, then force the L3 next hop on the named VLAN
      node 10.253.1.205
      nexthop v814_10.231.65.16_m29 10.231.65.17
    }

    VIP settings like this:

    ltm virtual testVIP {
        destination 10.34.26.20%80:any
        ip-protocol tcp
        mask 255.255.255.255
        partition test
        profiles {
            /Common/tcp-lan-optimized { }
        }
        rules {
            selectNode
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vs-index 23
    }

    When the client goes to 10.34.26.20 the connection is closed by the LB, and tcpdump shows a lot of SYN/RST traffic from the LB to the destination IP (63k packets last time). It looks like some internal loop. The client tested one connection using FTP.

    "Translate address" at VS level is disabled; otherwise the nexthop command does not work and the client gets a TCP RST "No route to host".

    I use version 12.1.3.

    • Hi Zdenda, you are working with a routing domain (%80 in your example)? Very likely it will be required to specify the nexthop including the routing domain information (not tested):

      when CLIENT_ACCEPTED {
        snat automap
        # routing domain suffix (%80) on the node ...
        node 10.253.1.205%80
        # ... and on the next hop address
        nexthop v814_10.231.65.16_m29 10.231.65.17%80
      }

      This might have been the cause of the "no route" error, and it will allow you to enable the destination NAT, as that will be required for proper further routing. Cheers, Stephan

    • Zdenda

      Tried that, as well as the full path of the VLAN (/partition/vlan). Still the same.

      For me it looks like F5 does not support DNAT (changing the VIP IP to the server IP in the packet) together with the nexthop command on the same VIP. (I noticed that issue in some older post here on DevCentral using version 9.x; it looks like F5 has not fixed that yet.)
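Pulling the thread's findings together, here is an added example iRule. It is not code from any poster above and not F5's own; it does what the original question asked for (pick the gateway by the VLAN the client arrived on), keeps the ordering Stephan found necessary on 11.5.1 (snat, then node, then nexthop), carries the routing-domain suffix on both the node and the next hop address as Stephan suggested for Zdenda's routing-domain setup (which he marked untested), and fails closed on an unmapped ingress VLAN instead of letting the connection fall through to the default route. The ingress VLAN IDs 100 and 200, the VLAN names, the gateway and node addresses and routing domain 80 are all assumptions made up for the example.

```tcl
# Added example iRule, not from this thread. Assumed (not on the page): the
# ingress VLAN IDs, the egress VLAN names, the gateway and node addresses,
# and routing domain 80.
when RULE_INIT {
    # ingress VLAN ID -> {egress VLAN name, gateway address, node address}
    array set static::gw_by_vlan {
        100 {vlan_dmz  10.231.65.17%80 10.253.1.205%80}
        200 {vlan_corp 10.231.66.1%80  10.253.1.205%80}
    }
}

when CLIENT_ACCEPTED {
    # VLAN ID of the VLAN the client's packets arrived on
    set vid [LINK::vlan_id]

    if { ![info exists static::gw_by_vlan($vid)] } {
        # Unknown ingress VLAN: fail closed. Falling through would let the
        # connection take the default route and skip the intended gateway.
        log local0. "nexthop: no gateway mapped for ingress VLAN $vid (client [IP::client_addr]), rejecting"
        reject
        return
    }

    set entry       $static::gw_by_vlan($vid)
    set egress_vlan [lindex $entry 0]
    set gateway     [lindex $entry 1]
    set node_addr   [lindex $entry 2]

    # Order matters (observed on TMOS 11.5.1HF8 earlier in the thread):
    # SNAT, then pick the node, then force the next hop. With nexthop
    # before node, nexthop was silently ignored and the node reached directly.
    snat automap
    node $node_addr
    nexthop $egress_vlan $gateway

    # Log the decision so it can be checked against a capture on the egress VLAN.
    log local0. "nexthop: client [IP::client_addr] on VLAN $vid -> node $node_addr via $gateway on $egress_vlan"
}
```

To confirm the rule is doing what the log line claims, capture on the egress VLAN on the BIG-IP with `tcpdump -nei <egress VLAN> host <node IP>` and check that frames towards the node carry the gateway's MAC as destination; any frame carrying the node's own MAC means the gateway (firewall) was bypassed, which is the silent failure Stephan described. Virtual-server settings are outside the iRule: the posters here only got nexthop to work with translate-address disabled, and Zdenda reports on 12.1.3 that DNAT and nexthop on the same VIP did not work together, so test with the translate-address setting you actually intend to run.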

       
