Forum Discussion
Nexthop
I am trying to configure the nexthop global command via an iRule in order to send traffic to a particular gateway depending upon which VLAN it hits.
In a simple VM lab I have one VLAN 'Prod' with a server node of 10.20.0.111. The virtual server is addressed as 10.20.0.250. I have removed the default route on the LTM and configured the global nexthop iRule and applied it to the VIP. What seems to happen when I attempt to pass traffic is that the VIP holds on to the traffic. For example, for an FTP I get a "connected to 'vip ip'".
(I have tried using the MAC address and IP address of the destination server with the same results.)
iRule:

    when CLIENT_ACCEPTED {
        nexthop Prod 00:0C:29:16:04:7B
    }

or

    when CLIENT_ACCEPTED {
        nexthop Prod 10.20.0.111
    }
- nitass (Employee): This is what the escalation engineer tested.
- kev_245_28249 (Nimbostratus): I'm hoping to be able to set my next hop via the iRule and set my actual destination via the pool.
- kev_245_28249 (Nimbostratus): Any update?
- nitass (Employee): This is feedback from escalation.
- nitass (Employee): BTW, I thought you were John.
Hi,
in case you are using a node and a nexthop command in your iRule, the order of the commands seems to matter. At least in TMOS v11.5.1 HF8 it is required to set the node first and then to set the nexthop, i.e. as follows:

    when CLIENT_ACCEPTED {
        snat [IP::local_addr]
        node 10.131.131.62
        nexthop vlan_dmz 2:f5:f5:20:b0:2
    }

In my client's scenario the node is locally attached to the BIG-IP, but the request has to be forwarded through a locally attached firewall in another VLAN.
This failed if the nexthop was set before setting the node. In this case the nexthop command was simply ignored and the request forwarded directly to the locally attached node (firewall bypassed). Thanks, Stephan
- Zdenda (Cirrus)
Hi, making this topic alive again..
Is this actually working for someone? I use a very similar rule, just the nexthop is defined on L3:

    when CLIENT_ACCEPTED {
        snat automap
        node 10.253.1.205
        nexthop v814_10.231.65.16_m29 10.231.65.17
    }

VIP settings like this:

    ltm virtual testVIP {
        destination 10.34.26.20%80:any
        ip-protocol tcp
        mask 255.255.255.255
        partition test
        profiles {
            /Common/tcp-lan-optimized { }
        }
        rules {
            selectNode
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vs-index 23
    }
When the client goes to 10.34.26.20 the connection is closed by the LB and tcpdump shows a lot of SYN/RST traffic from the LB to the destination IP (63k packets last time). It looks like some internal loop. The client tested 1 connection using FTP.
"Translate address" on the VS level is disabled, otherwise the nexthop command does not work and the client gets a TCP RST "No route to host".
I use version 12.1.3.
Hi Zdenda, you are working with a routing domain (%80 in your example)? Very likely it will be required to specify the nexthop including the routing domain information (not tested):

    when CLIENT_ACCEPTED {
        snat automap
        node 10.253.1.205%80
        nexthop v814_10.231.65.16_m29 10.231.65.17%80
    }
This might have been the cause for the no route error and will allow you to enable the destination NAT as it will be required for proper further routing. Cheers, Stephan
- Zdenda (Cirrus)
Tried that as well as the full path of the VLAN (/partition/vlan). Still the same.
For me it looks like F5 does not support DNAT (changing the VIP IP to the server IP in the packet) together with the nexthop command on the same VIP. (I noticed that issue in some older post here on DevCentral using version 9.x; it looks like F5 did not fix that yet.)
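Added example, not code from any poster in this thread: an iRule that puts Stephan's ordering note (node first, then nexthop) into the per-VLAN gateway selection the original question asked for, with a default branch that logs and rejects instead of silently forwarding when no gateway mapping exists. The VLAN names Prod and Mgmt, the node 10.20.0.111, the client subnets and the gateway addresses are assumed lab values; selecting on the client subnet is used here as a stand-in for the ingress VLAN.

```tcl
# Added example (not from the thread). All names and addresses are lab assumptions.
when CLIENT_ACCEPTED {
    # Per Stephan's observation on 11.5.1 HF8: set the node BEFORE nexthop.
    # With nexthop first, the nexthop was ignored and traffic went straight
    # to the locally attached node, bypassing the gateway in between.
    snat automap
    node 10.20.0.111

    # Choose the forwarding gateway from the subnet the client arrived on.
    if { [IP::addr [IP::client_addr] equals 10.20.0.0/24] } {
        nexthop Prod 10.20.0.1
    } elseif { [IP::addr [IP::client_addr] equals 10.30.0.0/24] } {
        nexthop Mgmt 10.30.0.1
    } else {
        # No mapping for this source: fail closed and leave an audit trail
        # rather than let the connection take whatever path the routing table gives.
        log local0. "nexthop iRule: no gateway mapping for [IP::client_addr], rejecting"
        reject
        return
    }
    log local0. "nexthop iRule: [IP::client_addr] forwarded to node 10.20.0.111 via selected gateway"
}
```

When testing a rule like this, the syslog lines make it easy to confirm with tcpdump on the named VLAN that the SYN actually leaves towards the gateway MAC rather than directly to the node; Zdenda's report above shows that on 12.1.3 the combination with address translation enabled still needs checking in your own version.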