Outbound routing based upon source IP

Thanks for this post, I got trick from your thoughts.

 

 

 

Just clarified, to implement my situation:

 

 

1. most internal host(client) should routed to external network, where external network protected by a firewall.

 

2. some specific internal host should snated based on it's source ip and destination ip and tcp dest port.

 

3. since other service should not do snat for this specific internal host, so global snat should not applied on this internal host.

 

 

could I realize such snat irule on 0.0.0.0/0 forwarding pool?

 

 

BTW,

 

my bigip version is 9.1.2 40.2, but i cannot find the address translation and port translation checkbox on wildcard ip forwarding pool, and i found version is very sensitive for bigip device.

 

 

-Grei

Posted By rodrigo.ev on 10/19/2006 2:17 PM

I'd like to propose another scenario we got in a customer:

Suppose we have the Wildcard Virtual Server (0.0.0.0:0) pointed to a Default Gateway Pool with my two ISP routers (200.1.0.1 and 200.2.0.1).

I want the outbound connection for specific internal servers to use another IP other than SelfIP/SNAT Automap (let's say Static SNAT Addresses 200.1.0.10 and 200.2.0.10).

With the iRule described above I can get this result, but the destination router will be selected by the SNAT, not leveraging the router/link status in a Link Controller Box.

The best would be to let the pool select the better router based on its metrics and then execute the iRule to SNAT to the proper static address.

class class_static_snat_servers  {
   host 10.0.0.10
   host 10.0.0.11
}
class class_static_snat_gateways {
"200.1.0.1 200.1.0.10"
"200.2.0.1 200.2.0.10"
}
when CLIENT_ACCEPTED {
  set static_snat_server [IP::client_addr]
}
when LB_SELECTED {
  if {$::static_snat_server eq $::class_static_snat_servers]} {
    set selected_gateway [findclass [LB::server addr] $::class_static_snat_gateways " "]
    if { $selected_gateway ne "" } {
      snat $selected_gateway
    }
  }
}

Or, in a short way:

when LB_SELECTED {
  if {[matchclass [IP::client_addr] eq $::class_static_snat_servers]} {
    set my_gw [findclass [LB::server addr] $::class_static_snat_gateways " "]
    if { $my_gw ne "" } {
      snat $my_gw
    }
  }
}

if i have many internal servers , i want use the networks instead of host IPs, every networks use a different snat ip ,can i build the class like this???

class class_static_snat_servers {

network 10.0.0.0 mask 255.255.255.0

network 10.0.1.0 mask 255.255.255.0

or

class class_static_snat_servers {

"10.0.0.0/24 200.1.0.10"

"10.0.1.0/24 200.1.0.11"

}

Hi,

 

 

If you define an SNAT pool an associate it with a wildcard routing VS, the BIG-IP will automatically use the SNAT pool member which belongs to the same IP subnet that the selected outgoing router. We've already tried it and it works properly.

 

 

However, if you already have an SNAT Automap attached to the wildcard VS, you'll have to define an iRule based on client IP addresses to assign the correct SNAT pool, but this is an upgrade over previous implementations since the BIG-IP selects the outgoing router and then applies SNAT, not the other way around.

 

 

BR

Thank you for your help，I don't wanna use too many "if" or "elesif" in ruels , can i use the "classe".

 

 

rule outbound-snat {

 

 

when CLIENT_ACCEPTED {

 

if { [ matchclass [IP::local_addr] equals $::ISP1_ip ] } {

 

pool ISP1_GW_pool

 

}

 

elseif { [ matchclass [IP::local_addr] equals $::ISP2_IP ] } {

 

pool ISP2_GW_pool

 

}

 

else {

 

pool default_gateway_pool

 

}

 

}

 

when LB_SELECTED {

 

if { [[LB::server addr] equals ISP1_GW] } {

 

if { [[IP::client_addr] equals 172.16.1.0/24] } {

 

snat 200.1.0.10

 

}

 

elseif { [[IP::client_addr] equals 172.16.2.0/24] } {

 

snat 200.1.0.11

 

}

 

elseif { [[IP::client_addr] equals 172.16.3.0/16] } {

 

snat 200.1.0.12

 

}

 

.........

 

........

 

 

}

 

else {

 

snat automap

 

}

 

}

 

 

 

but i have so many networks need to snat and for some reason i can't change it . (ie : 172.16.1.0/24 must ues 200.1.0.11 ; 172.16.2.0/24 must 200.1.0.12),if I use following rules, does it work?

 

 

class snat {

 

"172.16.1.0/24 200.1.0.10"

 

"172.16.2.0/24 200.1.0.11"

 

"172.16.3.0/24 200.1.0.12"

 

.....

 

.....

 

 

}

 

 

rule outbound-snat {

 

 

when CLIENT_ACCEPTED {

 

if { [ matchclass [IP::local_addr] equals $::ISP1_ip ] } {

 

pool ISP1_GW_pool

 

}

 

elseif { [ matchclass [IP::local_addr] equals $::ISP2_IP ] } {

 

pool ISP2_GW_pool

 

}

 

else {

 

pool default_gateway_pool

 

}

 

}

 

when LB_SELECTED {

 

if { [[LB::server addr] equals ISP1_GW] } {

 

set my_snat [ findclass [IP::client_addr] $::snat " " ]}

 

if { $my_snat ne "" } {

 

snat $my_snat

 

}

 

else { snat automap}

 

}

 

}

 

 

 

 

Hi Guys,

 

I am also new on F5. I would to get some advice from the F5 Gurus. Below is the situation I am in.

 

I have an LTM which is connected to a Switch (TRUNK), I have allowed already the 2 VLANs for my 2 VIPs (VLAN A - VIP1 and VLAN B - VIP2). the GWs for the respective VLANs are also configured on the switch. I have created the self-IPs for each VLANs as well.

 

When a user access 1 VIP (VIP1) traffic will SNATed to VIP1.9 and should forward to VIP1.1(GW) and same goes for VIP2 (will be SNATed to VIP2.9 and should forward traffic to VIP2.1(GW).

 

Please help me on this as I can't any solution on the internet for this. many thanks in advance!