outbound traffic for specific url by using specific IP
Firstly, I assume you are using SSL offloading. If so, you cannot use a "Performance (L4)" VS for this; clientssl requires a Standard VS. However, if you are using SSL offloading and going to public locations (like www.yahoo.com), then you must use Proxy SSL or an SSL Forward Proxy with a set of wildcard certificates signed by a local CA trusted by the clients.
Anyhow, here is a configuration that should get you at least close to what you want. I am assuming that 10.10.212.200 is the default gateway for the BIG-IP:
These are the two SNAT addresses you want, each in its own pool
ltm snatpool snat-pool-01 { members { 10.10.212.105 } }
ltm snatpool snat-pool-02 { members { 10.10.212.125 } }
This is the pool to be used in the port 80 case. It points to the BIG-IP's default gateway (10.10.212.200, in my setup)
ltm pool pool-gateway-01 {
    members {
        10.10.212.200:any {
            address 10.10.212.200
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp
}
This is the iRule applied to the port 80 VS that selects the second SNAT IP if the host destination is www.yahoo.com
ltm rule rul-select-snat {
    when HTTP_REQUEST {
        if { [HTTP::host] eq "www.yahoo.com" } {
            snatpool snat-pool-02
        }
    }
}
This is the wildcard VS. You might as well make it a forwarding VS.
ltm virtual vs-forwarding {
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat-pool-01
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 5
}
This is the port 80 wildcard address VS that is only used by the subset of hosts as you wish. Notice that the default SNAT address is the same as the other VS (snat-pool-01). The iRule selects the other snat address (snat-pool-02) if the particular host matches.
ltm virtual vs-http-01 {
    destination 0.0.0.0:http
    ip-protocol tcp
    mask any
    pool pool-gateway-01
    profiles {
        clientssl {
            context clientside
        }
        http { }
        mptcp-mobile-optimized { }
    }
    rules {
        rul-select-snat
    }
    source 10.100.8.0/22
    source-address-translation {
        pool snat-pool-01
        type snat
    }
    vlans {
        external
    }
    vlans-enabled
    vs-index 6
}
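A stricter variant of the rul-select-snat body, added here as an example and not part of the original post: the Host header is supplied by the client, so it is normalised before the comparison, and each use of snat-pool-02 is logged with the client and destination address for audit. The log facility and message format are assumptions.

```tcl
# Added example, not from the original post. Replaces the body of
# rul-select-snat; the log facility and message format are assumptions.
when HTTP_REQUEST {
    # HTTP::host returns the Host header as the client sent it. It may be
    # mixed case ("WWW.Yahoo.COM"), carry a port ("www.yahoo.com:80") or
    # end in a dot ("www.yahoo.com."), and an exact "eq" test misses all three.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host [string trimright $host "."]

    switch -- $host {
        "www.yahoo.com" {
            snatpool snat-pool-02
            # The Host header is chosen by the client and is not tied to the
            # destination address, so record both for later review.
            log local0.info "snat-pool-02: client=[IP::client_addr] host=$host dst=[IP::local_addr]"
        }
        default {
            # Make the fallback explicit instead of relying on the VS default.
            snatpool snat-pool-01
        }
    }
}
```

If the second SNAT address is allow-listed by an upstream firewall or a remote service, review these log entries for destination addresses that do not belong to the named host.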