Forum Discussion
outbound traffic for specific url by using specific IP
The gateway of all my pool members is the F5. I have a SNAT and a VS for outbound traffic. Therefore the outside world sees IP1, which is set on my SNAT for my outbound traffic. I want the pool members to go to some specific URL such as www.yahoo.com and have the outside world see another IP2 instead of IP1. Do we have some iRule that can achieve my goal?
19 Replies
- John_Chen_43562
Nimbostratus
OK... I got it working, but not exactly the way I want. I still want to know whether I can get help from here.
Here is what I have done, but it only works for https traffic. I have two VS. VS1 - all outbound traffic for all pool members, using IP1 on snat1. VS2 - all outbound https traffic for all pool members, using IP2 on snat2. All pool members are using the F5 as their default gateway.
VS1 setup as below.
- VS type - performance layer4.
- Source - 0.0.0.0/0.
- Destination - network - 0.0.0.0/0.0.0.0 and all ports.
- snat - using snat1.
- no pool members.
VS2 set up as below.
- VS type - performance layer4.
- source - 10.100.8.0/22 - this is my DMZ where all pool members are.
- Destination - network - 0.0.0.0/0.0.0.0 and port 443.
- snat - using snat2.
- no pool members.
Therefore, all https outbound traffic from pool members is using snat2 - IP2. Other outbound traffic from pool members is using snat1 - IP1.
I want to know how to set up ONLY a specific URL like https://www.yahoo.com so that its outbound traffic uses snat2 while everything else uses snat1 (including https to other URLs).
- VernonWells
Employee
Firstly, I assume you are using SSL offloading. If so, you cannot use a "Performance (L4)" VS for this; clientssl requires a Standard VS. However, if you are using SSL offloading, and going to public locations (like www.yahoo.com) then you must use Proxy SSL or an SSL Forward Proxy with a set of wildcard certificates signed by a local CA trusted by the clients.
Anyhow, here is a configuration that should get you at least close to what you want. I am assuming that 10.10.212.200 is the default gateway for the BIG-IP:
These are the two SNAT addresses you want, each in its own pool:

    ltm snatpool snat-pool-01 {
        members {
            10.10.212.105
        }
    }
    ltm snatpool snat-pool-02 {
        members {
            10.10.212.125
        }
    }

This is the pool to be used in the port 80 case. It points to the BIG-IP's default gateway (10.10.212.200, in my setup):

    ltm pool pool-gateway-01 {
        members {
            10.10.212.200:any {
                address 10.10.212.200
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }

This is the iRule applied to the port 80 VS that selects the second SNAT IP if the host destination is www.yahoo.com:

    ltm rule rul-select-snat {
        when HTTP_REQUEST {
            if { [HTTP::host] eq "www.yahoo.com" } {
                snatpool snat-pool-02
            }
        }
    }

This is the wildcard VS. You might as well make it a forwarding VS.

    ltm virtual vs-forwarding {
        destination 0.0.0.0:any
        ip-forward
        mask any
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool snat-pool-01
            type snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            external
        }
        vlans-enabled
        vs-index 5
    }

This is the port 80 wildcard address VS that is only used by the subset of hosts as you wish. Notice that the default SNAT address is the same as the other VS (snat-pool-01). The iRule selects the other snat address (snat-pool-02) if the particular host matches.

    ltm virtual vs-http-01 {
        destination 0.0.0.0:http
        ip-protocol tcp
        mask any
        pool pool-gateway-01
        profiles {
            clientssl {
                context clientside
            }
            http { }
            mptcp-mobile-optimized { }
        }
        rules {
            rul-select-snat
        }
        source 10.100.8.0/22
        source-address-translation {
            pool snat-pool-01
            type snat
        }
        vlans {
            external
        }
        vlans-enabled
        vs-index 6
    }
- John_Chen_43562
Nimbostratus
All the https traffic is outbound from all pool members. Therefore, there is no SSL offloading. With a "Performance (L4)" VS, how can I send a specific URL to a different SNAT?
- Stanislas_Piro2
Cumulonimbus
Hi,
If you are not using SSL offloading, you can try to inspect the client data and search for the SNI in the SSL negotiation.
The following question / answer can help you.
https://devcentral.f5.com/questions/match-ssl-sni-and-redirect-ssl-traffic-without-ssl-termination
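Both selection methods in this thread, Vernon's HTTP_REQUEST iRule keyed on [HTTP::host] for the port 80 VS and the SNI inspection Stanislas points to for port 443, come down to the same decision: read the name the client is asking for out of its first bytes and pick a SNAT pool from it. The Python below is an added example written for this thread, not code from the thread, from DevCentral or from F5. It parses a plain HTTP request and a raw TLS ClientHello (a constructed one, built inline) and returns the pool name. The pool names snat-pool-01 and snat-pool-02 are taken from Vernon's configuration; the host list, the function names and the build_client_hello helper are assumptions for the demonstration.

```python
import struct

# Pool names are taken from the thread's configuration; the host list is an
# assumption for this demonstration.
DEFAULT_SNATPOOL = "snat-pool-01"
SPECIAL_SNATPOOL = "snat-pool-02"
SPECIAL_HOSTS = {"www.yahoo.com"}


def snatpool_for_host(host):
    """Same decision as the HTTP_REQUEST iRule: the second pool only for a
    listed host, the default for everything else (including no host at all)."""
    if not host:
        return DEFAULT_SNATPOOL
    host = host.split(":", 1)[0].strip().lower()   # drop :port, normalise case
    return SPECIAL_SNATPOOL if host in SPECIAL_HOSTS else DEFAULT_SNATPOOL


def http_host_from_request(data):
    """Return the Host header of a raw HTTP/1.x request, or None."""
    head = data.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def sni_from_client_hello(data):
    """Return the server_name from a TLS ClientHello record, or None when the
    bytes are not a complete, well-formed ClientHello carrying SNI."""
    if len(data) < 5 or data[0] != 0x16:            # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:                      # truncated record
        return None
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:               # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    if len(rec) < 4 + hs_len:
        return None
    hs = rec[4:4 + hs_len]
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):
            return None                               # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                         # 0 = server_name
                continue
            list_len = struct.unpack("!H", body[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = body[p]
                name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if p + name_len > len(body):
                    return None                       # truncated name
                if name_type == 0:                    # host_name
                    return body[p:p + name_len].decode("ascii", "replace")
                p += name_len
    except (IndexError, struct.error):
        return None
    return None


def snatpool_for_first_packet(dst_port, data):
    """Pick the SNAT pool from the first client bytes on a new connection:
    SNI for 443, the Host header for everything else."""
    if dst_port == 443:
        return snatpool_for_host(sni_from_client_hello(data))
    return snatpool_for_host(http_host_from_request(data))


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello whose only extension is SNI
    (constructed test input, not a capture)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                   # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                   # extension type 0
    body = (b"\x03\x03" + bytes(32)                              # version, random
            + b"\x00"                                            # empty session_id
            + b"\x00\x02\xc0\x2f"                                # one cipher suite
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(snatpool_for_first_packet(443, build_client_hello("www.yahoo.com")))
    print(snatpool_for_first_packet(80, b"GET / HTTP/1.1\r\nHost: www.bing.com\r\n\r\n"))
```

On the BIG-IP the equivalent of sni_from_client_hello lives in an iRule that collects the first client segment before any pool or SNAT decision is made, which is the pattern the linked answer is about. Two details of the parser carry over regardless of where it runs: anything that is not a complete, well-formed ClientHello with an SNI entry falls back to the default pool instead of failing, and the HTTP Host value is normalised (port removed, lower-cased) before matching, because [HTTP::host] returns the header as sent, so an exact eq against "www.yahoo.com" would silently miss "www.yahoo.com:80" or "WWW.yahoo.com".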
- weblead_151334
Nimbostratus
Can anyone review the info https://devcentral.f5.com/questions/i-rule-help-route-incoming-traffic-based-on-source-subnet-amp-url-contains-string-admin-or-intra & help me fix the issue ...thanks!