Forum Discussion
samir_110997
Nimbostratus
Nov 10, 2007
PLEASE HELP: conditional SNAT and traffic redirection
Hi everybody,
As I'm not familiar with iRules, I really need your help to correct my iRule because the site is at risk.
I have created a standard virtual server for the HTTP traffic (port 80) and an iRule to redirect all HTTP traffic to the second Internet provider, ISP2. There is only one exception: for three servers the HTTP traffic should be directed to the first Internet provider, ISP1, and must be NATted differently.
This is my iRule:
```tcl
# Rule as posted. Note that pool and SNAT selection only take effect if they are
# made before the load-balancing decision, i.e. in CLIENT_ACCEPTED; LB_SELECTED
# fires after a pool member has already been chosen.
when LB_SELECTED {
    if { [IP::addr [IP::client_addr] equals 172.24.95.139] } {
        # Exception host: fixed SNAT address, out through ISP1
        snat 196.29.40.139
        pool Pool_Routeur_ISP1
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133] } {
        snat 196.29.40.133
        pool Pool_Routeur_ISP1
    } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135] } {
        snat 196.29.40.135
        pool Pool_Routeur_ISP1
    } elseif { [TCP::local_port] == 80 } {
        # All other HTTP traffic: out through ISP2 (no snat set here, so the
        # virtual server's own SNAT setting applies)
        pool Pool_Routeur_ISP2
    } elseif { [TCP::local_port] == 443 } {
        pool Pool_Routeur_ISP2
    } else {
        snat automap
    }
}
```
Thanks to all in advance.
3 Replies
- Deb_Allen_18
Historic F5 Account
Sounds like you're LB'ing outbound links?
And the flow I think you are describing is:
* All HTTP/S traffic for 3 clients will be sent out ISP1 with unique SNATs
* All other HTTP/S traffic will be sent out ISP2 with auto SNAT
* All non-HTTP/S traffic will be load balanced to the default pool (not managed by the rule).
I'd recommend creating a class list (data group list) of type string containing the list of servers you want to send through ISP1 and their SNAT addresses. It's easier to maintain the class than to modify the rule if things change.
```
class ISP1_server_SNATs {
    172.24.95.139 196.29.40.139
    172.24.95.135 196.29.40.135
    172.24.95.133 196.29.40.133
}
```
Then this rule would be applied to a forwarding virtual server enabled on the server vlan to direct traffic as you describe (comment out log lines after verifying):
```tcl
when CLIENT_ACCEPTED {
    if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
        # Look the client address up in the class; returns its SNAT address, or "" if not listed
        set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
        if { $mySNAT != "" } {
            log local0. "SNATing [IP::client_addr] to $mySNAT over ISP1"
            snat $mySNAT
            pool Pool_Routeur_ISP1
        } else {
            log local0. "SNATing [IP::client_addr] to auto SNAT over ISP2"
            snat automap
            pool Pool_Routeur_ISP2
        }
    }
}
```
HTH
/deb
- samir_110997
Nimbostratus
I get an error when applying the iRule. Please, does anyone have an idea about this?
```
01070151:3: Rule [F5_Traffic] error:
line 1: [undefined procedure: class] [class ISP1_server_SNATs {
172.24.95.139 196.29.40.139
172.24.95.135 196.29.40.135
172.24.95.133 196.29.40.133
}]
line 7: [parse error: missing close-brace] [{
if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
if { $mySNAT != "" } {
snat $mySNAT
pool Pool_Routeur_ISP1
} else {
snat automap
pool Pool_Routeur_ISP2
}
}]
line 8: [command is not valid in the current scope] [if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
if { $mySNAT != "" } {
snat $mySNAT
pool Pool_Routeur_ISP1
} else {
snat automap
pool Pool_Routeur_ISP2
}
}]
```
- hoolio
Cirrostratus
The datagroup (called a class in the bigip.conf) definition should be separate from the iRule. You can create a datagroup in the GUI under Local Traffic >> iRules >> Datagroup List.
Aaron
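Putting the two replies together (data group defined outside the rule, rule applied to a forwarding virtual server on the server VLAN), here is the same policy written for BIG-IP v10 and later as an added example; it is not code from the thread or from F5. It assumes the `class` command and an address-type data group (the `findclass` / `$::classname` form used above still works on v9 but, from v10 on, referencing `$::` globals demotes the virtual server from CMP), and it assumes, per F5's documentation of `class lookup`, that a non-matching address yields an empty string. The pool and data-group names are the thread's; the tmsh line and log format are illustrative.

```tcl
# Added example (not from the original thread). Assumes BIG-IP v10+.
#
# The data group is created separately from the iRule, e.g. in tmsh (one line):
#   create ltm data-group internal ISP1_server_SNATs type ip records add {
#     172.24.95.139/32 { data 196.29.40.139 }
#     172.24.95.133/32 { data 196.29.40.133 }
#     172.24.95.135/32 { data 196.29.40.135 } }
#
# An address-type data group matches by prefix, so a whole subnet can be mapped
# to one SNAT address by using e.g. 172.24.95.0/24 as the key (assumed here as
# an extension of the thread's three /32 entries).

when CLIENT_ACCEPTED {
    # Steer only web traffic; everything else falls through to the virtual
    # server's default pool and default SNAT setting.
    switch [TCP::local_port] {
        80 -
        443 {
            # class lookup returns the record's value (the SNAT address) for the
            # matching prefix, or "" when the client address is not listed.
            set mySNAT [class lookup [IP::client_addr] ISP1_server_SNATs]
            if { $mySNAT ne "" } {
                # Exception hosts: fixed source address, out through ISP1
                snat $mySNAT
                pool Pool_Routeur_ISP1
                log local0.info "ISP1 [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] snat $mySNAT"
            } else {
                # Everyone else: automap SNAT, out through ISP2
                snat automap
                pool Pool_Routeur_ISP2
                log local0.info "ISP2 [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] snat automap"
            }
        }
    }
}
```

The decision is keyed purely on the source address, so the rule should only be attached to a virtual server enabled on the server VLAN where those addresses are legitimately reachable; a virtual server listening on all VLANs would let any host that can spoof or use 172.24.95.139 obtain the ISP1 path and its dedicated SNAT. Remove or lower the `log` lines once the mapping has been verified, since they fire on every new connection.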