Forum Discussion
Scott_Hopkins
Nimbostratus
Jul 06, 2008
Question on LTM Wild Card Virtual Servers
If a host (with a BigIP as its default gateway) establishes a new connection to the BigIP, in what order will it apply Virtual Server, SNAT, Wild-Card Virtual Server configurations?
Our situation:
We currently have multiple hosts behind our LTM devices that not only serve requests via Virtual Servers, but also communicate directly to some of the client hosts. Due to infrastructure requirements (an effort to keep the number of participants in our routing infrastructure low), the LTM does not have an active part in routing, and currently drops all traffic on the floor that is not either a response, or covered by a SNAT.
This means that any clients communicating through the VIP (which get routed back to the LTM via static routes) can only communicate via the BigIP (and therefore lose direct communication with the application servers), unless we add a SNAT for the client host (which requires additional static routes on the client machines).
We're looking to change this by using a wild-card virtual server for each VLAN, with an iRule that would either SNAT the traffic outbound, or force the traffic to the router for that VLAN. This would coincide with making the LTM the default gateway for all of these machines. I've seen some of the other multi-gateway routing threads, and wondered if the LTM would work like this:
VIRTUAL SERVER :
Is the destination IP a virtual server I host?
Yes, send traffic to the virtual server.
No, fall to SNAT.
SNAT:
Do I have a SNAT rule for this source IP?
Yes, use the SNAT.
No, fall to Wild Card Virtual Server (WC-VS).
WC-VS:
Use an iRule to determine how to process the traffic (iRule below).
iRule
Pre-defined Classes / Data Groups:
routed_network_list
= List of ip/subnets that require a routable address
local_srvr_list
= List of Servers that need to be SNAT’ed to allow direct machine to machine communication.
when CLIENT_ACCEPTED {
   # iRule commands are case-sensitive (IP::, not ip::) and Tcl comments start with #
   if { [matchclass [IP::remote_addr] equals $::routed_network_list ] } {
      # SNAT traffic to the routable networks
      snat 64.x.x.52
   } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list ] } {
      # SNAT traffic to the other internal machines
      snat 10.10.8.3
   } else {
      # drop to the default router for this VLAN.
      node 10.10.8.1
   }
}
If not, how does it decide what to apply first? Does this seem like a reasonable approach, or is there a better way to achieve what we are looking for?
- hoolio
Cirrostratus
The precedence (Click here) for matching would be the most specific VIP, then the wildcard VIP, then the SNAT. The SNAT will take effect if there isn't a SNAT setting enabled on the VIP and/or pool. If you use a rule to specify a SNAT it will override both the SNAT options on the VIP and/or pool as well as a default SNAT.
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: new connection to [IP::local_addr]:[TCP::local_port]"
   if { [matchclass [IP::remote_addr] equals $::routed_network_list ] } {
      # SNAT traffic to the routable networks
      log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::routed_network_list"
      snat 64.x.x.52
   } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list ] } {
      # SNAT traffic to the other internal machines
      log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::local_srvr_list"
      snat 10.10.8.3
   } else {
      # drop to the default router for this VLAN.
      log local0. "[IP::client_addr]:[TCP::client_port]: default"
      node 10.10.8.1
   }
}
when SERVER_CONNECTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: connected to [IP::remote_addr]:[TCP::remote_port]"
}
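To make the precedence in the reply above concrete, here is an added example (not code from the thread or from F5) that models it in Python: the most specific virtual server wins on destination prefix and port, a VLAN-scoped wildcard virtual catches the rest, a SNAT entry only applies when nothing on the chosen virtual already decided the source address, and an iRule `snat` or `node` overrides any default SNAT. The virtual servers, the SNAT table, the data-group contents and the VLAN names are constructed for the example; 192.0.2.52 stands in for the thread's masked 64.x.x.52.

```python
"""Model of BIG-IP LTM connection matching as described in the thread:
specific VIP, then wildcard VIP (per VLAN), then SNAT.  Constructed
example; not the BIG-IP implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration (illustrative names and addresses).
# (name, destination network, port [0 = any], vlan [None = all], irule)
VIRTUALS = [
    ("vs_app_http", "10.10.8.50/32", 80, None, None),
    ("vs_net_10_10_9", "10.10.9.0/24", 0, None, None),
    ("wc_vlan_app", "0.0.0.0/0", 0, "vlan_app", "route_or_snat"),
]
SNAT_TABLE = {"10.10.8.20": "192.0.2.52"}            # per-source SNAT entries
ROUTED_NETWORK_LIST = ["172.16.0.0/12"]              # $::routed_network_list
LOCAL_SRVR_LIST = ["10.10.8.10/32", "10.10.8.11/32"]  # $::local_srvr_list


@dataclass
class Decision:
    virtual: Optional[str]    # virtual server that took the connection
    snat: Optional[str]       # translated source address, if any
    next_hop: Optional[str]   # 'node' target when the iRule forced one
    dropped: bool = False     # nothing matched and no SNAT covered the source


def matchclass(addr: str, class_list) -> bool:
    """Equivalent of 'matchclass <addr> equals <ip data group>'."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in class_list)


def select_virtual(dst_ip: str, dst_port: int, vlan: str) -> Tuple[Optional[str], Optional[str]]:
    """Longest destination prefix wins, then an explicit port beats 'any';
    a virtual restricted to a VLAN is only a candidate on that VLAN."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for name, dest, port, vs_vlan, irule in VIRTUALS:
        net = ipaddress.ip_network(dest)
        if ip not in net or port not in (0, dst_port) or vs_vlan not in (None, vlan):
            continue
        key = (net.prefixlen, port != 0)
        if best is None or key > best[0]:
            best = (key, name, irule)
    return (best[1], best[2]) if best else (None, None)


def route_or_snat(client_ip: str) -> Decision:
    """The thread's iRule, branch for branch (CLIENT_ACCEPTED)."""
    if matchclass(client_ip, ROUTED_NETWORK_LIST):
        return Decision(None, "192.0.2.52", None)       # snat 64.x.x.52
    if matchclass(client_ip, LOCAL_SRVR_LIST):
        return Decision(None, "10.10.8.3", None)        # snat 10.10.8.3
    return Decision(None, None, "10.10.8.1")            # node 10.10.8.1


def process(src_ip: str, dst_ip: str, dst_port: int, vlan: str) -> Decision:
    name, irule = select_virtual(dst_ip, dst_port, vlan)
    if name is None:
        # No virtual (specific or wildcard) matched on this VLAN: only a
        # SNAT entry can carry the connection, otherwise LTM drops it.
        snat = SNAT_TABLE.get(src_ip)
        return Decision(None, snat, None, dropped=snat is None)
    if irule == "route_or_snat":
        # An iRule snat/node overrides the VIP/pool SNAT setting and any default SNAT.
        d = route_or_snat(src_ip)
        d.virtual = name
        return d
    # Virtual with no SNAT setting of its own: a matching SNAT entry still applies.
    return Decision(name, SNAT_TABLE.get(src_ip), None)


if __name__ == "__main__":
    for flow in [("10.10.8.20", "10.10.8.50", 80, "vlan_app"),
                 ("10.10.8.10", "10.10.8.50", 443, "vlan_app"),
                 ("10.10.8.99", "8.8.8.8", 53, "vlan_app"),
                 ("10.10.8.99", "8.8.8.8", 53, "vlan_db")]:
        print(flow, "->", process(*flow))
```

Two points the model makes visible: once a 0.0.0.0/0 wildcard virtual is enabled on a VLAN, no connection from that VLAN ever falls through to the SNAT table or to the old "drop on the floor" behaviour, so the iRule's `else` branch is the real security boundary and the data groups must be kept accurate; and a connection to a real VIP on a non-listed port (the second flow above) lands on the wildcard, not on the VIP, which may or may not be what you intend. The `node` branch is modelled only as a next-hop choice; whether the destination address is rewritten depends on the virtual's address-translation setting, which the thread does not cover.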
- Deb_Allen_18
Historic F5 Account
- hoolio
Cirrostratus
Hey Deb,