Forum Discussion
randomize snat
Hi all,
I need to create a NAT and randomize it using multiple /28 subnets. I have created a data group to contain the subnets; how can I randomize the NAT selection? I saw that we can use the "rand" function but it's not working..
Can anyone assist with that?
Thanks
9 Replies
- nitass_89166
Noctilucent
isn't the least connections algorithm good enough?
Note: The BIG-IP system load balances SNAT pool connections between members using the least connections algorithm.
sol7820: Overview of SNAT features
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html
- player_72606
Nimbostratus
I know this article, but I'm looking for a solution to randomize across multiple subnets and not several IP addresses..
- nitass
Employee
i saw that we can use the "rand" function but it's not working.
Can you post the configuration/iRule that is not working?
- player_72606
Nimbostratus
I don't have access to it right now, but it's a very simple one that calls the data group that holds the subnets and tries to use the rand function to "generate" a randomized IP address and then the "snat" function with that integer.
- nitass
Employee
Not sure if I understand correctly. Anyway, this is my testing.
snat_list is a string data group containing the snat ip subnets. Please note that the server has to route return traffic back to the bigip.

config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    vs-index 41
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal snat_class
ltm data-group internal snat_class {
    records {
        192.168.1.16/255.255.255.240 { }
        192.168.2.32/255.255.255.248 { }
    }
    type string
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    # convert a dotted-quad IPv4 address into a 32-bit integer
    proc ip2int { ip } {
        set octets [split $ip .]
        set ipint [expr {(256 * 256 * 256 * [lindex $octets 0]) + (256 * 256 * [lindex $octets 1]) + (256 * [lindex $octets 2]) + [lindex $octets 3]}]
        return $ipint
    }
    # random list index in the range 0 .. max-1
    # (int(rand()*($max+1)) could also return $max, one past the last element, and lindex would return "")
    proc random { max } {
        return [expr {int(rand()*$max)}]
    }
    when RULE_INIT {
        # expand every ip/mask record of the data group into its individual addresses once, at load time
        set static::snat_list {}
        foreach elm [class get snat_class] {
            scan [lindex $elm 0] {%[^/]/%s} ip mask
            set st [IP::addr $ip mask $mask]
            # number of addresses in the subnet (network and broadcast addresses included)
            set num [expr {[call ip2int 255.255.255.255] - [call ip2int $mask] + 1}]
            for {set i 0} {$i < $num} {incr i} {
                set t [expr {[call ip2int $ip] + $i}]
                lappend static::snat_list [IP::addr parse -ipv4 [binary format I $t]]
            }
        }
        set static::snat_len [llength $static::snat_list]
        unset elm ip mask st num i t
    }
    when CLIENT_ACCEPTED {
        # pick one address from the expanded list for every new connection
        snat [lindex $static::snat_list [call random $static::snat_len]]
    }
}

trace

[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 'tcp[13] = 2'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:47:31.432326 IP 172.28.24.1.48161 > 172.28.24.10.80: S 298963641:298963641(0) win 5840 in slot1/tmm1 lis=
06:47:31.434456 IP 192.168.1.22.48161 > 200.200.200.101.80: S 276765464:276765464(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.513825 IP 172.28.24.1.48162 > 172.28.24.10.80: S 3119548056:3119548056(0) win 5840 in slot1/tmm0 lis=
06:47:31.515734 IP 192.168.2.33.48162 > 200.200.200.101.80: S 1647113171:1647113171(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.567365 IP 172.28.24.1.48163 > 172.28.24.10.80: S 2523860699:2523860699(0) win 5840 in slot1/tmm1 lis=
06:47:31.568874 IP 192.168.1.26.48163 > 200.200.200.101.80: S 2322897545:2322897545(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.596345 IP 172.28.24.1.48164 > 172.28.24.10.80: S 1548997994:1548997994(0) win 5840 in slot1/tmm0 lis=
06:47:31.602295 IP 192.168.2.36.48164 > 200.200.200.101.80: S 4150002812:4150002812(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.619097 IP 172.28.24.1.48165 > 172.28.24.10.80: S 3701869019:3701869019(0) win 5840 in slot1/tmm1 lis=
06:47:31.620489 IP 192.168.1.28.48165 > 200.200.200.101.80: S 733377398:733377398(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.677394 IP 172.28.24.1.48166 > 172.28.24.10.80: S 253426786:253426786(0) win 5840 in slot1/tmm0 lis=
06:47:31.678775 IP 192.168.1.26.48166 > 200.200.200.101.80: S 3356910604:3356910604(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.702024 IP 172.28.24.1.48167 > 172.28.24.10.80: S 1614702065:1614702065(0) win 5840 in slot1/tmm1 lis=
06:47:31.703896 IP 192.168.1.29.48167 > 200.200.200.101.80: S 911342013:911342013(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.709245 IP 172.28.24.1.48168 > 172.28.24.10.80: S 147699432:147699432(0) win 5840 in slot1/tmm0 lis=
06:47:31.710322 IP 192.168.1.16.48168 > 200.200.200.101.80: S 1159993457:1159993457(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.748100 IP 172.28.24.1.48169 > 172.28.24.10.80: S 1848051608:1848051608(0) win 5840 in slot1/tmm1 lis=
06:47:31.749172 IP 192.168.1.29.48169 > 200.200.200.101.80: S 3736572387:3736572387(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.780676 IP 172.28.24.1.48170 > 172.28.24.10.80: S 3760627980:3760627980(0) win 5840 in slot1/tmm0 lis=
06:47:31.781664 IP 192.168.2.33.48170 > 200.200.200.101.80: S 3107354337:3107354337(0) win 4380 out slot1/tmm0 lis=/Common/bar
- The_Bhattman
Nimbostratus
Excellent irule
-=Bhattman=-
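A host-side model of the expansion and selection logic in nitass's iRule above, written in Python as an added example (it is not iRule code and not from the original thread). It expands the data-group records the way RULE_INIT does, picks an index that stays inside the list (the posted random proc can return an index one past the end), and checks that every outbound SYN in a capture carries a source address from a configured SNAT subnet; the trace excerpt is constructed from lines on the page.

```python
import ipaddress
import random
import re

# Records exactly as configured in the snat_class data group on the page.
SNAT_CLASS = ["192.168.1.16/255.255.255.240", "192.168.2.32/255.255.255.248"]

# Constructed excerpt of the tcpdump trace on the page: one inbound and three outbound SYNs.
TRACE = """\
06:47:31.432326 IP 172.28.24.1.48161 > 172.28.24.10.80: S 298963641:298963641(0) win 5840 in slot1/tmm1 lis=
06:47:31.434456 IP 192.168.1.22.48161 > 200.200.200.101.80: S 276765464:276765464(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.515734 IP 192.168.2.33.48162 > 200.200.200.101.80: S 1647113171:1647113171(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.710322 IP 192.168.1.16.48168 > 200.200.200.101.80: S 1159993457:1159993457(0) win 4380 out slot1/tmm0 lis=/Common/bar
"""


def expand_snat_list(records, hosts_only=False):
    """Mirror RULE_INIT: turn each 'ip/mask' record into its individual addresses.

    The iRule counts (0xffffffff - mask + 1) addresses, so the network and broadcast
    addresses are included (the trace shows 192.168.1.16 in use). hosts_only=True
    drops those two per subnet, which is usually what you want from a SNAT range.
    """
    addrs = []
    for rec in records:
        net = ipaddress.ip_network(rec, strict=False)  # accepts the address/netmask form
        addrs.extend(net.hosts() if hosts_only else net)
    return [str(a) for a in addrs]


def pick_snat(snat_list, rng=random):
    """Mirror CLIENT_ACCEPTED with an index that stays in 0 .. len-1.

    The proc posted as 'random' computes int(rand()*(max+1)), so it can return
    len itself; lindex then yields "" and the snat command has nothing to use.
    """
    return snat_list[rng.randrange(len(snat_list))]


# Source address of an outbound SYN (the translated flow leaving towards the server).
OUT_SYN = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: S .* out ")


def check_trace(trace, records):
    """Return every outbound source address that is not inside a configured SNAT subnet."""
    nets = [ipaddress.ip_network(r, strict=False) for r in records]
    bad = []
    for m in OUT_SYN.finditer(trace):
        src = ipaddress.ip_address(m.group(1))
        if not any(src in n for n in nets):
            bad.append(str(src))
    return bad
```

Running check_trace over a longer capture is a quick way to confirm that a reworked data group never leaks a source address outside the ranges the upstream routers return traffic for.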
- player_72606
Nimbostratus
well done!