Forum Discussion

Shawn_Puckett_8
Jul 18, 2006

SNAT iRules for Multiple Gateways

Short description: I need to use different gateways out of the F5 for SNAT IPs.

Longer version: I need some of my systems that sit behind the Big-IP to NAT to different IPs so I can have our firewall NAT to public IPs; then I can set up correct MX records. For example, server 192.168.72.57 needs to hit the firewall as 192.168.73.67 so the firewall knows to NAT to a set public IP. Well, that is easy enough with SNAT, but the issue is that I have two firewall gateways that only respond to their subnets, the F5 only goes out one gateway, and I can’t seem to get any of the previous suggestions to work.

Here is my basic setup:

Internal Network: 192.168.72.0/24 (servers all sit here)
External Network 1: 192.168.73.32/28 (these are Virtual Server IPs)
External Network 2: 192.168.73.64/28 (these are also Virtual Server IPs)

External Network 1 Gateway 192.168.73.33 (Firewall) <- default route
External Network 2 Gateway 192.168.73.65 (Firewall) <- unable to set up or use

I've seen some iRules similar to this:

when CLIENT_ACCEPTED {
  if {[IP::addr [IP::local_addr] equals 192.168.73.65/28]} {
    pool gateway-2
  } else {
    pool gateway-1
  }
}

Even if that rule would work, I can’t seem to create a working pool for the gateways, as neither gateway replies to pings (the firewall rejects pings on gateways), so the Big-IP considers it down and will not allow me to use it. So is there another approach I could use with iRules?

Thanks,

Shawn
  • Deb_Allen_18
    Historic F5 Account
    Hi Shawn -

    The gateway pool members can be monitored by multiple transparent monitors to external IP destinations via ICMP or other protocols, rather than using the default ICMP monitor. Doc on transparent monitors is here: Click here

    For outbound traffic, create the pools and the SNATs to match the virtual servers as you mention above, and also a wildcard virtual server enabled on the internal VLAN (Click here, Click here). Then apply the rule to the wildcard virtual server. The basic idea behind the rule you show would work, with one modification:
    when CLIENT_ACCEPTED {
      if {[IP::addr [IP::remote_addr] equals 192.168.72.65/28]} {
        pool gateway-2
      } else {
        pool gateway-1
      }
    }
    CLIENT_ACCEPTED happens before the SNAT, and IP::local_addr in CLIENT_ACCEPTED is the address local to the BIG-IP (in this case the destination IP) so you'll want to look instead for the real IP.

    HTH

    /deb
  • Thanks for the reply, but I'm stumped. The docs you linked to say: “To create a pool of transparent devices, display the Pools screen and click the Create button. For more information, see Chapter 4, Configuring Load Balancing Pools.” But I don’t see anything that tells me how to pick a monitor that is “transparent”; all I see are a few monitors. I even created a custom one per the first link you provided, but that is not available to new pools. I’m so sorry, but I’m not getting it. Can you point to another example of how someone has done this?

    So in the end I should have: 1 SNAT (for each group or system I want to SNAT), 2 Virtual Servers, 2 Pools and 1 rule?

    It would be great if I could just tell the Big-IP that if the IP is X then gateway X and Y goes to gateway Y, kind of like:

    route add 192.168.73.32 mask 255.255.255.240 192.168.73.33
    route add 192.168.73.64 mask 255.255.255.240 192.168.73.65

    Thanks,

    Shawn
  • Does anyone know of an example in the manual or another location that would direct me on setting up two routes based on SNAT IPs? Please help, I've been reading the manual but can't get any clear picture on this, sorry.

    Thanks for any help!

    Shawn
  • If you search the forum for "source route" you will find some help. Here is one such thread:

    Click here
  • I've run into two problems:

    1) I can't figure out how to create a firewall gateway pool for a device that doesn't respond to pings. I know it needs to have transparent monitoring, but I can't seem to track down the docs on creating that. I see it say "see the section on creating pools", but in that section it doesn't tell me how to get a custom transparent monitoring rule to show up in the monitoring drop-down for new pools. Maybe I need to change the default gateway_ICMP monitor to be transparent?

    2) I have around 70 pre-SNAT IPs that are not in ranges, so for example 192.168.72.2 might need gateway 1, .3 gateway 2 and .4 gateway 1, so I was hoping to use post-SNAT. Any thoughts on that? Maybe I could use pools?

    Thanks,

    Shawn
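The following iRule is an added example, not code from the thread or from F5. It combines the two points raised above: Deb's correction that a rule in CLIENT_ACCEPTED must test IP::remote_addr (the real, pre-SNAT source) rather than IP::local_addr, and Shawn's second problem, where individual hosts rather than subnets decide which firewall gateway to use. It is meant for the wildcard virtual server on the internal VLAN. The pool names gateway-1 and gateway-2 and the SNAT address 192.168.73.67 are taken from the thread; the assumption that 192.168.72.57 belongs to the gateway-2 group follows from the requirement that it reach the firewall as 192.168.73.67, which sits in the 192.168.73.64/28 subnet. The second host in the list and the log line are constructed for illustration.

```tcl
# Added example, not code from the thread or from F5. Apply to the wildcard
# virtual server enabled on the internal VLAN. Pool names gateway-1/gateway-2
# and SNAT address 192.168.73.67 come from the thread; the host list is
# constructed (192.168.72.3 is a placeholder).
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED, IP::remote_addr is the server's real address before
    # any SNAT is applied. IP::local_addr would be the BIG-IP side of the
    # connection, which is why the original rule never matched.
    set src [IP::remote_addr]
    set gw  "gateway-1"

    switch -exact -- $src {
        "192.168.72.57" -
        "192.168.72.3" {
            # Hosts that must reach the firewall from the 192.168.73.64/28 side:
            # translate the source to that subnet's SNAT address, then send the
            # connection to the pool whose member is that subnet's gateway.
            snat 192.168.73.67
            set gw "gateway-2"
            pool gateway-2
        }
        default {
            # Everything else keeps the default route via gateway 1. Any SNAT
            # configured on the virtual server itself still applies here.
            pool gateway-1
        }
    }

    # Constructed diagnostic for testing which branch each host takes;
    # remove once the mapping is confirmed so the log stays quiet.
    log local0. "gw-select: $src -> $gw"
}
```

The switch is exact-match, so hosts are listed one per line and a host missing from the list falls into the default branch, which is the safe side for a default-route firewall. With around 70 hosts the list is easier to maintain as a data group matched against IP::remote_addr (the matchclass command in v9-era iRules) than as switch cases, but the branch bodies stay the same. Because the decision is made in CLIENT_ACCEPTED, before translation, the rule keys on the pre-SNAT address the thread asks about; the post-SNAT address is only available once the server-side connection exists, as the later reply notes.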
  • Pool objects and associated monitors are off-topic for this forum. I would recommend not monitoring until you get the desired routing achieved, then worry about availability. You will need to contact support for this information.

    On the SNAT topic, you might look into using a server-side event instead of a client-side event to utilize the correct IP. You could enable logging on client-side and server-side for the client-side IP address to find out which events have the desired IP address, then apply pool commands appropriately. Write back if you get stuck.
  • unRuleY_95363
    Historic F5 Account
    There's also a monitor called "gateway_icmp" that might work for you...