Forum Discussion
Oleg_68900
Nimbostratus
Feb 10, 2009
Two ISPs – how to configure outbound traffic
Setup:
Two ISPs (external subnets A & B respectively)
VLANs:
    internal (subnet X)
    external (subnet A)
    external2 (subnet B)
LTM default gateway (DGW) points to ISP A
All inbound virtual servers are configured in pairs:
    Two virtual servers: a1 & b1 (on subnets A & B respectively)
    One pool serving requests for both a1 & b1
It works just fine.
For outbound traffic I want to be able to create different SNATs (with IPs a2 & b2) for different internal IPs.
For example:
x1 (internal server) uses a2 and
x2 (another internal server) uses b2.
    snat a2 {
        translation a2
        vlans internal enable
        origins
            x1
    }
    snat b2 {
        translation b2
        vlans internal enable
        origins
            x2
    }
snat a2 works fine
snat b2 doesn’t work
*LTM default gateway points to ISP A
What do I need to do to make snat b2 work?
I guess I can change the LTM DGW to point to B, but snat a2 will stop working then…
I do need “more than one” SNATs on both A & B…
5 Replies
- dennypayne
Employee
You need to create a pool with both gateways and use that pool as the LTM default gateway. That way it will use the correct gateway for whichever SNAT is used.
Denny
- Oleg_68900
Nimbostratus
Denny,
I tried that before.
I thought I needed a gateway pool for auto last hop to work properly.
Turned out – auto last hop works fine with the default gateway set to an IP on subnet A.
But having a gateway pool instead of an IP resulted in much longer outbound access times for subnet A, and didn’t resolve the subnet B outbound issues.
Am I missing something?
Do I need any forwarding servers at all?
- Oleg_68900
Nimbostratus
I made few more tests:
1. Create & assign a gateway pool with one member only – DGW for subnet A
    Hosts SNATed to subnet A work
    Hosts SNATed to subnet B don’t work
    I.e. it works, as expected, exactly the same way as with the DGW set to an IP in subnet A
2. Did the same for B – again, as expected, works for B but not for A.
Now,
3. LTM DGW is set to gateway pool with two members – DGWs for subnet A & B
It works for both subnets, A & B, but the browsing is extremely slow.
Ping always times out, and that’s why I thought it wouldn’t work at all.
I was just not patient enough. :-)
Overall result – yes it works, but it’s unacceptable.
I assume something is wrong with my configuration.
Gateway pool load balancing method is Round Robin – does it matter at all?
Both SNAT & NAT translation are disabled.
I tried changing SNAT & NAT in cases 1 & 2 – they make no difference.
Browsing is very fast in both 1 & 2.
Still wondering what I might be missing?
- Oleg_68900
Nimbostratus
A little more info:
In case 3 (LTM DGW is set to gateway pool with two members – DGWs for subnet A & B)
Firewall between A and “outside world” shows packets with Source Addresses from both
A & B subnets. Obviously, only ones from A get their responses.
I don’t have access to firewall B, but I guess it should be a very similar picture – hence very slow browsing – it keeps retrying until it hits the “right gateway”.
- Oleg_68900
Nimbostratus
v9 has a nice debugging mechanism called iRules. :-)
I wrote a simple rule to log packet IPs, ports and next/last hops.
The log shows that in case 3 LTM chooses the gateway absolutely randomly (or should I say “round robin”?).
The only way to make it work is to use the very same iRules to assign the appropriate gateway.
With iRules everything works just fine, but it’s somewhat impractical as there is no way to script them – at least I don’t know how.
Back to original problem:
Default gateway pool with 2 gateways doesn’t work at all.
I guess, it should – there is no big deal to compare SNATed IP with available gateways and choose the right one.
The one difference between my config and average Joe – subnet B is /26 and A is /24
Anyway, SNATed IP and gateway both belong to the same subnet – even iRules won’t help otherwise…
The good thing about it – it made me learn a little bit of iRules ;-)
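The selection the poster expected the gateway pool to make (compare the SNATed source address with the subnets of the available gateways and pick the one that matches) is easy to model. The script below is an added example, not the poster's iRule and not F5 code; it uses constructed addresses standing in for subnet A (/24), subnet B (/26), the SNATs a2/b2 and the hosts x1/x2, and contrasts a Round Robin gateway pool with subnet-aware selection over the same set of flows, counting how many flows leave through a gateway that can actually return the reply.

```python
import ipaddress
from itertools import cycle

# All addresses below are constructed for this example; they stand in for the
# thread's ISP subnets A (/24) and B (/26), SNAT addresses a2/b2 and hosts x1/x2.
GATEWAYS = {
    "gw_A": ("203.0.113.1", "203.0.113.0/24"),      # DGW on subnet A
    "gw_B": ("198.51.100.65", "198.51.100.64/26"),  # DGW on subnet B
}
SNAT_MAP = {
    "10.0.0.11": "203.0.113.20",   # x1 -> a2
    "10.0.0.12": "198.51.100.70",  # x2 -> b2
}


def gateways_sharing_subnet(snat_ip, gateways=GATEWAYS):
    """Names of gateways whose attached subnet contains the SNAT address."""
    addr = ipaddress.ip_address(snat_ip)
    return [name for name, (_gw, net) in gateways.items()
            if addr in ipaddress.ip_network(net, strict=True)]


def subnet_aware_gateway(snat_ip, gateways=GATEWAYS, default="gw_A"):
    """Pick the gateway on the same subnet as the translated source address.

    A SNAT address on neither ISP subnet has no correct answer (the case the
    last post says even an iRule cannot fix) and falls back to the default
    gateway; overlapping gateway subnets are rejected as ambiguous.
    """
    matches = gateways_sharing_subnet(snat_ip, gateways)
    if len(matches) > 1:
        raise ValueError(f"ambiguous gateways for {snat_ip}: {matches}")
    return matches[0] if matches else default


def round_robin_gateway(gateways=GATEWAYS):
    """Model of a Round Robin gateway pool: the SNAT address is ignored."""
    order = cycle(gateways)
    return lambda _snat_ip: next(order)


def route_flows(internal_hosts, chooser, gateways=GATEWAYS, snat_map=SNAT_MAP):
    """Route one outbound flow per internal host and count how many leave via
    a gateway whose subnet matches the SNAT address. Only those flows get a
    reply, which is what the firewall observation in the thread showed."""
    counts = {"correct": 0, "misrouted": 0}
    for host in internal_hosts:
        snat_ip = snat_map[host]
        chosen = chooser(snat_ip)
        ok = chosen in gateways_sharing_subnet(snat_ip, gateways)
        counts["correct" if ok else "misrouted"] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic mix: x1 opens two flows for every one that x2 opens.
    flows = ["10.0.0.11", "10.0.0.11", "10.0.0.12"] * 4
    print("round robin :", route_flows(flows, round_robin_gateway()))
    print("subnet-aware:", route_flows(flows, subnet_aware_gateway))
```

With the two-to-one traffic mix above, Round Robin sends half of the flows out the wrong ISP (those connections stall and retry, which matches the slow browsing in case 3), while matching on the SNAT subnet routes every flow correctly; the /26 on subnet B is handled the same way as the /24 because the comparison is done against each gateway's own prefix rather than a fixed mask.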
