BIG-IP in DMZ - Reverse traffic to public subnets clarification
Hi guys, Please help with understanding routing on BIG-IP LTM device. We are using quite old version on the box - 10.2.4. The problem we are having is related to traffic flows from border firewall which is connected to public subnet and F5 load balancer. We are experiencing connectivity problems from outside to server pool behind the load balancer after we perform switch over operation on firewall cluster from primary to secondary node. Both firewall devices are in sync so they are using the same configuration and during switchover the secondary device just taking VIPs from primary. I suspect that the issue lies on the LTM side. What I can't understand right now is how BIG-IP is returning traffic back from the pool to the clients in the Internet if the load-balancer is in the DMZ already (it doesn't have public IPs assigned). Border firewall perform NAT translation for destination IP address leaving the clients public IPs unchanged. This changed packet is reaching LTM vServer in the VLAN20 (please take a look on the attached diagram) and based on the vServer settings traffic is directed to POOL of Web servers with source changed to self-IP of LTM (because of SNAT automap config). But the reverse path is not clear. Traffic is forwarder to LTM which in its turn will substitute original public IP address of the Internet's client. What then? Traffic will be directed based on routing table? But in that case asymmetric routing will happen because in our case default route is pointing to different VLAN. Here is our vserver config ltm virtual VS_VSERVER { destination 10.0.20.150:https ip-protocol tcp mask 255.255.255.255 partition APP20 persist { TST_cookiePersistence { default yes } } pool POOL_WEB1 profiles { TST_http_headerSource { } example.com { context clientside } tcp { } } rules { TST_redir } snat automap } Thank you very much!
Please validate iRule to Load balance the traffic based on SNAT.
Hello Folks, I need your help by verifying my iRule, responsible to SNAT the traffic generated from one Site (B) and going to another site (A), and should select specif pool to communicate further. when CLIENT_ACCEPTED { if { [IP::addr [IP::remote_addr] equals 1.1.1.0 mask 255.255.255.0] } { snat 1.1.1.1 pool Test_Pool } else {pool Normal} } Brief information about customer setup. Client has 2 sites located on different geographic area. We are managing their network setup. Being an ISP, we are responsible to load balance all the traffic flowing between two sites. Now, they have configured their network in such a way, where SiteA should see only one specific IP address when SiteB tries to communicate with SiteA. At the same time, load balance should work for both the sites. Please feel free to reply if you need any further informaiton to verify the iRule or share a better one.
SNAT based on XFF to internet
Hi All, my company is trying to get LTM to work with ironport proxy. The proxy gateway is pointed to F5 and we have configured a performance L4 virtual server to allow the traffic to passthrough. so far what we observed from our irules, the XFF header is not match properly and it is intermittently having issue. when HTTP_REQUEST { set XFF [HTTP::header X-Forwarded-For] log local0. $XFF if { [catch {class match [HTTP::header "X-Forwarded-For"] equals abc-address}] } { log local0. "$XFF hit ABC" snatpool SNAT_POOL_1.1.1.1 } elseif { [catch {class match [HTTP::header "X-Forwarded-For"] equals def-address}] } { log local0. "$XFF hit DEF" snatpool SNAT_POOL_2.2.2.2 } elseif {[class match [IP::client_addr] equals proxy-address]} { log local0. "not nat. proxy going to internet" } else { log local0. "Not matching any ip. traffic dropped" drop } } would anyone be able to help advise if it is the rule having issue?iRules for SNAT translations with ISP load balancing
I'm looking for a way to create iRules that would have SNAT translations for specific hosts that needed to be sourced with a specific IP address and autosnat all others. For example, Node A must be sourced from public IP 100.1.1.2 using ISP A, node B would be sourced from public IP 200.1.1.3 using ISP B, while all others that did not need to be sourced from a specific IP would use autosnat to load balancing using both ISPs and setting the source IP to the appropriate self-IP based on the ISP connection used. Is this possible and if so what would the iRule look like?
