I hope the intellects here may be able to help me with a confusing setup. I worked for 3 days with F5 tech support on this and they finally sent me here. I have about a dozen T1 lines that come into a switch and the switch connects to my "external" VLAN port. On the "internal" side my systems use SNAT to start an outbound connection. The problem is that the outbound connections always use the default route. But I need them to route through the T1 that matches their SNAT address. As an example. I have a system with an address of 10.10.10.10. It starts an outbound connection and gets a SNAT address of 62.2.2.10. I need to create an iRule that will look at this the SNAT address and route the traffic down the 62.x.x.x T1 and not through the default address. Again, I am not trying to route based upon the destination address. Rather, I need to choose the correct router based upon the source address. Otherwise, if the wrong router is chosen, the packets get dropped. If any of you F5 guru's know how to create an iRule to do this, I would greatly appreciate the help. Thanks. -Roark Fisher

I am doing this in the lab currently: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 192.168.1.100/255.255.255.255] } { node 10.10.1.5 Firewall 1 } elseif { [IP::addr [IP::client_addr] equals 192.168.2.100/255.255.255.255] } { node 10.10.2.5 Firewall 2 } } The virtual server should be network, address and mask 0.0.0.0. Service port should be all ports. Make sure you disable port and address translation, and associate the above rule.

With a dozen T1's, I'd recommend using a class instead of 12 if statements: class snat_gw { "snat_IP1 gw_IP1" "snat_IP2 gw_IP2" "snat_IP3 gw_IP3" "........ ......" "snat_IP12 gw_IP12" } when CLIENT_ACCEPTED { set my_gw [findclass [IP::client_addr] $::snat_gw " "] if { $my_gw ne "" } { node $my_gw } else { discard } }

Wow! I appreciate your testing this as this is very big to a very big project. And I was amazed to get such a good response so quickly. Sadly, I have to claim being dumb with iRules. I tried to setup the second example you gave as it was (to me) the clearest and easiest to understand. I created a new iRule and went for a basic test of one translation (if the SNAT address is 62.2.2.10, then use 62.2.2.1 as the gateway): class snat_gw { "62.2.2.10 62.2.2.1" } when CLIENT_ACCEPTED { set my_gw [findclass [IP::client_addr] $::snat_gw " "] if { $my_gw ne "" } { node $my_gw } else { discard } } When I clicked on "Finished", it gave me the error: 01070151:3: Rule [Test_SMTP_SNAT] error: line 1: [undefined procedure: class] [class snat_gw { "62.2.2.0 62.2.2.1" } Sorry for not understanding the basics of iRules yet. This is my first experience with F5s and this issue came up quickly. Do I need to add something else to get it to understand the reference to the "class" procedure? Can I add a subnet to my entry (i.e. "62.2.2.0/255.255.255.0 62.2.2.1) so that the entire network will use this default gateway. Again, thank you for your help. This is huge for us if we can get it working. -Roark Fisher

The class isn't part of the iRule, it needs to be added either to the bigip.conf file (don't forget to do a bigpipe load after editing the file)at the CLI or under the datagroups tab on the irules tab. Also, I'd edit your post and pull out your real IP addresses if they are in fact real. This site is freely available to anyone, so you never know who's watching...

Thank you. I think this is close to working. I added the following to the /config/bigip.conf file (fake IPs given): class snat_gw { "62.2.2.10 62.2.2.1" } I did a "bigpipe load" and then verified that the new class showed up in the datagroups portion of the iRules. I then created the following iRule (Test_SNAT): when CLIENT_ACCEPTED { set my_gw [findclass [IP::client_addr] $::snat_gw " "] if { $my_gw ne "" } { node $my_gw } else { discard } } and it created successfully. So far so good. Things broke as I tried to associate the iRule. Here is some further clarification of what I have. I have a Host Virtual Server that redirects traffic on port 80 to 62.2.2.10 to the internal system (10.10.10.10). I have a SNAT rule that converts 10.10.10.10 to 62.2.2.10. Now the Host Virtual Server on port 80 works great and the web pages serve up properly. The problem is if I want to send email out from 10.10.10.10. Since the email originates from 10.10.10.10, I need it to SNAT to a real address and then route through the correct gateway. Right now it is using the default gateway and the packets get dropped. I did not find a place where I could associate the iRule with the SNAT. I tried to associate the iRule to the Host Virtual Server but then it stopped serving web pages so I had to take it out. Can you tell me how to associate the iRule with the SNAT? Or do I have to create a different type of virtual server? Thanks again for your help.

Outbound routing based upon source IP

15 Replies

grei_zhang_3397
Nimbostratus
Jan 31, 2007
Thanks for this post, I got trick from your thoughts.

Just clarified, to implement my situation:

1. most internal host(client) should routed to external network, where external network protected by a firewall.

2. some specific internal host should snated based on it's source ip and destination ip and tcp dest port.

3. since other service should not do snat for this specific internal host, so global snat should not applied on this internal host.

could I realize such snat irule on 0.0.0.0/0 forwarding pool?

BTW,

my bigip version is 9.1.2 40.2, but i cannot find the address translation and port translation checkbox on wildcard ip forwarding pool, and i found version is very sensitive for bigip device.

-Grei
Liu_Li_18953
Nimbostratus
May 07, 2008
Posted By rodrigo.ev on 10/19/2006 2:17 PM

I'd like to propose another scenario we got in a customer:

Suppose we have the Wildcard Virtual Server (0.0.0.0:0) pointed to a Default Gateway Pool with my two ISP routers (200.1.0.1 and 200.2.0.1).

I want the outbound connection for specific internal servers to use another IP other than SelfIP/SNAT Automap (let's say Static SNAT Addresses 200.1.0.10 and 200.2.0.10).

With the iRule described above I can get this result, but the destination router will be selected by the SNAT, not leveraging the router/link status in a Link Controller Box.

The best would be to let the pool select the better router based on its metrics and then execute the iRule to SNAT to the proper static address.
class class_static_snat_servers { host 10.0.0.10 host 10.0.0.11 } class class_static_snat_gateways { "200.1.0.1 200.1.0.10" "200.2.0.1 200.2.0.10" } when CLIENT_ACCEPTED { set static_snat_server [IP::client_addr] } when LB_SELECTED { if {$::static_snat_server eq $::class_static_snat_servers]} { set selected_gateway [findclass [LB::server addr] $::class_static_snat_gateways " "] if { $selected_gateway ne "" } { snat $selected_gateway } } }

Or, in a short way:
when LB_SELECTED { if {[matchclass [IP::client_addr] eq $::class_static_snat_servers]} { set my_gw [findclass [LB::server addr] $::class_static_snat_gateways " "] if { $my_gw ne "" } { snat $my_gw } } }

if i have many internal servers , i want use the networks instead of host IPs, every networks use a different snat ip ,can i build the class like this???

class class_static_snat_servers {

network 10.0.0.0 mask 255.255.255.0

network 10.0.1.0 mask 255.255.255.0

or

class class_static_snat_servers {

"10.0.0.0/24 200.1.0.10"

"10.0.1.0/24 200.1.0.11"

}
Manuel_Gabaldon
Nimbostratus
May 07, 2008
Hi,

If you define an SNAT pool an associate it with a wildcard routing VS, the BIG-IP will automatically use the SNAT pool member which belongs to the same IP subnet that the selected outgoing router. We've already tried it and it works properly.

However, if you already have an SNAT Automap attached to the wildcard VS, you'll have to define an iRule based on client IP addresses to assign the correct SNAT pool, but this is an upgrade over previous implementations since the BIG-IP selects the outgoing router and then applies SNAT, not the other way around.

BR
Liu_Li_18953
Nimbostratus
May 08, 2008
Thank you for your help，I don't wanna use too many "if" or "elesif" in ruels , can i use the "classe".

rule outbound-snat {

when CLIENT_ACCEPTED {

if { [ matchclass [IP::local_addr] equals $::ISP1_ip ] } {

pool ISP1_GW_pool

}

elseif { [ matchclass [IP::local_addr] equals $::ISP2_IP ] } {

pool ISP2_GW_pool

}

else {

pool default_gateway_pool

}

}

when LB_SELECTED {

if { [[LB::server addr] equals ISP1_GW] } {

if { [[IP::client_addr] equals 172.16.1.0/24] } {

snat 200.1.0.10

}

elseif { [[IP::client_addr] equals 172.16.2.0/24] } {

snat 200.1.0.11

}

elseif { [[IP::client_addr] equals 172.16.3.0/16] } {

snat 200.1.0.12

}

.........

........

}

else {

snat automap

}

}

but i have so many networks need to snat and for some reason i can't change it . (ie : 172.16.1.0/24 must ues 200.1.0.11 ; 172.16.2.0/24 must 200.1.0.12),if I use following rules, does it work?

class snat {

"172.16.1.0/24 200.1.0.10"

"172.16.2.0/24 200.1.0.11"

"172.16.3.0/24 200.1.0.12"

.....

.....

}

rule outbound-snat {

when CLIENT_ACCEPTED {

if { [ matchclass [IP::local_addr] equals $::ISP1_ip ] } {

pool ISP1_GW_pool

}

elseif { [ matchclass [IP::local_addr] equals $::ISP2_IP ] } {

pool ISP2_GW_pool

}

else {

pool default_gateway_pool

}

}

when LB_SELECTED {

if { [[LB::server addr] equals ISP1_GW] } {

set my_snat [ findclass [IP::client_addr] $::snat " " ]}

if { $my_snat ne "" } {

snat $my_snat

}

else { snat automap}

}

}
oninicus_162976
Nimbostratus
Jun 30, 2015
Hi Guys,

I am also new on F5. I would to get some advice from the F5 Gurus. Below is the situation I am in.

I have an LTM which is connected to a Switch (TRUNK), I have allowed already the 2 VLANs for my 2 VIPs (VLAN A - VIP1 and VLAN B - VIP2). the GWs for the respective VLANs are also configured on the switch. I have created the self-IPs for each VLANs as well.

When a user access 1 VIP (VIP1) traffic will SNATed to VIP1.9 and should forward to VIP1.1(GW) and same goes for VIP2 (will be SNATed to VIP2.9 and should forward traffic to VIP2.1(GW).

Please help me on this as I can't any solution on the internet for this. many thanks in advance!

Forum Discussion

Outbound routing based upon source IP

15 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

BIG-IP BGP Routing Protocol Configuration And Use Cases

SNI Routing with BIG-IP

Layer 7 Content Routing in F5 XC

Source IP Based Pool Routing