Forum Discussion

Martin_58375
Nov 20, 2012

iRule: snatpool first or pool member selection first

I have an iRule like below:

iRule_mail_snat

    when CLIENT_ACCEPTED {
        if { [IP::remote_addr] equals "202.1.1.1" } {
            snatpool snatpool_A
            pool Pool_A
        } elseif { [IP::remote_addr] equals "202.1.1.2" } {
            snatpool snatpool_B
            pool Pool_B
        } else {
            # no pool command here, so the virtual server's default pool is used
            snatpool snatpool_normal
        }
    }

 

------------------------------------

Snatpool_normal

    snatpool_normal {
        member 1.1.1.1 2.2.2.2
    }

-----------------------------------

 

If there is a virtual server with the above iRule attached, and the pool assigned to it is called "pool_normal":

    pool_normal {
        member 1.1.1.254:0
        member 2.2.2.254:0
        member 3.3.3.254:0
    }

What decision does F5 make when traffic goes through this iRule? (for snatpool_normal and pool_normal)

1) F5 will select the snatpool according to the iRule, then select the corresponding pool member in the pool.

2) F5 will select the pool member and then select the corresponding snatpool_normal.

If case 2, that will be an issue, in a situation like: F5 selects 3.3.3.254, however snatpool_normal does not have an IP address in the corresponding subnet.

What can F5 do? Drop the packet? Just choose one of them from the snatpool?

 

 

5 Replies

  • Basically, if the client source IP address isn't 202.1.1.1 or 202.1.1.2 then snatpool snatpool_normal will be used and the Default Pool assigned to the Virtual Server will be used.

    Because you are doing this in the CLIENT_ACCEPTED event, I don't think the order matters at all.

    To be blunt, don't use member 3.3.3.254 if it's an issue. However, keep in mind the SNAT IP doesn't need to be in the same subnet/network; you just need to ensure the server has a route back to the SNAT address via the F5. You could use 192.168.1.1 if you wanted, as long as the servers and hops in between route that IP back to the F5.
  • Thanks!!!

    If the packet goes out to 1.1.1.254:0 and uses 1.1.1.1 for SNAT, the traffic works properly.

    If the packet goes out to 3.3.3.254:0 and uses 1.1.1.1 for SNAT, F5 will reset the packet.

    That means the snatpool is not set properly.

    For SNAT, F5 will choose the most specific one.

    Am I right?
  • You could specify any SNAT address you liked; the F5 wouldn't reset anything unless the traffic behavior/routing back to it was wrong.

    What IPs are in the SNAT Pool? Does server 3.3.3.254 have a route back to 1.1.1.1 via the F5, on the same VLAN?
  • 3.3.3.254 and 1.1.1.1 are on different VLANs.

    That means the packet goes out from interface 1.1, and then the reply packet will go to interface 1.2.

    Then the packet is reset.

    This is what you said in your first sentence.

    Thanks!!!
  • OK, understood. Yes I did; the point I'm trying to make is that if you use a SNAT IP address that is routed back to the correct F5 interface, it doesn't really matter what it is. So, you can either change the routing as necessary to ensure traffic returns to the correct interface, modify your iRule to use a SNAT pool that will be routed back correctly, or not use 3.3.3.254.

    The behavior you are seeing is correct and expected. You need to decide on and implement a configuration that will work. I'm happy to help here.
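Added example, not the poster's iRule and not F5 code: one way to follow the last reply's suggestion (use a SNAT pool that is routed back correctly) is to keep the client-based pool choice in CLIENT_ACCEPTED but defer the SNAT choice for the default-pool case to LB_SELECTED, which runs after the pool member has been picked, so the SNAT address is chosen from the network of the member that was actually selected. This goes beyond the thread's case in that the SNAT is keyed on the selected member rather than on the client address. The SNAT pool names snatpool_net1, snatpool_net2 and snatpool_net3, the /24 masks and the snat_by_member variable are assumptions; Pool_A, Pool_B, snatpool_A, snatpool_B and the member addresses come from the thread.

```tcl
# Added example, not the original poster's iRule. Assumed objects: three SNAT
# pools, snatpool_net1 / snatpool_net2 / snatpool_net3, each holding addresses
# that the 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24 server networks route back to
# the F5 (the /24 masks are assumptions; the member addresses are the thread's
# pool_normal members). Pool_A, Pool_B, snatpool_A and snatpool_B are the
# thread's own objects.

when CLIENT_ACCEPTED {
    if { [IP::remote_addr] equals "202.1.1.1" } {
        snatpool snatpool_A
        pool Pool_A
    } elseif { [IP::remote_addr] equals "202.1.1.2" } {
        snatpool snatpool_B
        pool Pool_B
    } else {
        # Everyone else goes to the virtual server's default pool (pool_normal).
        # No SNAT is chosen here because the member is not known yet; flag the
        # connection so LB_SELECTED picks the SNAT once the member is chosen.
        set snat_by_member 1
    }
}

when LB_SELECTED {
    # Fires after load balancing has chosen a member, for every connection,
    # so only act on the connections flagged in CLIENT_ACCEPTED.
    if { ![info exists snat_by_member] } {
        return
    }
    set member [LB::server addr]
    if { [IP::addr $member equals 1.1.1.0/24] } {
        snatpool snatpool_net1
    } elseif { [IP::addr $member equals 2.2.2.0/24] } {
        snatpool snatpool_net2
    } elseif { [IP::addr $member equals 3.3.3.0/24] } {
        snatpool snatpool_net3
    } else {
        # A member outside every configured network is a configuration gap:
        # log it so it shows up in /var/log/ltm, and reject rather than send
        # traffic whose replies cannot return through the F5.
        log local0. "no SNAT pool for member $member, client [IP::client_addr]"
        reject
    }
}
```

Attach this in place of iRule_mail_snat on the virtual server whose default pool is pool_normal; the three SNAT pools must exist before the rule is saved. The check worth doing afterwards is one connection per member with tcpdump running on the F5, confirming that the return packets from each member arrive on the VLAN that carries its SNAT address rather than being reset.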