Forum Discussion

Zoltan_101477
Dec 07, 2007

Health monitor SNAT

Hi,

I'd like to know if anyone has ever created a custom health check application or script that would be able to test an external system sourcing from a SNAT instead of the self IP of the F5.

The NAT-on-the-firewall solution would not work, as other cases must not be NAT-ed there, just some specific health checks.

The F5 has private IP addresses on the external VLAN.

The router also has a public subnet routed to the F5 external floating address.

So picking one from that public subnet should be possible, theoretically.

I'd need this to be ICMP and tcp_half_open based if possible.

I think this could be a standard feature of the F5 to specify custom sourcing.

If anyone has done such a thing before, please inform me.

Regards,

Zoltan

8 Replies

  • I don't think there is a way to specify a source IP address in a default monitor. You might be able to use an external monitor which references a custom script. Using netcat, you could specify a source IP/port. For your specific scenario, I'm not sure how this would work though. The IP you select for the source of the monitor traffic must be an IP that the BIG-IP will ARP for. It will only answer ARPs for IPs it's configured for. So I think you'd need to configure the source IP as a self IP address.

    Aaron
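    The netcat-based external monitor Aaron describes, written out as an added example (this is not code from the thread or from F5). It assumes the usual LTM external-monitor contract, which the page does not spell out: the script is invoked as `script <node-ip> <node-port>`, user-defined monitor variables arrive as environment variables (here a hypothetical `SRC_IP` and `TIMEOUT`), anything printed to stdout marks the pool member UP and silence marks it DOWN, and on newer releases the IPv4 node address is passed as an IPv4-mapped IPv6 literal (`::ffff:a.b.c.d`). The addresses used are RFC 5737 documentation ranges. Two caveats carried over from the thread: `nc -s` only works if `SRC_IP` is an address the BIG-IP actually owns and answers ARP for, and `nc -z` completes the full TCP handshake, so it is a tcp rather than a tcp_half_open style probe.

```shell
#!/bin/sh
# Added example: LTM-style external monitor that sources its TCP probe from a
# chosen address via netcat's -s option. Not from the original thread.
# Assumed contract (not stated on the page): called as "<script> <ip> <port>",
# monitor variables SRC_IP / TIMEOUT come in via the environment, any stdout
# output means UP, no output means DOWN.

# Newer BIG-IP releases hand IPv4 nodes to the script as ::ffff:a.b.c.d;
# strip that prefix so nc gets a plain dotted quad (assumption, see lead-in).
strip_v4mapped() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Build the exact nc invocation as a string so it can be inspected and tested
# without a live target. Arguments: node-ip node-port [source-ip] [timeout].
# -z: scan only (connect, then close)   -w: connect timeout in seconds
# -s: local source address (must be one the BIG-IP owns and ARPs for)
build_probe() {
    node=$(strip_v4mapped "$1")
    port=$2
    src=$3
    timeout=${4:-3}
    if [ -n "$src" ]; then
        printf 'nc -z -w %s -s %s %s %s\n' "$timeout" "$src" "$node" "$port"
    else
        printf 'nc -z -w %s %s %s\n' "$timeout" "$node" "$port"
    fi
}

# Run the probe against one pool member. Follows the common external-monitor
# pattern of killing a previous, still-running instance for the same member
# before probing, so a hung nc cannot pile up.
run_monitor() {
    node_ip=$1
    node_port=$2
    pidfile="/var/run/$(basename "$0").${node_ip}.${node_port}.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" 2>/dev/null
    fi
    echo $$ > "$pidfile"

    cmd=$(build_probe "$node_ip" "$node_port" "$SRC_IP" "$TIMEOUT")
    # Any stdout output marks the member UP; stay silent on failure.
    if $cmd >/dev/null 2>&1; then
        echo "UP"
    fi
    rm -f "$pidfile"
}

# Entry point when BIG-IP executes the script with "<ip> <port>".
if [ "$#" -ge 2 ]; then
    run_monitor "$1" "$2"
fi
```

    On the BIG-IP the script would be installed as an external monitor file and `SRC_IP` set as a monitor variable; running `SRC_IP=198.51.100.7 sh monitor.sh ::ffff:203.0.113.10 443` by hand shows whether "UP" is printed. If `SRC_IP` is not a locally configured address, `nc` fails with a bind error and the member is reported DOWN, which is exactly the limitation Aaron points out.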
  • Hi,

    It's facing towards the external subnets, but not part of it.

    It is part of a private subnet, and another public subnet is routed to the floating private IP, so the F5 can have public IP virtual servers and SNATs from the public range.

    Regards,

    Zoltan
  • Hi,

    Even though the LTM doesn't have the subnet specified as a self IP and VLAN, it has the public subnet routed to it.

    I have virtual servers and NAT/SNAT for those IP addresses, and I see the F5 responds to the ARP requests for those addresses.

    I just think it would be a good feature to extend the transparent health check type to make it possible to originate from a specific IP address other than the self IP.

    I tried to use ping, tracepath and traceroute with a different originating IP address, but it was not possible. I will look into the netcat that you proposed.

    Regards,

    Zoltan
  • I concur with Aaron. I cannot get the BIG-IP to use a SNAT for the monitors. The only thing I can think of is SNATing on a router or firewall before it hits the external system.

    /cb
  • Deb_Allen_18
    Historic F5 Account

    As you have discovered, SNATs & NATs apply only to load balanced traffic.

    hoolio is, as usual, right on all counts.

    I am wondering though why you can't use the external address and source NAT at the firewall, allowing only internally initiated requests for the external service ports in question? There should be no load balanced traffic sourced from the LTM self IPs, just system requests like DNS, ssh/ftp outbound by an admin, that kind of stuff.

    If you do want to go the external monitor route, this doc will be most helpful:

    Click here

    If you'd like to pursue this request ("I just think it would be a good feature to extend the transparent health check type to make it possible to originate from a specific IP address other than the self IP."), you can open a case with F5 Support and request a CR (change request) be created (or there might already be a CR for it). This isn't a bad idea, so anyone who thinks it would be valuable, open a case to raise its visibility in Dev.

    HTH

    /deb
    • Woland

      Hi! I got into the situation where the feature mentioned by Zoltan (define a custom source IP for a monitor) would be very helpful. This thread was the only thing I was able to find about this problem. I'm on "bleeding edge" 11.4.1 HF2 LTM running on a VIPRION vCMP guest. Maybe somebody has some information about that CR, or even better about a new feature yet unknown to me. Sorry for reopening such an old thread.

      Thanks!

      Peter

      For the curious:

      - clients > F5 LTM > lots of routers > firewalls > server
      - the load balanced servers and the firewalls before them are at a remote location; people there only want to open 1 source IP for the access through those firewalls...
      - running a standard VS type and hiding every client request behind 1 SNAT IP which is the same as the VS IP