Forum Discussion

TCP179_220919
Feb 14, 2016

Selective SNAT iRule

Hello,


I have LC+LTM to load-balance the outbound traffic across different ISPs, and I want to use a different snatpool for the outbound traffic of each ISP; i.e. ISP1 will use snatpool ISP1, ISP2 will use snatpool ISP2, etc. I have just used the following iRule, but I think this won't work as the address translation is disabled on the VS.


when LB_SELECTED {
    # Pick the SNAT pool according to which ISP gateway the LB selected.
    # [LB::server addr] is the address of the selected pool member (the next-hop router);
    # the switch value must not be brace-quoted, or Tcl will compare the literal string.
    switch [LB::server addr] {
        "Next-Hop Router's IP for ISP1" { snatpool Snat_ISP1 }
        "Next-Hop Router's IP for ISP2" { snatpool Snat_ISP2 }
        "Next-Hop Router's IP for ISP3" { snatpool Snat_ISP3 }
    }
}


Is there a way to achieve the same goal using the outgoing VLAN (each ISP has its own VLAN)? Another suggestion is to have the snatpool IPs configured as additional floating IPs on the respective VLAN. What do you think?


Thanks in advance.


TCP179


1 Reply

  • Hey TCP179,

    there was a very similar question a few weeks ago. The outcome of the request was to use the snippet below...

    when CLIENT_ACCEPTED {
        log local0. "VS Reached"
        # Each branch matches a pair of client subnets and sets the SNAT address
        # and the next-hop gateway for that customer. IP::addr needs the "equals"
        # operator on every comparison.
        if { ( [IP::addr [IP::client_addr] equals 10.32.1.192/26] ) or
             ( [IP::addr [IP::client_addr] equals 10.32.2.0/26] ) } then {
            snat X.X.X.203
            nexthop X.X.X.201
            log local0. " -- SNAT CUSTOMER2 -- "
        } elseif { ( [IP::addr [IP::client_addr] equals 10.32.3.192/26] ) or
             ( [IP::addr [IP::client_addr] equals 10.32.4.0/26] ) } then {
            snat X.X.X.103
            nexthop X.X.X.101
            log local0. " -- SNAT CUSTOMER3 -- "
        } elseif { ( [IP::addr [IP::client_addr] equals 10.32.5.192/26] ) or
             ( [IP::addr [IP::client_addr] equals 10.32.6.0/26] ) } then {
            snat X.X.X.13
            nexthop X.X.X.11
            log local0. " -- SNAT CUSTOMER4 -- "
        } else {
            # No match: keep the SNAT and routing configured on the virtual server
            log local0. " -- SNAT DEFAULT -- "
        }
    }


    Note: The iRule has to be attached to a "Forwarding (IP)" virtual server. You can change the SNATs to become SNATPOOLs as you like.

    Note: Before going the iRules route you may also check if using different "Route Domains" may fit your scenario. It's much more elegant... https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_redundant_systems_config_11_0_0/6.html

    Note: The link to the original post is https://devcentral.f5.com/questions/irule-snat-for-multiple-isp

    Cheers, Kai
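Both the question's LB_SELECTED switch and the reply's CLIENT_ACCEPTED if/elseif chain hard-code the mapping between a network and a SNAT pool inside the iRule, so every new ISP or customer subnet means editing Tcl. The following added example (not code from either post) keeps the iRule generic and moves the mapping into an address-type data group that can be edited without touching the rule. It assumes a data group named dg_nexthop_snatpool whose keys are the ISP gateway addresses (the pool members the LB selects) and whose values are existing snatpool names such as Snat_ISP1; the data group name, the snatpool names and the gateway addresses shown in the comment are all assumptions for illustration. The same lookup keyed on [IP::client_addr] inside CLIENT_ACCEPTED gives the reply's client-subnet variant.

```tcl
# Added example, not part of the original question or reply.
# Assumed address-type data group "dg_nexthop_snatpool" mapping the selected
# gateway (pool member) address to a snatpool name, for instance:
#   192.0.2.1   := Snat_ISP1
#   198.51.100.1 := Snat_ISP2
#   203.0.113.1  := Snat_ISP3
# (example gateway addresses; Snat_ISP* are assumed to exist on the LTM)
when LB_SELECTED {
    # Look the selected gateway up in the data group; "-value" returns the
    # mapped snatpool name, or an empty string when there is no entry.
    set gw [LB::server addr]
    set snat_name [class match -value -- $gw equals dg_nexthop_snatpool]

    if { $snat_name ne "" } {
        # Translate the source to the pool that belongs to this ISP
        snatpool $snat_name
        log local0. "client [IP::client_addr] via gateway $gw -> snatpool $snat_name"
    } else {
        # Unknown gateway: leave the SNAT setting of the virtual server untouched,
        # but log it so a missing data-group entry is noticed rather than silently
        # sending traffic out with the wrong source address.
        log local0. "client [IP::client_addr] via gateway $gw -> no snatpool mapping, using VS default"
    }
}
```

Attach the rule to the outbound forwarding virtual server that carries the gateway pool. Because the decision is taken in LB_SELECTED it follows whichever ISP the Link Controller actually chose for the flow, and the else branch makes a forgotten data-group entry visible in the logs instead of failing quietly.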