Forum Discussion

Raymond_Feng_97's avatar
Raymond_Feng_97
Historic F5 Account
May 10, 2007

Can I SNAT all outbound traffic to one specific source port?

Hi, All

I need to write an iRule. There is one UDP VS, 200.1.1.1:5060, load balancing two servers, ServerA and ServerB. I need the iRule to SNAT ServerA's and ServerB's outgoing traffic so that it uses source IP 200.1.1.1 and source port 5060.

Right now I can use "snat 200.1.1.1" in the iRule to make the outgoing source IP 200.1.1.1, but I can't set the outgoing source port to be just 5060. When both servers send out UDP packets using source port 5060, our LTM changes one of them to a different source port.

My question is, do we have any solution to let the LTM send out traffic using one specific port?

Thanks.

Raymond

8 Replies

  • Raymond_Feng_97's avatar
    Raymond_Feng_97
    Historic F5 Account
    No solutions? Radware can do this!!! This will cause F5 to lose all of the China Mobile SIP application!

    Let me explain the application:

    The China Mobile standard requires both client and server to use port 5060 as the source port. That means all traffic, whether from ClientA to the SIP proxy server or from the SIP server to ClientB, uses 5060 as both source port and destination port. When we do SIP proxy load balancing, the SIP proxy server's outbound INVITE to ClientB is SNATed to the virtual server address, BUT our LTM can't keep the source port at 5060 if all the servers use 5060 as their source port. The Radware SIP solution currently supports that function.

    Somebody will ask why 5060 must be used as the source port: it is because this standard can pass through all firewalls and allows both the SIP client and the SIP proxy to sit behind any firewall NAT.

    My question is, is there any available solution for our LTM to support that?
  • I've never tried it, but the snat command does take a port argument:

    http://devcentral.f5.com/wiki/default.aspx/iRules/snat.html

    snat <addr> [<port>] | none | automap

    In theory, this might allow you to specify the source address and port for connections to the node(s).

    Aaron
  • Actually, re-reading your first post, it sounds like you're already using this option. Is the command working when traffic is being sent to just one of the two nodes? Is the source port changing when TMM is trying to send packets to both nodes at the same time?

    Edit:

    I tested using this rule and saw all packets being sourced from the expected SNAT IP and port:

    
    when CLIENT_ACCEPTED {
       # Translate this connection's source to a fixed SNAT address and port
       snat 192.168.101.41 666
    }

    
    15:25:32.645434 802.1Q vlan4093 P0 192.168.101.41.666 > 192.168.101.45.200: udp 17 (DF)
    0x0000   0ffd 0800 4500 002d 73b6 4000 ff11 bc61        ....E..-s.@....a
    0x0010   c0a8 6529 c0a8 652d 029a 00c8 0019 2306        ..e)..e-.......
    0x0020   686f 7374 2031 2c20 636c 6965 6e74 2031        host.1,.client.1
    0x0030   0a00                                           ..
    15:25:32.887513 802.1Q vlan4093 P0 192.168.101.41.666 > 192.168.101.45.100: udp 7 (DF)
    0x0000   0ffd 0800 4500 0023 73b9 4000 ff11 bc68        ....E..s.@....h
    0x0010   c0a8 6529 c0a8 652d 029a 0064 000f ab14        ..e)..e-...d....
    0x0020   686f 7374 2032 0a00 0000 0000 0000 0000        host.2..........
    0x0030   0000                                           ..
    15:25:34.418260 802.1Q vlan4093 P0 192.168.101.41.666 > 192.168.101.45.200: udp 17 (DF)
    0x0000   0ffd 0800 4500 002d 73c5 4000 ff11 bc52        ....E..-s.@....R
    0x0010   c0a8 6529 c0a8 652d 029a 00c8 0019 2305        ..e)..e-.......
    0x0020   686f 7374 2031 2c20 636c 6965 6e74 2032        host.1,.client.2
    0x0030   0a00                                           ..
    15:25:34.983116 802.1Q vlan4093 P0 192.168.101.41.666 > 192.168.101.45.100: udp 7 (DF)
    0x0000   0ffd 0800 4500 0023 73ca 4000 ff11 bc57        ....E..s.@....W
    0x0010   c0a8 6529 c0a8 652d 029a 0064 000f ab14        ..e)..e-...d....
    0x0020   686f 7374 2032 0a00 0000 0000 0000 0000        host.2..........
    0x0030   0000                                           ..

    Aaron
  • Raymond_Feng_97's avatar
    Raymond_Feng_97
    Historic F5 Account
    haha, thanks. So far the testing seems OK, but I need to find some tools to generate continuous packets from 2-3 servers.
  • If you have *nix boxes or hosts with cygwin installed, you can use something like this (where 1.1.1.1 is the VIP and 100 is the port) to send a packet every 5 seconds with a payload indicating the packet is from host 1, client 1:

    while true; do echo 'host 1, client 1' | nc -u 1.1.1.1 100; sleep 5; done

    Aaron
  • Raymond_Feng_97's avatar
    Raymond_Feng_97
    Historic F5 Account
    haha, I just use our BIG-IP. Can you help me write a shell script to generate 1000 UDP packets without a delay? (1 second is too slow.)
  • This should send 1000 sequential requests without a delay:

    # Double quotes so that $i is expanded into the payload
    for i in $(seq 1 1000); do echo "host 1, client 1 test $i" | nc -u 1.1.1.1 100; done

    Aaron
  • Raymond_Feng_97's avatar
    Raymond_Feng_97
    Historic F5 Account
    I have done the testing and got the results below:

    1> Yes, we can use "snat a.b.c.d 5060" to set the source port, but when two internal servers send out with the same source port, the LTM automatically changes one of them to a different source port.

    2> For now, I have just set the outbound forwarding virtual server's FastL4 profile to time out immediately. Then there is no connection entry for the SNAT, so there is no source port change problem.
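To make result 1> above concrete, here is a small Python model of a stateful SNAT connection table. It is an illustration added to this thread, not F5 code and not how TMM is implemented; the backend and client addresses are constructed for the example, and only 200.1.1.1:5060 comes from the question. It shows that the port change is forced only when two backends talk to the same peer from the same source port, because the two reply 5-tuples would otherwise be identical and a reply could not be mapped back to the right server, and it models the immediate-timeout workaround from result 2> as `stateless=True`, which keeps the port but gives up the reverse mapping.

```python
"""Toy model of a stateful SNAT table (illustration only, not BIG-IP/TMM code).

Assumptions made for this example: a translated flow is stored so that its
reply can be mapped back to the inside host, and two inside flows may not share
one translated 5-tuple, since the reply would then be ambiguous.  On a
collision the model falls back to an ephemeral port, which is the
'LTM changes one source port' behaviour reported in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP/TCP flow, identified by its 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow will carry."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class SnatTable:
    def __init__(self, snat_ip: str, snat_port: int, stateless: bool = False,
                 ephemeral: Tuple[int, int] = (1024, 65535)) -> None:
        self.snat_ip = snat_ip
        self.snat_port = snat_port
        self.stateless = stateless            # models an immediate idle timeout
        self._next_ephemeral, self._ephemeral_end = ephemeral
        self.outbound: Dict[Flow, Flow] = {}  # inside flow -> translated flow
        self.inbound: Dict[Flow, Flow] = {}   # expected reply tuple -> inside flow

    def translate(self, flow: Flow) -> Flow:
        """Return the post-SNAT flow for an inside flow, allocating if needed."""
        if flow in self.outbound:
            return self.outbound[flow]
        wanted = Flow(flow.proto, self.snat_ip, self.snat_port, flow.dst_ip, flow.dst_port)
        if self.stateless:
            # No entry is kept, so nothing can collide and the port is always
            # preserved; the price is that lookup_reply() can never match.
            return wanted
        translated = wanted
        while translated.reverse() in self.inbound:
            # Collision: another inside host already owns this reply tuple,
            # so a different source port must be used.
            translated = Flow(flow.proto, self.snat_ip, self._alloc_port(),
                              flow.dst_ip, flow.dst_port)
        self.outbound[flow] = translated
        self.inbound[translated.reverse()] = flow
        return translated

    def _alloc_port(self) -> int:
        if self._next_ephemeral > self._ephemeral_end:
            raise RuntimeError("ephemeral port range exhausted")
        port = self._next_ephemeral
        self._next_ephemeral += 1
        return port

    def lookup_reply(self, reply: Flow) -> Optional[Flow]:
        """Map a packet arriving at the SNAT address back to the inside flow."""
        return self.inbound.get(reply)


SNAT_IP, SNAT_PORT = "200.1.1.1", 5060                 # the VS from the question
SERVER_A, SERVER_B = "10.0.0.11", "10.0.0.12"          # constructed backends
CLIENT_B, CLIENT_C = "198.51.100.20", "198.51.100.30"  # constructed SIP clients


def run_scenario(stateless: bool = False) -> Dict[str, object]:
    """Both backends send from source port 5060 through 'snat 200.1.1.1 5060'."""
    table = SnatTable(SNAT_IP, SNAT_PORT, stateless=stateless)
    a_to_b = Flow("udp", SERVER_A, 5060, CLIENT_B, 5060)
    b_to_b = Flow("udp", SERVER_B, 5060, CLIENT_B, 5060)  # same peer as ServerA
    b_to_c = Flow("udp", SERVER_B, 5060, CLIENT_C, 5060)  # a different peer
    result: Dict[str, object] = {
        "a_to_b_src_port": table.translate(a_to_b).src_port,
        "b_to_b_src_port": table.translate(b_to_b).src_port,
        "b_to_c_src_port": table.translate(b_to_c).src_port,
    }
    reply = Flow("udp", CLIENT_B, 5060, SNAT_IP, SNAT_PORT)
    hit = table.lookup_reply(reply)
    result["reply_from_client_b_maps_to"] = hit.src_ip if hit else None
    return result


if __name__ == "__main__":
    print("stateful :", run_scenario())
    print("stateless:", run_scenario(stateless=True))
```

In the stateful run ServerA keeps 5060 towards ClientB, ServerB towards the same ClientB is pushed to an ephemeral port, and ServerB towards a different ClientC keeps 5060. In the stateless run every flow keeps 5060 but a reply to 200.1.1.1:5060 matches no entry. That is the caveat to keep in mind with the immediate-timeout workaround: return packets are not handed back to the sending proxy through the SNAT but arrive as fresh traffic at 200.1.1.1:5060, i.e. at the SIP VS itself, and whether the proxies cope with replies being load balanced instead of returned is something this thread does not test.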