Forum Discussion

samir_110997
Nov 10, 2007

PLEASE HELP: conditional SNAT and traffic redirection


Hi everybody,

As I'm not familiar with iRules, I really need your help to correct my iRule, because the site is at risk.

I have created a standard virtual server for the HTTP traffic (port 80) and an iRule to redirect all HTTP traffic to the second Internet provider (ISP2), but there is one exception: for three servers, the HTTP traffic should be directed to the first Internet provider (ISP1) and must be NATed differently.

This is my iRule:

when LB_SELECTED {
  if { [IP::addr [IP::client_addr] equals 172.24.95.139] } {
    snat 196.29.40.139
    pool Pool_Routeur_ISP1
  } elseif { [IP::addr [IP::client_addr] equals 172.24.95.133] } {
    snat 196.29.40.133
    pool Pool_Routeur_ISP1
  } elseif { [IP::addr [IP::client_addr] equals 172.24.95.135] } {
    snat 196.29.40.135
    pool Pool_Routeur_ISP1
  } elseif { [TCP::local_port] == 80 } {
    pool Pool_Routeur_ISP2
  } elseif { [TCP::local_port] == 443 } {
    pool Pool_Routeur_ISP2
  } else {
    snat automap
  }
}


Thanks to all in advance.

3 Replies

  • Deb_Allen_18
    Historic F5 Account
    Sounds like you're LB'ing outbound links?

    And the flow I think you are describing is:
    * All HTTP/S traffic for 3 clients will be sent out ISP1 with unique SNATs
    * All other HTTP/S traffic will be sent out ISP2 with auto SNAT
    * All non-HTTP/S traffic will be load balanced to the default pool (not managed by the rule).

    I'd recommend creating a class list (data group list) of type string containing the list of servers you want to send through ISP1 and their SNAT addresses. It's easier to maintain the class than to modify the rule if things change.
    class ISP1_server_SNATs {
      172.24.95.139 196.29.40.139
      172.24.95.135 196.29.40.135
      172.24.95.133 196.29.40.133
    }

    Then this rule would be applied to a forwarding virtual server enabled on the server vlan to direct traffic as you describe (comment out log lines after verifying):

    when CLIENT_ACCEPTED {
      if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
        # findclass returns the remainder of the matching entry, or "" if no match
        set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
        if { $mySNAT != "" } {
          log local0. "SNATing [IP::client_addr] to $mySNAT over ISP1"
          snat $mySNAT
          pool Pool_Routeur_ISP1
        } else {
          log local0. "SNATing [IP::client_addr] to auto SNAT over ISP2"
          snat automap
          pool Pool_Routeur_ISP2
        }
      }
    }

    HTH

    /deb
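As an added illustration, not iRule code from the thread and not F5's own code, the decision logic of the two rules above can be tabulated in plain Python against a handful of constructed flows. This is the check a practitioner would run before applying either rule on a forwarding virtual server: it shows that the first rule tests the client address before the port (so on a wildcard virtual server every port from the three clients would leave via ISP1) and that its port 80/443 branches set no SNAT at all, while the data-group rule only touches 80/443 and always SNATs. The class text is the one Deb posted; the flows, function names and the parser are assumptions made for this example.

```python
"""Policy-table model of the two outbound iRules in the thread.

Added example: re-implements the rules' decision logic in Python so the
(pool, snat) outcome per flow can be compared offline. Not BIG-IP code.
"""
import ipaddress

# String data group as it would appear in bigip.conf, one "<client> <snat>"
# pair per entry. Copied from the thread; the parser below is an assumption.
ISP1_SERVER_SNATS = """
class ISP1_server_SNATs {
  172.24.95.139 196.29.40.139
  172.24.95.135 196.29.40.135
  172.24.95.133 196.29.40.133
}
"""


def parse_class(text):
    """Return {client_ip: snat_ip} from a 'class name { ... }' block.

    Mirrors what findclass does at lookup time: the key is the text up to
    the first separator, the value is the remainder. Malformed entries or
    entries outside the block raise instead of silently becoming "no match",
    because a silent miss would route a privileged client out the wrong ISP.
    """
    mapping = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip().strip('"')      # v9 string entries may be quoted
        if not line:
            continue
        if line.startswith("class ") and line.endswith("{"):
            inside = True
            continue
        if line == "}":
            inside = False
            continue
        if not inside:
            raise ValueError(f"entry outside class block: {raw!r}")
        key, sep, value = line.partition(" ")
        if not sep or not value.strip():
            raise ValueError(f"entry needs '<client> <snat>': {raw!r}")
        # Validate both sides as IPv4 so a typo fails here, not on the box.
        mapping[str(ipaddress.ip_address(key))] = str(
            ipaddress.ip_address(value.strip()))
    return mapping


def route_original(client_ip, dst_port, snats):
    """Decision logic of the poster's LB_SELECTED rule.

    Returns (pool, snat); None means the rule did not set it. The client
    test runs before the port test, and the 80/443 branches set no SNAT.
    """
    if client_ip in snats:
        return ("Pool_Routeur_ISP1", snats[client_ip])
    if dst_port in (80, 443):
        return ("Pool_Routeur_ISP2", None)
    return (None, "automap")


def route_classbased(client_ip, dst_port, snats):
    """Decision logic of the CLIENT_ACCEPTED rule built on the data group."""
    if dst_port not in (80, 443):
        return (None, None)                 # left to the virtual server
    snat = snats.get(client_ip)             # findclass: "" on no match
    if snat is not None:
        return ("Pool_Routeur_ISP1", snat)
    return ("Pool_Routeur_ISP2", "automap")


# Constructed sample flows (client, destination port); not from the thread.
SAMPLE_FLOWS = [
    ("172.24.95.139", 80),
    ("172.24.95.133", 443),
    ("172.24.95.139", 25),    # non-HTTP traffic from an ISP1 client
    ("172.24.95.200", 80),    # ordinary client, HTTP
    ("172.24.95.200", 22),    # ordinary client, SSH
]


def decision_table(flows, rule, snats):
    return {flow: rule(flow[0], flow[1], snats) for flow in flows}


def differing_flows(flows, snats):
    """Flows where the two rules disagree: the set to review before cut-over."""
    a = decision_table(flows, route_original, snats)
    b = decision_table(flows, route_classbased, snats)
    return [f for f in flows if a[f] != b[f]]


if __name__ == "__main__":
    table = parse_class(ISP1_SERVER_SNATS)
    for flow in SAMPLE_FLOWS:
        print(flow, route_original(*flow, table), route_classbased(*flow, table))
    print("differ:", differing_flows(SAMPLE_FLOWS, table))
```

Running it lists three disagreeing flows: SMTP from 172.24.95.139 (ISP1 under the first rule, untouched under the second), HTTP from an ordinary client (no SNAT under the first rule, automap under the second) and SSH from an ordinary client (automap with no pool under the first rule, untouched under the second). The missing SNAT on the first rule's ISP2 branch is the one to care about: return traffic from ISP2 would be addressed to the untranslated internal source unless the virtual server itself carries a SNAT setting.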
  • I get an error when applying the iRule. Please, can anyone have an idea about this:

    01070151:3: Rule [F5_Traffic] error:
    line 1: [undefined procedure: class] [class ISP1_server_SNATs {
    172.24.95.139 196.29.40.139
    172.24.95.135 196.29.40.135
    172.24.95.133 196.29.40.133
    }]
    line 7: [parse error: missing close-brace] [{
    if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
    set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
    if { $mySNAT != "" } {
    snat $mySNAT
    pool Pool_Routeur_ISP1
    } else {
    snat automap
    pool Pool_Routeur_ISP2
    }
    }]
    line 8: [command is not valid in the current scope] [if { ([TCP::local_port] == 80) || ([TCP::local_port] == 443) } {
    set mySNAT [findclass [IP::client_addr] $::ISP1_server_SNATs " "]
    if { $mySNAT != "" } {
    snat $mySNAT
    pool Pool_Routeur_ISP1
    } else {
    snat automap
    pool Pool_Routeur_ISP2
    }
    }]


  • The data group (called a class in the bigip.conf) definition should be separate from the iRule. You can create a data group in the GUI under Local Traffic >> iRules >> Datagroup List.

    Aaron