Forum Discussion

Oleg_68900
Feb 10, 2009

Two ISP – how to configure outbound traffic.

Setup

Two ISP (external subnets A & B respectively)

VLANS
  internal (subnet X)
  external (subnet A)
  external2 (subnet B)

LTM default gateway (DGW) points to ISP A

All inbound virtual servers configured in pairs:
  Two virtual servers: a1 & b1 (on subnets A & B respectively)
  One pool serving requests for both a1 & b1

It works just fine.

For outbound traffic I want to be able to create different SNATs (with IP a2 & b2) for different internal IPs

For example:
  x1 (internal server) uses a2 and
  x2 (another internal server) uses b2.

snat a2 {
   translation a2
   vlans internal enable
   origins
      x1
}

snat b2 {
   translation b2
   vlans internal enable
   origins
      x2
}

snat a2 works fine
snat b2 doesn’t work

*LTM default gateway points to ISP A

What do I need to do to make snat b2 work?

I guess I can change LTM DGW to point to B, but snat a2 will stop working then…

I do need “more than one” SNAT on both A & B…

5 Replies

  • You need to create a pool with both gateways and use that pool as the LTM default gateway. That way it will use the correct gateway for whichever SNAT is used.

    Denny
  • Denny,

    I tried that before.

    I thought I needed a gateway pool for auto last hop to work properly.

    Turned out – auto last hop works fine with default gateway set to an IP on subnet A.

    But having a gateway pool instead of an IP results in much longer outbound access for subnet A, and didn’t resolve the B outbound issues.

    Am I missing something?

    Do I need any forwarding servers at all?

  • I made a few more tests:

    1. Create & assign gateway pool with one member only – DGW for subnet A
       Hosts SNATed to subnet A work
       Hosts SNATed to subnet B don’t work
       I.e. works, as expected, exactly the same way as DGW set to IP in subnet A

    2. Did same for B – again, as expected, works for B but not for A.

    Now,

    3. LTM DGW is set to gateway pool with two members – DGWs for subnet A & B
       It works for both subnets, A & B, but the browsing is extremely slow.
       Ping always times out, and that’s why I thought it wouldn’t work at all.
       I was just not patient enough. :-)

    Overall result – yes it works, but it’s unacceptable.

    I assume something is wrong with my configuration.

    Gateway pool load balancing method is Round Robin – does it matter at all?

    Both SNAT & NAT translation are disabled.

    I tried changing SNAT & NAT in cases 1 & 2 – they make no difference.

    Browsing is very fast in both 1 & 2.

    Still wondering what I might be missing?

  • A little more info:

    In case 3 (LTM DGW is set to gateway pool with two members – DGWs for subnet A & B)

    Firewall between A and “outside world” shows packets with Source Addresses from both A & B subnets. Obviously, only the ones from A get their responses.

    I don’t have access to firewall B, but I guess it should be a very similar picture – hence very slow browsing – it keeps retrying until it hits the “right gateway”.

  • v9 has a nice debugging mechanism called iRules. :-)

    I wrote a simple rule to log packet IPs, ports and next/last hops

    Log shows, in case 3 LTM chooses the gateway absolutely randomly (or should I say “round robin”?)

    The only way to make it work is to use the very same iRules to assign the appropriate gateway.

    With iRules everything works just fine, but it’s somewhat impractical as there is no way to script them – at least I don’t know how.

    Back to original problem:

    Default gateway pool with 2 gateways doesn’t work at all.

    I guess it should – it is no big deal to compare the SNATed IP with the available gateways and choose the right one.

    The one difference between my config and the average Joe’s – subnet B is /26 and A is /24

    Anyway, SNATed IP and gateway both belong to the same subnet – even iRules won’t help otherwise…

    The good thing about it – it made me learn a little bit of iRules ;-)
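An added example of the kind of iRule the last reply describes (this is not the poster's rule): attached to the wildcard forwarding virtual server on the internal VLAN, it ties the SNAT translation and the gateway pool together per internal source address, so traffic SNATed into subnet A always leaves through ISP A's gateway and traffic SNATed into subnet B through ISP B's. All addresses and the pool names gw_pool_A / gw_pool_B are constructed placeholders (RFC 5737 ranges); substitute your own x1, x2, a2, b2 and gateway pools.

```tcl
# Added example, not the poster's rule. Apply to a 0.0.0.0:0 forwarding
# virtual server on the internal VLAN. Each branch sets the SNAT address
# and selects the gateway pool that sits in the same external subnet, which
# is the pairing a plain round-robin gateway pool cannot guarantee.
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        "10.0.1.10" {
            # x1 (placeholder): SNAT to a2 and route via ISP A's gateway
            snat 198.51.100.20
            pool gw_pool_A
            set gw "gw_pool_A"
        }
        "10.0.1.20" {
            # x2 (placeholder): SNAT to b2 and route via ISP B's gateway
            snat 203.0.113.20
            pool gw_pool_B
            set gw "gw_pool_B"
        }
        default {
            # Everything else keeps today's behaviour: out through ISP A
            pool gw_pool_A
            set gw "gw_pool_A"
        }
    }
    # Same style of logging the poster used to see which hop was chosen;
    # check /var/log/ltm to confirm each source address lands on its gateway.
    log local0. "outbound [IP::client_addr] -> [IP::local_addr] via $gw"
}
```

The log line is the check: if a source address ever shows up with the wrong pool name, the switch branches and the SNAT/gateway pairing need to be revisited.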