Forum Discussion

Heidi_35827
Nimbostratus
Jun 05, 2014

iRule for using SNAT and Next-Hop for specific pool member only

I have a unique situation that I believe could be solved with an iRule, but I need some help.

 

We have two DMZs - Production and DR. Each DMZ has an F5 LTM. In each DMZ we are setting up Google Proxy appliances. What is unique is that we want the failover to be as seamless as possible in the event of an appliance failure. Our original idea was to use Priority Group Activation and put both the Prod Google Appliance and the DR Google Appliance (one in each DMZ) in each pool for the Google Search VIPs (DR and Prod). The local appliance has the LTM as its default gateway, so it doesn't require a SNAT. The remote appliance, of course, does not and will require a SNAT. Also we need to tell the F5 where to send the traffic for the next hop if the remote appliance is chosen in the pool.

 

We want to apply a SNAT and directions for the next hop if the remote appliance is chosen in the pool. Can anyone offer any guidance in writing this iRule? Are we approaching this with the right idea; is an iRule the right way to solve this? Any help appreciated.

 

2 Replies

  • You can enable/disable snat after the server is selected in LB_SELECTED.

    e.g.

     floating self ip (snat automap)
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list net self 200.200.200.14/24
    net self 200.200.200.14/24 {
        address 200.200.200.14/24
        allow-service {
            default
        }
        floating enabled
        traffic-group traffic-group-1
        unit 1
        vlan internal
    }
    
     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 41
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
            200.200.200.111:80 {
                address 200.200.200.111
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when LB_SELECTED {
            switch [LB::server addr] {
                200.200.200.101 { snat automap }
                default { snat none }
            }
        }
        when SERVER_CONNECTED {
            log local0. "[IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]"
        }
    }
    
     test
    
    [root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
    Jun  5 07:56:09 ve11a info tmm1[9801]: Rule /Common/qux SERVER_CONNECTED: 200.200.200.14:44267 > 200.200.200.101:80
    Jun  5 07:56:11 ve11a info tmm[9801]: Rule /Common/qux SERVER_CONNECTED: 172.28.24.1:44268 > 200.200.200.111:80
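    The reply above hard-codes one member address in a switch and only handles the SNAT half of the question. The following iRule is an added example, not code from the thread or from F5: it generalizes the same LB_SELECTED idea to any number of remote appliances by looking the selected member up in a data group, and it also sets the next hop for the remote case with the iRule nexthop command (the thread itself solved next hop with a static route instead). The data group name remote_google_appliances, the router address 10.10.20.1 and the pool member addresses are assumptions for illustration.

```tcl
# Added example iRule (not from the original thread). Assumes an address-type
# data group named "remote_google_appliances" that lists the pool members
# living in the other DMZ, e.g. 200.200.200.111 (hypothetical addresses).

when RULE_INIT {
    # Hypothetical inter-DMZ router that can reach the remote appliance
    # (assumption; replace with the real next-hop address).
    set static::remote_nexthop "10.10.20.1"
}

when LB_SELECTED {
    # LB::server addr is the member chosen by the pool's load balancing
    # (including Priority Group Activation), so this runs per selection.
    if { [class match [LB::server addr] equals remote_google_appliances] } {
        # Remote appliance: it does not use this LTM as its default gateway,
        # so source-NAT to a floating self IP (automap) so return traffic
        # comes back through this LTM, and send the connection to the router
        # that reaches the other DMZ.
        snat automap
        nexthop $static::remote_nexthop
        log local0. "remote member [LB::server addr] selected: snat automap, nexthop $static::remote_nexthop"
    } else {
        # Local appliance routes back via this LTM: keep the client IP.
        snat none
    }
}

when SERVER_CONNECTED {
    # Shows which source address the server actually sees for each member.
    log local0. "[IP::local_addr]:[TCP::local_port] > [IP::remote_addr]:[TCP::remote_port]"
}
```

    Two points to check when deploying something like this: snat automap picks a floating self IP on the VLAN the connection egresses through, so that VLAN must have a floating self IP (as in the net self listing above) or the SNAT will fail; and the virtual server should not also have source-address-translation set to automap if you want the local member to see the real client address, since the iRule's snat none only overrides the virtual's setting for the local case.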
    
  • Thank you! We may have solved the next-hop issue with a static route, but still looking to do the SNAT only on the one node. Will give the LB_SELECTED idea a go and let you know.