Forum Discussion

Maverick_80689
Sep 10, 2014

Internet access doesn't work with LB as gateway and SNAT disabled, but if we use a snatpool it works. Does anybody know why?

Internet access doesn't work with LB as gateway and SNAT disabled, but if we use a snatpool it works. I am not sure what the source addr of outbound internet traffic will be when it passes through our LTM. Will it be the VIP IP or the pool member IP addr?


8 Replies

  • 
    nathe

    The NATed address will be the IP address configured in the SNAT pool.


  • As Nathan said.


    Keep in mind, if the snatpool you're using for outbound traffic has more than one IP, the outbound NAT'd IP address could be any of the IPs in that snatpool. It will not necessarily always be the same IP address.


    Jason


    • 
      nathe
      Thanks Jason - should've been a bit clearer on that specific point ;-)
  • So a couple of things going on here that might be causing problems.

    1. Is the F5 the network gateway for the box that is trying to access the internet? If it's not, and you're not using SNAT, the F5 will be bypassed on the return (SYN/ACK). Depending on your config, this could be the problem.
    2. There could be rules restricting what addresses are permitted out to the internet. The SNAT addresses might be permitted, but the client address may not be. Again, depending on configuration.


    But let's start with some really basic stuff:

    1. Is the client addressed with a public address (i.e. not 10.x.x.x or 192.168.x.x, etc.)?
    2. Is the SNAT address public?
    3. Is something else in the path doing filtering?
    4. Is there something else in the path doing address translation, public to private?
    5. Is the F5 the default gateway for the client network?


  • Ok here are the answers:


    1. Snatpool has only one IP address.
    2. LB is the default gateway, and both the client and SNAT addr are private since we have a firewall in front of the LB.
    3. Firewall is allowing the complete subnet that includes client pool members, LB self IPs and the VIP subnet.

    So the outbound traffic without a snatpool will have the client as the source IP addr, but I don't see that traffic hitting the firewall. But when the snatpool is enabled, it goes through to the internet using the firewall PAT IP addr. It seems that the LB is dropping traffic initiated from pool members if we don't enable SNAT.


  • I think you may need to post the config of your Forwarding Virtual Servers. This sounds like a one armed configuration, and if the BigIP is the gateway, you will need to allow loose initiation on the forwarding Virtual Server to allow responses to traffic generated directly to the servers. Also, get a traffic capture so you can match up your traffic and which VS is processing it.


    tcpdump -X -npi 0.0:nnn -s 0 host 1.2.3.4 (of course change this to your test host)


    It will show you the VS name that is processing the traffic, in the lis= field of the output below. If this listener is blank, then the BigIP could not match the traffic to an acceptable VS.


    14:29:57.186546 IP xx.xx.xx.xx.10095 > xx.xx.xx.xx.http: R 1:1(0) ack 1 win 0 out slot1/tmm3 lis=dev.my.host flowtype=64 flowid=987FB00 peerid=0 conflags=124 inslot=0 inport=0 haunit=1 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

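As an added example (not code from this thread or from F5), here is a small Python parser for the BIG-IP tcpdump trailer Chris describes: it pulls the lis= field out of each line, counts packets per listener, and reports the flows that no virtual server accepted. The sample capture is constructed; the listener name /Common/outbound_fwd, the addresses and the VLAN id are assumptions.

```python
import re
from typing import Dict, List, Optional

# Endpoints from the tcpdump summary: "IP 10.1.1.5.10095 > 203.0.113.7.http:"
ENDPOINTS_RE = re.compile(r"\bIP\s+(\S+)\.(\S+)\s+>\s+(\S+)\.(\S+?):")
# BIG-IP trailer appended after the packet summary: "in slot1/tmm3 lis=... flowid=..."
TRAILER_RE = re.compile(r"\b(?:in|out)\s+(?:slot\d+/)?tmm\d+\s+(?P<fields>.*)$")
# key=value pairs in the trailer; "\S*" so an empty value such as "lis=" is kept
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[dict]:
    """Extract src/dst endpoints and trailer fields; None if no BIG-IP trailer."""
    ep = ENDPOINTS_RE.search(line)
    tr = TRAILER_RE.search(line)
    if ep is None or tr is None:
        return None
    fields = dict(FIELD_RE.findall(tr.group("fields")))
    return {
        "src": f"{ep.group(1)}:{ep.group(2)}",
        "dst": f"{ep.group(3)}:{ep.group(4)}",
        "listener": fields.get("lis", ""),  # empty => no virtual server matched
        "flowid": fields.get("flowid", ""),
    }


def listener_counts(capture: str) -> Dict[str, int]:
    """Count packets per listener; the key "" collects packets no VS accepted."""
    counts: Dict[str, int] = {}
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["listener"]] = counts.get(rec["listener"], 0) + 1
    return counts


def unmatched_flows(capture: str) -> List[str]:
    """Return "src -> dst" for every packet logged with an empty lis= field."""
    return [f'{r["src"]} -> {r["dst"]}'
            for r in map(parse_line, capture.splitlines())
            if r is not None and r["listener"] == ""]


# Constructed sample (not from the thread): a client behind the BIG-IP opens two
# outbound connections; the second one is never matched to a virtual server.
SAMPLE_CAPTURE = """\
14:29:57.186546 IP 10.1.1.5.10095 > 203.0.113.7.http: S 100:100(0) win 8192 in slot1/tmm3 lis=/Common/outbound_fwd flowtype=64 flowid=987FB00 peerid=0 conflags=124 inslot=0 inport=0 haunit=1 proto=0 vlan=4093
14:29:57.186900 IP 10.1.1.5.10096 > 203.0.113.7.http: S 200:200(0) win 8192 in slot1/tmm1 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=0 inport=0 haunit=1 proto=0 vlan=4093
14:29:58.001200 IP 203.0.113.7.http > 10.1.1.5.10095: S 300:300(0) ack 101 win 65535 out slot1/tmm3 lis=/Common/outbound_fwd flowtype=64 flowid=987FB00 peerid=0 conflags=124 inslot=0 inport=0 haunit=1 proto=0 vlan=4093
"""
```

Run it against the output of the tcpdump command above: every flow reported by unmatched_flows() is one the BIG-IP saw but had no forwarding virtual server for.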

  • I agree with Chris. There's one more thing that could be an issue. Does the FW have an interface on the same network as the server that's trying to get to the internet?


    Might be a good idea to give us a look at the config for the FWD as well as an idea of the physical connections involved.