Forum Discussion

Scott_Hopkins
Jul 06, 2008

Question on LTM Wild Card Virtual Servers

If a host (with a BigIP as its default gateway) establishes a new connection to the BigIP, in what order will it apply Virtual Server, SNAT, Wild-Card Virtual Server configurations?

Our situation:

We currently have multiple hosts behind our LTM devices that not only serve requests via Virtual Servers, but also communicate directly to some of the client hosts. Due to infrastructure requirements, (an effort to keep the number of participants in our routing infrastructure low), the LTM does not have an active part in routing, and currently drops all traffic on the floor that is not either a response, or covered by a SNAT.

This means that any clients communicating through the VIP (which get routed back to the LTM via static routes) can only communicate via the BigIP (and therefore lose direct communication with the application servers), unless we add a SNAT for the client host (which requires additional static routes on the client machines).

We're looking to change this by using a wild-card virtual server for each VLAN, with an iRule that would either SNAT the traffic outbound, or force the traffic to the router for that VLAN. This would coincide with making the LTM the default gateway for all of these machines. I've seen some of the other multi-gateway routing threads, and wondered if the LTM would work like this:

VIRTUAL SERVER :

Is the destination IP a virtual server I host?

Yes, send traffic to the virtual server.

No, fall to SNAT.

SNAT:

Do I have a SNAT rule for this source IP?

Yes, use the SNAT.

No, fall to Wild Card Virtual Server (WC-VS).

WC-VS:

Use an iRule to determine how to process the traffic (iRule below).

iRule

Pre-defined Classes / Data Groups:

       routed_network_list = List of ip/subnets that require a routable address
       local_srvr_list     = List of Servers that need to be SNAT'ed to allow direct machine to machine communication.

 
 when CLIENT_ACCEPTED {
     # iRule commands are case-sensitive: IP::remote_addr, not ip::remote_addr.
     if { [matchclass [IP::remote_addr] equals $::routed_network_list] } {
         # SNAT traffic to the routable networks
         snat 64.x.x.52
     } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list] } {
         # SNAT traffic to the other internal machines
         snat 10.10.8.3
     } else {
         # Send everything else to the default router for this VLAN.
         node 10.10.8.1
     }
 }

If not, how does it decide what to apply first? Does this seem like a reasonable approach, or is there a better way to achieve what we are looking for?

3 Replies

  • The precedence for matching would be the most specific VIP, then the wildcard VIP, then the SNAT. The SNAT will take effect if there isn't a SNAT setting enabled on the VIP and/or pool. If you use a rule to specify a SNAT it will override both the SNAT options on the VIP and/or pool as well as a default SNAT.

    To simplify the troubleshooting process if the above rule and classes don't work, you could add logging:

     when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: new connection to [IP::local_addr]:[TCP::local_port]"
        if { [matchclass [IP::remote_addr] equals $::routed_network_list] } {
           # SNAT traffic to the routable networks
           log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::routed_network_list"
           snat 64.x.x.52
        } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list] } {
           # SNAT traffic to the other internal machines
           log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::local_srvr_list"
           snat 10.10.8.3
        } else {
           # Send everything else to the default router for this VLAN.
           log local0. "[IP::client_addr]:[TCP::client_port]: default"
           node 10.10.8.1
        }
     }
     when SERVER_CONNECTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: connected to [IP::remote_addr]:[TCP::remote_port]"
     }

    Aaron
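To make the precedence in this reply concrete, here is an added Python model of the order it describes (most specific virtual server first, then the wildcard virtual server, then SNAT objects) combined with the decision logic of the question's wildcard iRule. This is example code written for this thread, not F5 code and not from any poster. The data-group contents, virtual server names and SNAT translation addresses are constructed samples, and the question's elided 64.x.x.52 is stood in for by the documentation address 203.0.113.52.

```python
"""
Model of BIG-IP LTM connection-processing precedence for a new flow.
Added example, not F5 code: it encodes the order the reply above gives
(most specific virtual, then wildcard virtual, then SNAT) and the
question's CLIENT_ACCEPTED logic. All addresses and names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed stand-ins for the question's two data groups.
ROUTED_NETWORK_LIST = [IPNet("172.16.0.0/16"), IPNet("192.0.2.0/24")]
LOCAL_SRVR_LIST = [IPNet("10.10.8.20/32"), IPNet("10.10.8.21/32")]

# Constructed stand-ins for the iRule's literal addresses
# (203.0.113.52 replaces the elided 64.x.x.52 from the question).
ROUTABLE_SNAT = "203.0.113.52"
INTERNAL_SNAT = "10.10.8.3"
VLAN_ROUTER = "10.10.8.1"


def matchclass(addr: str, data_group: list[IPNet]) -> bool:
    """Equivalent of `matchclass $addr equals $::group` for an address list."""
    ip = IPAddr(addr)
    return any(ip in net for net in data_group)


@dataclass
class Decision:
    stage: str                    # "virtual", "snat" or "drop"
    virtual: Optional[str] = None
    snat: Optional[str] = None    # translation address; None = no SNAT
    next_hop: Optional[str] = None


def wildcard_irule(client_addr: str) -> Decision:
    """Python rendering of the question's CLIENT_ACCEPTED branches."""
    if matchclass(client_addr, ROUTED_NETWORK_LIST):
        return Decision("virtual", snat=ROUTABLE_SNAT)    # snat 64.x.x.52
    if matchclass(client_addr, LOCAL_SRVR_LIST):
        return Decision("virtual", snat=INTERNAL_SNAT)    # snat 10.10.8.3
    return Decision("virtual", next_hop=VLAN_ROUTER)      # node 10.10.8.1


@dataclass
class VirtualServer:
    name: str
    destination: IPNet             # host VIP = /32, wildcard = 0.0.0.0/0
    vs_snat: Optional[str] = None  # SNAT configured on the virtual itself
    irule: Optional[Callable[[str], Decision]] = None


@dataclass
class Snat:
    name: str
    origins: list[IPNet]           # original (source) addresses
    translation: str


def process_connection(src: str, dst: str, virtuals: list[VirtualServer],
                       snats: list[Snat],
                       default_snat: Optional[str] = None) -> Decision:
    # Step 1: virtual servers. The most specific destination wins, so a
    # host VIP (/32) beats the wildcard (/0) for the same flow.
    hits = [vs for vs in virtuals if IPAddr(dst) in vs.destination]
    if hits:
        vs = max(hits, key=lambda v: v.destination.prefixlen)
        d = vs.irule(src) if vs.irule else Decision("virtual")
        d.virtual = vs.name
        # A snat chosen by the iRule overrides the VS SNAT and default SNAT;
        # otherwise the VS setting applies, then the default SNAT.
        if d.snat is None:
            d.snat = vs.vs_snat or default_snat
        return d
    # Step 2: no virtual claimed the flow, so SNAT objects are consulted.
    for s in snats:
        if matchclass(src, s.origins):
            return Decision("snat", snat=s.translation)
    if default_snat:
        return Decision("snat", snat=default_snat)
    # Step 3: nothing matched; this is the "dropped on the floor" case.
    return Decision("drop")


# Constructed configuration: one host VIP plus the per-VLAN wildcard.
VIRTUALS = [
    VirtualServer("vs_web", IPNet("192.0.2.10/32"), vs_snat="192.0.2.1"),
    VirtualServer("wc_vlan8", IPNet("0.0.0.0/0"), irule=wildcard_irule),
]
SNATS = [Snat("snat_db", [IPNet("10.10.8.30/32")], "203.0.113.30")]

if __name__ == "__main__":
    for src, dst in [("10.10.8.20", "192.0.2.10"), ("10.10.8.20", "198.51.100.5"),
                     ("172.16.5.5", "198.51.100.5"), ("10.10.8.99", "198.51.100.5")]:
        print(src, "->", dst, process_connection(src, dst, VIRTUALS, SNATS))
```

The last two cases in the `__main__` block show the practical consequence of adding a wildcard virtual: once a 0.0.0.0/0 virtual exists on the VLAN it claims every flow that no more specific VIP owns, so standalone SNAT objects are never reached and all source-translation decisions have to live in the iRule (or the wildcard's own SNAT setting). Passing `VIRTUALS[:1]` (no wildcard) restores the original behaviour in which only flows covered by a SNAT object survive and everything else is dropped.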
  • Deb_Allen_18
    Historic F5 Account

    Great explanation, hoolio, thanks. Can you clarify this comment, though? "The SNAT will take effect if there isn't a SNAT setting enabled on the VIP and/or pool."

  • Hey Deb,

    I was mashing up two separate thoughts. I believe a SNAT enabled on a VIP will take precedence over a default SNAT. And if SNAT is enabled globally or on the VIP, I think it will be disabled if SNAT is disabled on the pool that is used. Does that sound about right?


    Aaron