Forum Discussion
Chris_Phillips
Mar 10, 2006 (Nimbostratus)
Thanks for the ideas. I was thinking about separate snat and non-snat rules, but when you're looking at it in a live environment it doesn't seem too acceptable to have a dns server on one side of a router, and a different one for the other side...
I think I'm going to be looking at a matchclass for the time being, containing my server side subnets. Ultimately I'll never ever know all the addresses I could be coming from, but I can check whether client and destination are both in or out of a class.
What about this:
when LB_SELECTED {
    # matchclass returns the 1-based index of the matching entry, or 0 for no match
    set ::client_match [matchclass [IP::client_addr] equals $::server_networks]
    set ::server_match [matchclass [LB::server addr] equals $::server_networks]
    # client and server on opposite sides of the box: return traffic already
    # crosses the LB, so no SNAT is needed
    if { $::client_match == 0 and $::server_match > 0 } {
        return
    } elseif { $::client_match > 0 and $::server_match == 0 } {
        return
    }
    # both on the same side: SNAT so the reply comes back through the LB
    snatpool mt_snatpool
}
Ugliness here arises from there being no XOR operator as far as I am aware, and the matchclass returning the number of the entry in the list if there is one, and not just 0 and 1 (otherwise you could add the two results and see if it still equals 1).
Unless I'm missing something fundamental, this sort of logic would need to apply to virtually EVERY single connection in order to avoid SNATs when possible, but add them automatically otherwise. Luckily my "internal" networks are finite and small, so it's still manageable, but it's still not as nice as being able to check outright if they are on the same side of the box. As I am using an internal and external vlan joined on a vlan group that seems like a shame. I can see what vlan my client is coming from, but can't for the server part of it.
Thanks
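The same-side test from the post, worked through offline as an added example (not the poster's iRule, and not runnable on a BIG-IP as-is): it mimics matchclass returning the entry index, normalises both results to booleans so the four-way if/elseif collapses into one comparison, and shows exactly when the "add the two results and check for 1" shortcut misfires. The subnets in SERVER_NETWORKS are constructed stand-ins for the poster's server_networks class.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "server_networks" class: the subnets on the
# server side of the box (assumed values, not from the original post).
SERVER_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]


def matchclass(addr, networks):
    """Mimic the iRule matchclass result: the 1-based index of the first
    network containing addr, or 0 when nothing matches."""
    ip = ip_address(addr)
    for index, net in enumerate(networks, start=1):
        if ip in ip_network(net):
            return index
    return 0


def needs_snat(client_addr, server_addr, networks=SERVER_NETWORKS):
    """SNAT is needed only when client and server sit on the same side of
    the box; on opposite sides the return path already crosses the LB.
    Comparing the two normalised booleans with == is the missing XOR
    (negated): equal -> same side -> SNAT."""
    client_in = matchclass(client_addr, networks) > 0
    server_in = matchclass(server_addr, networks) > 0
    return client_in == server_in


def sum_trick_says_different_sides(client_addr, server_addr,
                                   networks=SERVER_NETWORKS):
    """The 'add the results and test for 1' shortcut. It only works when the
    matching entry is the FIRST one in the class; a hit on entry 2 sums to 2
    and is wrongly read as 'same side'."""
    total = matchclass(client_addr, networks) + matchclass(server_addr, networks)
    return total == 1


if __name__ == "__main__":
    for client, server in [("10.10.1.5", "192.168.50.7"),      # both inside
                           ("203.0.113.9", "198.51.100.4"),    # both outside
                           ("203.0.113.9", "10.10.1.5"),       # opposite, entry 1
                           ("203.0.113.9", "192.168.50.7")]:   # opposite, entry 2
        print(client, "->", server,
              "SNAT" if needs_snat(client, server) else "no SNAT",
              "| sum trick says different sides:",
              sum_trick_says_different_sides(client, server))
```

The last case is the one that bites: client outside, server matching the second class entry, so the sum is 2 and the shortcut reports "same side" while the boolean comparison correctly skips the SNAT.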