Posted By Rick Turner on 07/15/2010 02:20 PM
Thanks for the replies. I've had a couple conversations with my SE and he has encouraged us to perform the SNAT against a virtual server rather than all traffic like I was driving. There are pros and cons for both directions. The SE is convinced that this will be more difficult than SNAT against a virtual. He did come back with an iRule that SNATs to the virtual address rather than the SNATPOOL. I like this in that it virtually eliminates my concern about running out of ephemeral ports. This tested out nicely in my lab.
when LB_SELECTED {
    # LB_SELECTED fires after a pool member has been chosen, so LB::server addr is populated here.
    set ClientIP [clientside {IP::remote_addr}]
    set VirtualIP [clientside {IP::local_addr}]
    set NodeIP [LB::server addr]
    log local0. "Client: $ClientIP VIP: $VirtualIP Node: $NodeIP"
    # Only SNAT when the client and the selected node sit in the same /24;
    # otherwise the node would answer the client directly and bypass the LB.
    if { [IP::addr $ClientIP/24 equals $NodeIP/24] } {
        log local0. "Going to SNAT Client: $ClientIP to VIP: $VirtualIP targeting Node: $NodeIP"
        # SNAT to the virtual server's own address instead of a SNAT pool.
        snat $VirtualIP
    }
}
I hear a lot of SEs recommending this method now as it makes logging easier since you'll know for which VIP your traffic is sent. I'm not sure how this helps with port exhaustion since you're now limited to a single IP and its associated 64.5K ports versus a SNAT pool to which you could add IPs whenever you want.
Also, why is he recommending using the LB_SELECTED event here rather than CLIENT_ACCEPTED?
Finally - why do we need to set variables to things that are already in memory... Why can't we simply use local_addr, server_addr, and remote_addr for our test?
Anywho - looking forward to hearing Hoolio's thoughts.
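The decision logic of the iRule above, and the ephemeral-port question raised after it, written out in Python as an added example (this is not code from the thread or from F5). It mirrors the /24 comparison and the "SNAT to the VIP only when client and node share a subnet" rule, then models SNAT port use with a toy table in which each (SNAT address, node address, node port) tuple has its own budget of ports; that per-destination model is a stated simplification, not a description of BIG-IP internals, and the client, VIP and node addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

PREFIXLEN = 24  # the /24 mask used in the iRule's IP::addr comparison


def same_subnet(addr_a: str, addr_b: str, prefixlen: int = PREFIXLEN) -> bool:
    """Equivalent of [IP::addr $a/24 equals $b/24]: true when both
    addresses fall inside the same /prefixlen network."""
    net_a = ip_network(f"{addr_a}/{prefixlen}", strict=False)
    return ip_address(addr_b) in net_a


def choose_snat(client_ip: str, vip: str, node_ip: str):
    """Mirror the iRule: SNAT to the VIP only when the client and the
    selected node share a /24, because a node on the client's own subnet
    would otherwise reply directly and the return path would bypass the LB.
    Returns the VIP when SNAT applies, or None to keep the client address."""
    if same_subnet(client_ip, node_ip):
        return vip
    return None


class SnatPortTable:
    """Toy model (assumption, not BIG-IP internals): ephemeral ports are
    tracked per (snat_ip, node_ip, node_port) tuple, so a single SNAT
    address is exhausted per destination rather than globally."""

    def __init__(self, ports_per_tuple: int = 64512):
        # 64512 = 65535 - 1023, i.e. roughly the "64.5K" ports above 1023
        self.ports_per_tuple = ports_per_tuple
        self.in_use = {}

    def allocate(self, snat_ip: str, node_ip: str, node_port: int):
        """Hand out the next free port for this tuple, or None if exhausted."""
        key = (snat_ip, node_ip, node_port)
        used = self.in_use.get(key, 0)
        if used >= self.ports_per_tuple:
            return None
        self.in_use[key] = used + 1
        return 1024 + used

    def remaining(self, snat_ip: str, node_ip: str, node_port: int) -> int:
        key = (snat_ip, node_ip, node_port)
        return self.ports_per_tuple - self.in_use.get(key, 0)


def classify_flows(flows, vip):
    """Run choose_snat over a list of (client_ip, node_ip) pairs and return
    a list of (client_ip, node_ip, source_seen_by_node) tuples."""
    result = []
    for client_ip, node_ip in flows:
        snat = choose_snat(client_ip, vip, node_ip)
        result.append((client_ip, node_ip, snat if snat else client_ip))
    return result


if __name__ == "__main__":
    VIP = "10.1.1.100"  # constructed sample VIP
    # constructed sample flows: (client, selected node)
    sample_flows = [
        ("10.1.1.50", "10.1.1.20"),   # same /24 as the node -> SNAT to VIP
        ("192.0.2.7", "10.1.1.20"),   # remote client -> no SNAT
        ("10.1.2.9", "10.1.1.20"),    # adjacent /24, still no SNAT
    ]
    for client, node, seen in classify_flows(sample_flows, VIP):
        print(f"client {client} -> node {node}: node sees source {seen}")

    table = SnatPortTable(ports_per_tuple=3)
    for _ in range(4):
        print("port:", table.allocate(VIP, "10.1.1.20", 80))
    print("remaining for port 443:", table.remaining(VIP, "10.1.1.20", 443))
```

The point the table makes is that the single-address budget is consumed per node:port that the VIP is connecting to, so the comparison with a SNAT pool is about how many concurrent connections a single back-end listener must absorb, not the total across all nodes.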