
Need help: an iRule to perform source NAT based on source IP is not working. The requirement is "not to NAT" when the source IP is from 172.21.10.0/24 and to NAT for everything else. Even when I source it from the 172.21.10.0/24 subnet, it still ends up getting source NAT'd.

Here is my iRule. Appreciate any help.

 

when LB_SELECTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}
 
I also tried a longer one as well, but still the same result.
 
when LB_SELECTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] and [IP::addr [LB::server addr] equals 172.21.30.48] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}

I also tried matchclass with a data group for the client address, but still the same result.

 

when LB_SELECTED {

    # Check if the client IP is in the nat-exempt-srvrs data group
    # (braces are required: Tcl does not treat "-" as part of a variable name)
    if { [matchclass [IP::client_addr] equals ${::nat-exempt-srvrs}] } {

        # Exempt client: DISABLE source NAT. This overrides SNAT on the VIP or a default SNAT.
        snat none
        forward
    } else {
        # All other clients: ENABLE source NAT through the SNAT pool.
        snatpool SNAT-NATPOOLX
    }
}

 


21 Answer(s):

You shouldn't be using this command in the LB_SELECTED event. Try this instead:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
    }
}

I tried it and it's still not working. The client is still getting NAT'd. I'm running version 10.2.1; don't know if this matters. Thanks.


Hi Spiderman,

Try something like this:
 
when CLIENT_ACCEPTED {
	if { !([class match [IP::client_addr] equals nat-exempt-srvrs]) } {
		snat automap
	}
}
I tried this previously, did not work. I tried this again, and still the same issue.
OK. Is there any SNAT configured for the Virtual Server itself? If so, we'll need to disable it like so:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        snat none
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
    }
}
No SNAT configured on the VS. But the Pool has SNAT enabled. I disabled the SNAT on the pool then it works for nat-exempt-servers however it breaks for the other source IPs.
So, let's add some logging to this (assuming you can test this without it impacting your system with millions of log entries);

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
     log .local0 "Not NATting for: [IP::addr [IP::client_addr]"
     snat none
     #Stop processing the iRule
     return
     } else {
      snatpool SNAT-NATPOOLX
      log .local0 "SNATting for: [IP::addr [IP::client_addr]"
   }
}

Here is the log I am getting after this.
Jan 23 13:40:32 local/tmm1 info tmm1[6860]: Rule test6 : SNAT for: 10.75.134.8%2 (It does not work)
Jan 23 13:40:51 local/tmm2 info tmm2[6861]: Rule test6 : SNAT for: 172.22.10.128%2 ( It is working but not sure why it did not encounter a match prior to this and exit)

The IP::addr variable was not working in the log statement, so I modified the iRule as below.

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        log local0. "Not NATing for: [IP::client_addr]"
        snat none
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
        log local0. "SNAT for: [IP::client_addr]"
    }
}

Hmmm. 172.22.10.128 is not in the 172.21.10.0/24 subnet range so I'm not sure why you expect that to match?

RE: "SNAT for: 10.75.134.8%2 (It does not work)" - What do you mean?

I see you are using Route Domains which may be significant. I'll look this up shortly.
Sorry copy paste error.

Jan 23 13:56:57 local/tmm1 info tmm1[6860]: Rule Checkin-test6 : SNAT for: 172.21.10.129%2


I see why it is not working for the IPs that are outside of the 172.21.10.0/24 range. It appears the LB is not NATing for any clients. Here is the tcpdump output from the real server.

TCPdump from host 10.75.134.8:
-------------------------------------
22:05:56.472602 IP 10.75.134.8.52365 > 172.21.30.48.http: S 846262350:846262350(0) win 4380
22:05:56.472649 IP 172.21.30.48.http > 10.75.134.8.52365: S 1181039792:1181039792(0) ack 846262351 win 5792

TCPdump from host 172.21.10.128 (NAT exempt IP)
22:08:24.419911 IP 172.21.10.128.49559 > 172.21.30.48.http: . ack 181 win 4560
22:08:24.420174 IP 172.21.10.128.49559 > 172.21.30.48.http: F 199:199(0) ack 181 win 4560

The LB is not NATing for all IPs. The IP address comparison statement does not appear to produce the intended result.
Sorry Spiderman but I'm completely lost. It's not clear what the issue is here?
Steve,
Sorry, I was working on the issue with F5 support. It is not working: either it NATs for all IPs or it does not NAT at all. We tried all the above iRules but did not have success. The support team was unsure why it did not work, suspecting something possibly with the use of route domains. We added a workaround as below:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0%2/24] } {
        # Exempt subnet in route domain 2: no SNAT
    } else {
        snatpool SNAT-NATPOOLX
    }
}
Is this relevant?

sol12301: The 'class' iRule command does not honor route domain specifications within an IP class
http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12301.html
Yes, thank you. It matches the solution that was derived with F5 TAC. Nitass and Steve thank you for your help. BTW, is this issue resolved in 11.x code train?
It has not yet been fixed in 11.3.0.

Bug 337222 - iRule class command does not honor route domain specifications in class
Spiderman, glad it's fixed, I never picked up on the use of RDs. Glad it's working.
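As an added example (not code from this thread or from F5), here is one CLIENT_ACCEPTED iRule that combines the pieces that worked above: the explicit "snat none" for exempt clients, the correct log syntax, and a data-group lookup instead of a hard-coded subnet. It assumes route domain 2 as in the logs, an address-type data group named nat-exempt-srvrs containing 172.21.10.0/24, and the SNAT pool SNAT-NATPOOLX; stripping the "%rd" suffix before class match is an assumed workaround for sol12301, not something verified on 10.2.1.

```tcl
# Added example, not from the thread. Assumes: route domain 2, an address
# data group "nat-exempt-srvrs" holding 172.21.10.0/24, and the SNAT pool
# SNAT-NATPOOLX. The %rd strip is an assumed workaround for sol12301.
when CLIENT_ACCEPTED {
    # With route domains, IP::client_addr returns e.g. "172.21.10.129%2".
    # The class command does not honor route domain specs, so compare the
    # bare address (everything before the "%") against the data group.
    set client [lindex [split [IP::client_addr] "%"] 0]

    if { [class match $client equals nat-exempt-srvrs] } {
        # Exempt source: explicitly override any pool- or VS-level SNAT
        snat none
        log local0. "No SNAT for [IP::client_addr]"
    } else {
        # Everything else is source-NATed through the pool
        snatpool SNAT-NATPOOLX
        log local0. "SNAT via SNAT-NATPOOLX for [IP::client_addr]"
    }
}
```

The log lines are per connection, so remove them once the exemption is confirmed working, as noted earlier in the thread.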
