SNAT with Data group list

Question

Hi,&nbsp;
&nbsp;i searched the forum already and according to the posts i found i can't find the problem with my setup.
&nbsp;We use source NAT per default in our environment. therfore we have created a pool called 'ServerSNATpool'
&nbsp;As on some of our vs the traffic volume is very high i'd like to create an irule to nat certain ip addresses to a different NAT pool, mainly for troubleshooting F5 to server issues.&nbsp;
&nbsp;Here's my config&nbsp;
&nbsp;class BAC {
&nbsp;  host 213.70.140.9%1
&nbsp;}&nbsp;
&nbsp;rule BAC_NAT {
&nbsp;   when CLIENT_ACCEPTED {
&nbsp;    if {[matchclass [IP::client_addr] equals $::BAC]}{
&nbsp;      snatpool AC_TEST
&nbsp;     } else {
&nbsp;      snatpool ServerSNATpool
&nbsp;    }
&nbsp;}
&nbsp;}&nbsp;
&nbsp;snatpool AC_TEST {
&nbsp;   members 172.24.96.239%1
&nbsp;}&nbsp;
&nbsp;snatpool ServerSNATpool {
&nbsp;   members {
&nbsp;      172.24.96.240%1
&nbsp;      172.24.96.241%1
&nbsp;      172.24.96.242%1
&nbsp;      172.24.96.243%1
&nbsp;      172.24.96.244%1
&nbsp;      172.24.96.245%1
&nbsp;      172.24.96.246%1
&nbsp;      172.24.96.247%1
&nbsp;      172.24.96.248%1
&nbsp;      172.24.96.249%1
&nbsp;      172.24.96.250%1
&nbsp;      172.24.96.251%1
&nbsp;      172.24.96.252%1
&nbsp;      172.24.96.253%1
&nbsp;      172.24.96.254%1
&nbsp;   }&nbsp;
&nbsp;i have applied the Irule but even traffic from ip's listed in the group BAC is natted to snatpool ServerSNATpool.
&nbsp;I have verified this on a test VS with a tcpdump.
&nbsp;Can i set some kind of logging to see what's going wrong?&nbsp;
&nbsp;Thank you&nbsp;

chris_miller · Answer

Is this a new iRule? The rule would only be processed for new connections so if you had a proxy/firewall behind this VS that always had traffic flowing through it, the rule might never take action. 
  
 If you want to add a log statement, you could do so right underneath your "when CLIENT_ACCEPTED" event. 
  
 Something like:

log local0. "Client address was [IP::client_addr]"

quickref_74249 · Answer

Thanks for your reply. i was busy with other things that's why i reply that late. It is an existing Irule which i modified. It was already applied to the VS. I will test the logging to see what's going on.

hooleylist · Answer

If you're on 9.4.4 or higher, you should change the matchclass line to remove the $:: prefix from the datagroup name:

if {[matchclass [IP::client_addr] equals BAC]}{

You can also add another debug line inside the if statement to see which condition in the rule is being matched:

rule BAC_NAT {
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
    if {[matchclass [IP::client_addr] equals BAC]}{
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched BAC datagroup, using AC_TEST snatpool"
      snatpool AC_TEST
     } else {
       log local0. "[IP::client_addr]:[TCP::client_port]: No BAC datagroup match, using ServerSNATpool snatpool"
      snatpool ServerSNATpool
    }
}
}

Aaron

Forum Discussion

SNAT with Data group list

3 Replies

Recent Discussions

Need help on i-rule to specific uri path

Reverse Proxy Not Behaving

F5 terminal - help to run commands - disk space full

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Related Content

Certified Kubernetes Administrator - Study Group

SNAT IP address logging

GTM synchronization group

Intermediate iRules: Data-Groups

ha group