Forum Discussion

Thomas_Knutson_
May 19, 2011

iRule to autonat for specific client subnets

We have a need to have certain client requests use the autonat function, specifically for devices on our internal subnets that call our virtual servers. For example, we want to only use autonat for 10.10.10.0/24 subnet clients, and not use it for everything else. Is this possible with an iRule, or should I be looking down another path? I have been searching the forums, but have not had much luck yet and may be using incorrect search syntax. Would anyone be able to point me in the right direction, or give me an example of some syntax to use?

Tom

4 Replies

  • I did some more looking around, and think I may have been able to adapt an iRule to accomplish this. Will the iRule below work, or is there a better way for me to write it?

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals xx.xx.xx.xx/24] } {
            snat automap
        } elseif { [IP::addr [IP::remote_addr] equals yy.yy.yy.yy/24] } {
            snat automap
        } elseif { [IP::addr [IP::remote_addr] equals zz.zz.zz.zz/24] } {
            snat automap
        } else {
            return
        }
    }


  • Hi Thomas,

    I'd add the three networks to an address datagroup and then use the class match command to see if the client IP is in the datagroup ranges:

    when CLIENT_ACCEPTED {
        # Check if the client IP is in the client_ip_class datagroup
        if { [class match [IP::client_addr] equals client_ip_class] } {
            snat automap
        }
    }

    Aaron
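
For reference, an added example (not part of the original thread) of the address data group that the iRule in the reply above looks up. It assumes BIG-IP v11 or later configuration syntax; the name client_ip_class comes from the reply and 10.10.10.0/24 from the question, and each further client network goes in as another record.

```tmsh
ltm data-group internal client_ip_class {
    records {
        10.10.10.0/24 { }
    }
    type ip
}
```

Because the data group is of type ip, the class match in the iRule succeeds for any client address that falls inside one of the listed networks.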
  • Aaron,

    Great, I will give that a try instead of my original iRule. By using a datagroup, will that cause the iRule to perform better? I'm still getting the hang of these devices, and sometimes am unsure of whether to use a datagroup or not when building rules.

    Thomas

     

  • A class lookup against a datagroup should be more efficient in most cases. See Joe's article here for complete details:

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086424/Comparing-iRule-Control-Statements.aspx

    Aaron