Forum Discussion

wixxyl_98682's avatar
wixxyl_98682
Icon for Nimbostratus rankNimbostratus
Jul 31, 2012

Do I need iRule and SNAT?

I'm very new to the F5's and the iRules especially. The iRules seem to be a very powerful tool, I'm amazed at what I'm finding out about using them. I'm a tad confused on how I can use them in my environment. What I'm trying to accomplish is to establish two external VLANs (828,829) to connect up with a Juniper firewall serving as the gateway for the subnets. The 828 will be a public facing internet connection for users connecting to a server farm located behind the firewall. The 829 VLAN is almost a mirror, but is set up for users located behind the firewall. These VLANs will terminate at the F5 and then traverse onto the 810 VLAN. The F5 should appear as a host to the other servers and they should pass traffic back to the F5 in a round robin fashion. The F5 will be doing SSL offloading to alleviate some of the pressure on the servers. My question is will the F5 require a SNAT to do that, or could I use an iRule in the place of the SNAT? I've got the F5 in place between the server farm and the firewall, all is pingable, all VLANs are working, I just can't get it to translate the traffic. I know this will be a very simple question for someone with experience to figure out, I just don't have the knowledge yet to get it working. I'm also going to post an iRule I was thinking might work, if anybody could point out what's wrong with it. I haven't implemented it yet, so I'm not sure if it will work or not.

 

 

when CLIENT_ACCEPTED {

 

 

if { [matchclass [IP::local_addr equals 172.17.139.0/24] } {

 

pool "Banner_INB_Pool"

 

} elseif { [matchclass [IP::local_addr] equals 128.192.225.0/24] } {

 

pool "Banner_SSB_Pool"

 

 

Thanks for looking over this post, I'm sort of in a bind to get this working and going, which is difficult without detailed training. If anyone has any suggestions, I would be veeeeeeeery grateful.

 

 

Thank you,

 

John

 

5 Replies

  • Hi wixxyl,

     

     

    If the Juniper Firewall is serving as the Gateway for the subnets then you will need to SNAT. By default, any subnet NOT owned by the BIG-IP will require you to SNAT. This is so that the traffic will return to the BIG-IP and be re-routed back to the originator.

     

     

    Without SNAT you would be looking at a broken route.

     

     

    You should be able to enable SNAT on the Virtual Server and not need it in an iRule.

     

     

    You can Enable SNAT in an iRule but this is mostly used when a portion of your traffic is going to a different network (there are other scenario's, but I will stick to the topic. I am sure you will discover the other situations in the future).

     

     

    Hope this helps.
  • So if I'm setting up one virtual server IP address to service two pools, should I set up different route domains so that I could specify the source port and address of the internal vs the external clients, or is this unnecessary? I'd like to be able to say: if the client is coming from anywhere except this internal subnet using https, translate this to your own ip and send it to the server listening on this port. I haven't found a way to specify what source port the SNAT should work on for translation, unless I'm just missing it somewhere?
  • i dont see how ports come into play here. is this an addition to the first post? you could do something with an iRule and send in certain cases to a specific pool. if you enable SNAT AutoMap on the virtual server you could turn it off in the iRule when not needed.

     

     

    iRule snat: https://devcentral.f5.com/wiki/irules.snat.ashx

     

     

    your iRule has some issues, specially on the brackets. also matchclass is used for comparison against a datagroup, which you dont seem to use. i would repost the full iRule in the iRule forum and ask for feedback there.

     

     

  • Really the ports only come into play on the SNAT redirection. I did neglect to mention that, I apologize. There should be separate web pages for external clients versus internal clients. I think I can simplify this to have it work as follows. Clients connecting from every subnet except our internal IP ranges, should be sent to this pool, SNAT to the virtual server and change the port to this. so it would look like the iRule below I think (this is rather difficult to explain outside of my own head...), but here goes. Thank you for the link too, this is where I got this iRule from, it looks like what I've been looking for, assuming my syntax is correct. The other thing I could look at is using a table lookup for all of my internal IP's (I'm not sure how many ranges we have here, I've only been here a month...) but that is another thing to try later on, I'm mainly trying to get the first part working now.

     

     

    when CLIENT_ACCEPTED {

     

    if { [IP::addr [IP::local_addr] equals 172.17.139.0/24] and [TCP::local_port] == 443] }{

     

    snat 172.17.140.100 9099

     

    else

     

    snat 172.17.140.100 9030

     

    }

     

    }
  • SNAT means you set your source address, it doesn't affect a destination port which it seems you are trying to do.

     

     

    to point to different destination ports just create two pools with the servers on different ports.