Forum Discussion

Jason_Roppolo_3's avatar
Jason_Roppolo_3
Historic F5 Account
May 15, 2006

iRules and SNAT

All,

 

 

I was wondering if I could get some assistance with an issue:

 

 

I have a rather large customer that is trying to replace several Alteon Switches, but we are having one issue. They have several servers that are multihomed with IP's on the same subnet as the Big-IP, but the resource needed is on another NIC/Subnet on that server. When packets arrive they are routed to the other NIC (Same Subnet as the BIG-IP) on the server creating an asynchronous route. Easy enough right? Add a host route? Well that breaks about 10 other apps so what I am looking for is an iRule that says when a connection is made outbound through a forwarding virtual from one server to another then use a particular SNAT. Any help on this would be greatly appreciated!!!
application delivery
dev
devops
iRules

4 Replies

Sort By
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    May 15, 2006
    boolean logic :

     

     

    if { (condition 1) && (condition 2) } {

     

    statement 1

     

    }

     

     

    or nested if statement

     

     

    if { (condition 1) } {

     

    if { (condition 2) } {

     

    statement 1

     

    }

     

    }

     

  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    May 15, 2006
    Local address is a given based on the virtual to which the rule is applied.

    This syntax should work:

    when CLIENT_ACCEPTED {
  if {[IP::addr [IP::remote_addr] equals x.x.x.x/24] ) {
    snat y.y.y.y
  }
}
    This version allows a comparison to a subnet for flexibility. (The appropriate syntax corrections have also been made on the "snat" & "snatpool" wiki pages.)

    But actually, you shouldn't really need a rule-- you can enable a selective SNATpool on the forwarding virtual to SNAT only the backend server address range:

    Create a SNATpool:

    "Translation": SNAT pool

    "Origin": Address list. Add host or network address list that covers all the backend hosts that may make requests that need SNATing.

    "VLAN Traffic": Enable only on the VLAN(s) hosting the origin addresses. (optional -- gives better control of SNAT)

    Apply the SNAT pool created above to your wildcard VS, and it will only SNAT the listed origin addresses, letting all other traffic pass through unSNAT'd.

    HTH

    /deb
  • Jason_Roppolo_3's avatar
    Jason_Roppolo_3
    Historic F5 Account
    May 15, 2006
    Deb,

     

     

    Understanding that the local address is a given based on the Virtual to which the rule is applied I only need to SNAT in case a connection is made outbound from one particular host to another specific host. Let's say that 10.0.0.50 connects outbound to 172.16.30.113 I would need to snat the 10.0.0.50 address to 192.168.1.50. Unless that criteria is met I do not need to SNAT at all.

     

     

    Please let me know if that clairifies.

     

     

    Thanks, Jason.

     

  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    May 15, 2006
    Interesting twist -- I've never had to SNAT on specific destination IPs through a forwarding virtual server (no defined local address, and the destination addresses are not local objects either.)

    To match only specific source IPs, you can create the SNATpool with the same origin filter as above.

    To limit the SNAT to only specific destination IPs, I'm thinking the rule would be something like:

    when CLIENT_ACCEPTED {
  log local0. "Local address is [IP::local_addr]"
  if {[IP::addr [IP::local_addr] equals x.x.x.0/24] ) {
    snatpool mySNATpool
  }
}
    (I'm not 100% certain which IP command would pick up the destination address passing through a forwarding virtual. I'm guessing that it must be "local_addr", but I don't have a way to test a forwarding virtual, so I added a log line to help figure that out.)

    You can use a class of type network to list the destination addresses which are SNAT candidates:

    class BounceBackSNAT {
  "x.x.x.a"
  "z.z.x.0 netmask 255.255.255.0"
}
when CLIENT_ACCEPTED {
  if {[IP::addr [IP::local_addr] equals $::BounceBackSNAT] ) {
    snatpool mySNATpool
  }
}

    Does that sound more like what you were going for?

    /deb