Forum Discussion

Mike_Graston_10
Nimbostratus
Dec 01, 2006

Million Dollar SNAT question

Ok, here it is. How do I get pool members to be able to SNAT their address only to the URL context requests they are part of? An explanation of this is I have about 10 web sites, each in the same URL structure, let's say xxx.mydomain.com. These individual web servers make calls to each other's VIPs, and all the web servers are on the same subnet, 10.10.10.0/24. The web server in app1 makes a call to the VIP address in app2, which in turn will load balance them to servers on the same subnet as the source address of the server in app1. Once it gets load balanced to one of these servers in app2, sitting on the same subnet as the source IP of the request that is coming from app1, it would try to communicate directly to the server and thus cause an asymmetric route or a loop, as it were. In my QA I set up a SNAT pool on the VS to accomplish this and it works; however, there is always a however: this causes problems, as now everyone in the logs appears as a single SNAT address. So I would like to SNAT each individual server within each of the ten applications to its own SNAT address, so that the logs would show all Internet traffic source IPs and the SNAT addresses, which I can send them a matrix of which server they are.

6 Replies

  • "So I would like to SNAT each individual server within each of the ten applications to its own SNAT address, so that the logs would show all Internet traffic source IPs and the SNAT addresses, which I can send them a matrix of which server they are."

    You could define a SNAT for each server, so that requests from 10.x.y.z are SNAT'd to 10.a.y.z without a rule. Or you could configure BIG-IP to insert the original client IP address in the X-Forwarded-For header and have the web servers parse and log this custom header. Check this post for details.

    Aaron
  • Aaron,

    Thanks for the reply. I'm not sure if I stated my issue very well or am just too dumb to follow your example. I really just want to SNAT the web servers' address when making a call to my internal web sites, not from anywhere else. I was thinking of using the following iRule for that:

    when CLIENT_ACCEPTED {
       # checks to see if client_addr matches any entry in the class
       if { [matchclass [IP::client_addr] equals $::Hosts] } {
          # checks to see if the class contains the server_port requested
          if { [matchclass [TCP::server_port] equals $::Ports] } {
             # if the above are correct, SNAT to this address
             snat 192.168.100.12
          } else {
             # if all don't match, just forward without address rewrite
             forward
          }
       }
    }

    I would also need to set up a couple of data group lists, but I don't see how to do that and can't find any docs on it. I don't see how the above iRule uses the groups to check source IP and port.

    # address class referenced by the rule as $::Hosts
    class Hosts {
       10.0.0.1
       10.0.0.2
       10.0.0.23
    }

    # port class referenced by the rule as $::Ports
    class Ports {
       443
    }
  • You can create datagroups in the GUI under Local Traffic >> iRules. Click on the datagroups tab to the right of the iRules tab, and create a datagroup of IP addresses.

    If you do use the rule:

    You probably don't want to use the forward command, unless you are using an IP forwarding VIP. If you just remove the "else { forward }" portion of the rule, the request will be processed according to the VIP configuration and be directed to the pool.

    As far as the SNAT option:

    What I was trying to suggest is that you could use SNATs to create a mapping of source IP addresses to translation IP addresses for each node. If a request from one of the nodes is received, the BIG-IP will translate the source IP address from the node IP to the translation IP defined in the SNAT.

    Either the rule or the configured SNAT option should work with the same result.

    Aaron

  • There's also another forum thread where you can get more ideas:

    Outbound routing based upon source IP

    http://devcentral.f5.com/default.aspx/Default.aspx?tabid=28&forumid=5&postid=7784&view=topic
  • Thanks, I think I owe you lunch at this point. The forward command: I thought I read that if it doesn't SNAT the address it would just forward the request with the real IP??? Without the forward command, what happens to the traffic if it's not in the class with the correct port? Anyway, I think I have a solution: I have 2 subnets on the web server side, so I think I can isolate the correct web sites so no SNAT is needed. Of course, at the cutover I will probably need to add this rule somewhere, as the developers don't know their apps.
  • xf6svrb, the example rule you posted looks like it's designed to be applied to an IP forwarding virtual server configured for any service. I base this on the fact that it's checking the destination port and using the forward command.

    As it sounds like you're just trying to load balance port 80 traffic, you shouldn't need to use the complete example with the class of ports and the forwarding command. Forwarding is used to send the traffic out from the BIG-IP without being load balanced.

    Here is a simplified example that should work for you:

    when CLIENT_ACCEPTED {
       # SNAT requests if client_addr is defined in the class
       if { [matchclass [IP::client_addr] equals $::Hosts] } {
          snat 192.168.100.12
       }
    }

    Then define the IP addresses you want to SNAT in a class (datagroup).

    Else, if you want a more eloquent solution, you can try this:

    when LB_SELECTED {
       # compare the client's /24 with the selected node's /24
       if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
          # same subnet: SNAT so the node replies back through the BIG-IP
          snat 192.168.100.12
       }
    }

    After a node has been selected, the rule compares the source and destination IP addresses. If they're in the same subnet, it SNATs the source IP address so the node responds back to the BIG-IP. This saves some administrative effort in that you don't need to define the nodes.

    Aaron

    Edit:

    Sorry, I didn't answer your question: 'What happens if you don't use forward?'

    If you don't explicitly state how the request should be handled in the rule (using a command like pool, node, redirect, forward, reject or drop), the virtual server's pool configuration is used.
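As an added example, not code from this thread or from F5: a small Python model of the two options Aaron describes, the LB_SELECTED same-/24 check and the per-node 10.x.y.z to 10.a.y.z SNAT matrix, so the hairpin condition and the log-attribution outcome the original poster cares about can be checked offline. The node addresses and the 10.20.0.0/16 translation subnet are constructed sample values.

```python
# Added example: models BIG-IP SNAT decisions for the hairpin case discussed
# in the thread. Addresses are constructed samples, not from any real config.
import ipaddress


def same_subnet(client_addr: str, server_addr: str, prefix: int = 24) -> bool:
    """The LB_SELECTED check: is the selected node inside the client's /24?
    That is the condition under which the node would answer the client
    directly and bypass the BIG-IP (the asymmetric route in the question)."""
    client_net = ipaddress.ip_network(f"{client_addr}/{prefix}", strict=False)
    return ipaddress.ip_address(server_addr) in client_net


def build_snat_matrix(nodes, translation_net: str) -> dict:
    """Per-node SNAT map in the 10.x.y.z -> 10.a.y.z style Aaron suggests:
    each node keeps its host bits inside the translation subnet, so every
    server still has a distinct source address in the peer's logs.
    The translation subnet is assumed to route back to the BIG-IP."""
    tnet = ipaddress.ip_network(translation_net)
    matrix = {}
    for node in nodes:
        host_bits = int(ipaddress.ip_address(node)) & int(tnet.hostmask)
        snat_addr = ipaddress.ip_address(int(tnet.network_address) | host_bits)
        matrix[node] = str(snat_addr)
    return matrix


def source_seen_by_node(client_addr: str, server_addr: str, matrix: dict) -> str:
    """Source address the selected node will log: the client's own SNAT
    address when the request hairpins inside its subnet, otherwise the
    unchanged client address (Internet clients keep their real IP)."""
    if same_subnet(client_addr, server_addr) and client_addr in matrix:
        return matrix[client_addr]
    return client_addr


if __name__ == "__main__":
    # constructed app1/app2 nodes sharing one /24, as in the question
    nodes = ["10.10.10.1", "10.10.10.2", "10.10.10.23"]
    matrix = build_snat_matrix(nodes, "10.20.0.0/16")
    for node, snat_addr in matrix.items():
        print(f"{node} -> SNAT {snat_addr}")
    print(source_seen_by_node("10.10.10.1", "10.10.10.2", matrix))   # hairpin
    print(source_seen_by_node("203.0.113.5", "10.10.10.2", matrix))  # Internet
```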