Forum Discussion

Shay_Ben-David1
Feb 19, 2007

access VIP from internal VLAN on the bigip with SNAT

Hi, I have a BIG-IP in a routed topology with two VLAN interfaces (external to the internet, and internal to the LAN). The only way to go from my internal VLAN to the VIPs is with SNAT on the VIP with an Auto Map configuration, or some other way of SNAT on the VIP. The problem is that I need the routed topology to stay as is and not perform a reverse proxy for all addresses, only for the ones that come from my internal VLAN. Is there a way to use an iRule to SNAT only addresses coming from my internal VLAN to the VIP and use some Auto Map in the iRule? I think it should be:

when CLIENT_ACCEPTED

some if to help determine the source IP to be SNAT'd to the specific VIPs

and snat to Auto Map or something, and maybe something else.

If someone has some experience with this, we need help.

Thanks

3 Replies

  • You could use a past example to apply a SNAT only when the client IP address is on the same /24 subnet as the server.

    when LB_SELECTED {
      if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        snat automap
      }
    }

    IP::client_addr is resolved to the client IP address. The /24 gets just the first three octets of the IP address and does a comparison against the network of the server address. If they match, then the request is SNAT'd.

    Aaron
  • Since not all LANs are /24s, and common iRules among partitions that need similar functionality are a nice thing, is there any reason you can think of that this code shouldn't become:

    when LB_SELECTED {
      if { [IP::hops] == 0 } {
        snat automap
      }
    }

    Thus, when on the same subnet (zero hops away), snat it.

    (Assumes no additional routers on the client/server subnet)

    -David
  • That's a novel idea. It seems to work well if the client, VIP and pool are all on the same subnet with no routers. However, I don't think it would work if the client and pool member are on the same subnet, but the VIP isn't.

    Aaron
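The original question asks for a SNAT keyed on where the client comes from (the internal VLAN), while the two replies key on the server's /24 or on hop count. The following iRule is an added example, not code from the thread or from F5: it applies SNAT automap only when the client address falls inside one of a list of internal subnets. The subnets 10.1.0.0/16 and 192.168.10.0/24 are constructed placeholders, and the rule is assumed to be attached only to the VIPs that internal clients need to reach. It reuses the same IP::addr comparison form as Aaron's snippet, with the prefix length applied to both sides.

```tcl
when CLIENT_ACCEPTED {
    # Constructed example: the subnets that make up the internal VLAN.
    # Replace these with the real internal networks (assumption, not from the thread).
    set internal_nets [list "10.1.0.0/16" "192.168.10.0/24"]

    set do_snat 0
    foreach net $internal_nets {
        # Apply the subnet's own prefix length to the client address so both
        # sides of the comparison are masked the same way, as in the /24 example.
        set bits [lindex [split $net "/"] 1]
        if { [IP::addr "[IP::client_addr]/$bits" equals $net] } {
            set do_snat 1
            break
        }
    }

    if { $do_snat } {
        # Internal client: translate the source address so the server's reply
        # returns through the BIG-IP instead of going straight back across the LAN.
        snat automap
        log local0. "SNAT automap applied for internal client [IP::client_addr]"
    }
    # Clients from anywhere else keep their real source address, so the
    # routed topology stays unchanged for them.
}
```

Because the decision depends only on the client address, it does not require the VIP or the pool members to share the client's subnet, which is the case Aaron raises in the last reply. Two things to check before relying on it: SNAT automap needs a self IP (a floating one in an HA pair) on the VLAN through which the pool members are reached, and the log line, useful for confirming the match in /var/log/ltm while testing, should be removed once the rule is verified so it does not write one entry per internal connection.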