Forum Discussion

Kirk_Bauer_1018
Nimbostratus
Aug 14, 2007

SNAT command and ports

I don't have time at the moment to set up a full test environment for this so I'm hoping for a little help. I have verified that for UDP traffic using the command "snat " will preserve the original source port, but I have only tested that for one source IP. If source IP 10.1.1.10 sends a UDP packet with a source port of 1234 and is SNATed to 172.16.1.2, what happens when source IP 10.1.1.11 sends a UDP packet with a source port of 1234 and the "snat" command also applies to that? Will the port be changed?
If so, is there any way I can force the port to remain unchanged? Can I do:
snat 172.16.1.2 [UDP::client_port]
and the source port will never be changed?

3 Replies

  • Deb_Allen_18
    Historic F5 Account
    The tuple of {sourceIP sourcePort destIP destPort} must be unique, so for traffic bound for the same pool member at least, the port would definitely be changed.
    AFAIK SNAT uses the original source port unless it's already in use; otherwise (regardless of uniqueness on the pool member side of the tuple) it chooses another port.
    There's really no way to affect the default SNAT port selection behaviour.
    HTH
    /deb
  • I may need to think out-of-the-box on this one. I don't need BIG-IP to remember any state information at all... I just need to change the source IP. Can I just set that directly on the way through the BIG-IP without using "snat" and without affecting the source port? I looked at the IP::* commands but don't see anything obvious.
  • Could you try a fastl4 profile with loose init/close enabled so TMM doesn't add the connection to the connection table? I think you could then SNAT using the client port with less of a chance of having the source port in use already.
    Aaron
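To make the tuple-uniqueness point from Deb's reply concrete, here is a small added simulation (not code from the thread, not F5's implementation, and not an iRule). It models a SNAT table keyed by the post-translation {SNAT IP, port, dest IP, dest port} tuple: the client's source port is kept whenever that tuple is still free, and a different port is chosen only on a collision. The IP addresses, the destination 192.0.2.50:53, and the fallback port range starting at 1024 are constructed values for the example.

```python
"""Toy SNAT port allocator illustrating 4-tuple uniqueness after translation.

Assumptions (constructed for this example, not taken from BIG-IP internals):
- all flows are UDP and are translated to a single SNAT address;
- on a collision the lowest free port in 1024..65535 is used.
"""
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

FALLBACK_PORT_START = 1024  # assumed fallback range for the toy model
FALLBACK_PORT_END = 65535


class ToySnatTable:
    """Translation table keyed by the post-SNAT 4-tuple."""

    def __init__(self, snat_ip: str) -> None:
        self.snat_ip = snat_ip
        self.translated: Dict[Flow, Flow] = {}  # post-SNAT tuple -> client flow
        self.by_client: Dict[Flow, Flow] = {}   # client flow -> post-SNAT tuple

    def translate(self, flow: Flow) -> Flow:
        """Return the post-SNAT tuple for a client flow, allocating if needed."""
        if flow in self.by_client:           # existing flow: reuse its mapping
            return self.by_client[flow]

        src_ip, src_port, dst_ip, dst_port = flow
        candidate = (self.snat_ip, src_port, dst_ip, dst_port)
        if candidate not in self.translated:  # original source port is free: keep it
            return self._record(flow, candidate)

        # Collision: another client already uses this port towards the same
        # destination, so the 4-tuple would not be unique. Pick a free port.
        for port in range(FALLBACK_PORT_START, FALLBACK_PORT_END + 1):
            candidate = (self.snat_ip, port, dst_ip, dst_port)
            if candidate not in self.translated:
                return self._record(flow, candidate)
        raise RuntimeError("no free SNAT port towards %s:%d" % (dst_ip, dst_port))

    def _record(self, flow: Flow, translated: Flow) -> Flow:
        self.translated[translated] = flow
        self.by_client[flow] = translated
        return translated


def demo() -> Dict[str, Flow]:
    """Replay the scenario from the question against the toy table."""
    table = ToySnatTable("172.16.1.2")
    return {
        # first client, port 1234, towards the constructed server 192.0.2.50:53
        "first": table.translate(("10.1.1.10", 1234, "192.0.2.50", 53)),
        # second client, same port, same destination: tuple would clash
        "clash": table.translate(("10.1.1.11", 1234, "192.0.2.50", 53)),
        # second client, same port, different destination: no clash
        "other_dst": table.translate(("10.1.1.11", 1234, "192.0.2.51", 53)),
    }


if __name__ == "__main__":
    for name, tup in demo().items():
        print("%-9s -> %s:%d => %s:%d" % (name, tup[0], tup[1], tup[2], tup[3]))
```

Running it shows the first client keeping port 1234, the second client being moved to a different port only when it targets the same destination as the first, and the same second client keeping 1234 towards a different destination, which is the "for traffic bound for the same pool member at least" qualification in the reply above.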