Forum Discussion

Nicola_DT
Sep 22, 2008

Irule and snat pool

Hi,

I am getting stressed out...

I have to manage a thing that sounds like:

Some traffic from client A and B that are in vlan Internal have to cross the Bigip and reach servers X, Y and Z that are in Vlan 2 external.

Traffic does not need to be balanced, just to cross the box.

Nothing easier, just use the forwarding ip virtual pool!

Good

Fact is that I also need that:

-traffic from client A and B going to any Server and communicating with tcp port 20000 must be assigned a snat ip address that I have defined in snat_pool_1

-traffic from client A and B going to any Server and communicating with tcp port 21000 must be assigned a snat ip address that I have defined in snat_pool_2

I am trying to manage it with irules (with a simple forwarding virtual pool I cannot filter by source address), and I wrote a rule that sounds like this:

    when CLIENT_ACCEPTED {
    if {
    {[IP::addr [IP::client_addr] equals "10.130.167.23 mask 255.255.255.255"]
    and [if TCP::local_port == 28080]
    }
    or
    {
    [IP::addr [IP::client_addr] equals "10.130.167.24 mask 255.255.255.255"]
    and [if TCP::local_port == 28080]
    }
    }
    {use snatpool snat_pool_1}
    }

And same rule for snat pool 2.

But it gives me several errors...

Can anyone give me a hand on this?

Thanx everybody.

Nicola.

2 Replies

  • Hi Nicola,

    Here is a version which checks if the requested port is 20000 and the client IP is one of the two listed, or if the requested port is 21000:

      
      when CLIENT_ACCEPTED {  
        
         log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection to [IP::local_addr]:[TCP::local_port]"  
         if {[TCP::local_port] == 20000 and ([IP::addr [IP::client_addr] equals 10.130.167.23] or [IP::addr [IP::client_addr] equals 10.130.167.24])}{  
        
            log local0. "[IP::client_addr]:[TCP::client_port]: Matched first check, using snat_pool_1"  
            snatpool snat_pool_1  
        
         } elseif {[TCP::local_port] == 21000 and ([IP::addr [IP::client_addr] equals 10.130.167.23] or [IP::addr [IP::client_addr] equals 10.130.167.24])}{  
        
            log local0. "[IP::client_addr]:[TCP::client_port]: Matched second check, using snat_pool_2"  
            snatpool snat_pool_2  
         }  
      }  
      

    When you're done testing, you can comment out the log statements.

    Aaron
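As an added example (not Nicola's or Aaron's code), the same policy with the client addresses moved out of the rule into an address data group, so a new client is added to the data group instead of editing the iRule. It assumes an address-type data group named snat_clients (hypothetical name) containing 10.130.167.23 and 10.130.167.24, the two SNAT pools from the thread, and BIG-IP v10 or later for the `class match` command (on v9 the equivalent is `matchclass`).

```tcl
# Added example: SNAT selection by source address data group and destination port.
# Assumptions: address data group "snat_clients" (hypothetical name) lists the
# permitted client IPs; snat_pool_1 and snat_pool_2 exist as in the thread.
when CLIENT_ACCEPTED {
    # Clients not listed in the data group are forwarded with their source
    # address unchanged; only listed clients can ever be SNATed.
    if { ![class match [IP::client_addr] equals snat_clients] } {
        return
    }
    switch [TCP::local_port] {
        20000 {
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] using snat_pool_1"
            snatpool snat_pool_1
        }
        21000 {
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] using snat_pool_2"
            snatpool snat_pool_2
        }
        default {
            # Listed client on any other port: no SNAT, plain forwarding.
            log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] no SNAT applied"
        }
    }
}
```

The log lines make it easy to confirm from /var/log/ltm which pool a given connection was mapped to before they are commented out.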