wildcard VS and SNAT

Question

Hey! 
I'm trying to write a SNAT irule for a wildcard virtual server(Forwarding IP), so if it's RFC1918 address don't do snat and when it's any other then snat outside interface float ip. The F5 "snat automap" doesn't work really well - so it sometimes works, sometimes doesn't. 
This is what i've come up to this point. Is this kinda thing even possible what I'm trying to achieve?
when CLIENT_ACCEPTED { 
  switch [IP::remote_addr] { 
    10.0.0.0/8 {
        snat none } 
    172.16.0.0/12 { 
        snat none } 
    192.168.0.0/16 {
        snat none } 
    default {
        snat 8.8.8.8  }
  } 
}

Thanks!

crodriguez · Answer

Certainly the solution you are trying to achieve is possible. Your current approach needs some tweaking though in order to get it to work. You cannot make a comparison of a raw IP address with a network address range without incorporating the IP::addr command. For example [IP::addr [IP::client_addr] equals 10.0.0.0/8] checks to see if the client's IP address is in the 10.0.0.0/8 network. It will probably be easier to do this check from an IF statement rather than a SWITCH. Something like this perhaps:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] ||
         [IP::addr [IP::client_addr] equals 172.16.0.0/12] ||
         [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
        snat none
    } else {
        snat 8.8.8.8
    }
}

Forum Discussion

wildcard VS and SNAT

1 Reply

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

Wildcard Parameter signature attack

SNAT IP address logging

Wildcard in SNAT

SNAT pool persistence

F5 SMTP Fast Template - SNAT Not working as expected