Forum Discussion

Josh_Hildebran1
Jul 13, 2006

Simple SNAT for external SMTP nodes via a VIP

I think I had this working at some point, but now I'm not entirely sure it ever did.

I'm trying to make it so that external servers can use a VIP to hit a pool of external mail servers. When I say "external" I mean on the outside of the F5. I have a separate "internal", non-snatting VIP for internal servers to hit the SMTP server pool.

This external SMTP vip needs to SNAT so that the packets come back to the F5 properly.

Here is what I have so far:


virtual smtp_snat_external {
   destination 172.20.150.25:smtp
   ip protocol tcp
   pool smtp_testpool
   rule SMTP-Ext-SNAT
   vlans external enable
}
rule SMTP-Ext-SNAT {
   when CLIENT_ACCEPTED {
      snat 172.20.150.201
   }
}
pool smtp_testpool {
   lb method member predictive
   min active members 1
   monitor all POST
   member 192.168.168.76:smtp
   member 192.168.170.50:smtp priority 2
}
monitor POST {
   defaults from smtp
   interval 30
   timeout 61
   debug "no"
   domain "bigip-monitor.org"
}

When I'm on an external server, and telnet to the VIP at 172.20.150.25 port 25, I get a connection, but no SMTP banner. On the mail server, when I run a netstat, I see this connection:

tcp 0 0 192.168.170.50:25 172.20.150.201:1272 SYN_RECV

Which means the SNAT is working, but it seems to just hang there in SYN_RECV mode. It never gets to ESTABLISHED.

What am I missing? I'm assuming it's an iRule problem.

Thanks so much!

3 Replies

  • As the ltm is not a firewall by nature, it doesn't treat vlans as outside/inside from a policy standpoint. That said, if you have a connection hitting a vip, and a pool of assigned servers that are *outside*, you'll need to snat to get the traffic to route back through the ltm. You can snat automap, or you can build a snatpool with 1 or more addresses in it. You shouldn't need a rule for this.

    BTW, you can snat on the same address as your virtual to conserve IP space if this is a concern.

    pool smtp_testpool {
       lb method member predictive
       min active members 1
       monitor all POST
       member 192.168.168.76:smtp
       member 192.168.170.50:smtp priority 2
    }
    snatpool smtp_snatpool {
       member 172.20.150.25
    }
    virtual smtp_snat_external {
       destination 172.20.150.25:smtp
       ip protocol tcp
       pool smtp_testpool
       snatpool smtp_snatpool
       vlans external enable
    }

    You can email me offline if you pursue a non-iRules approach, as this forum is not for configuration issues.
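The point in this reply, that a pool on the client's side of the LTM only works when the member's SYN-ACK is addressed to something the LTM owns, traced as an added Python model (this is not F5 code or the poster's configuration; the VIP and pool member come from the thread, the client address and the LTM self IP are constructed):

```python
"""Trace the SYN / SYN-ACK exchange through a VIP whose pool member sits
on the same side of the LTM as the client, with and without SNAT."""
from typing import List, Tuple

# Constructed topology. VIP and member are from the thread; the client
# and the LTM self IP are made up for the example.
VIP = "172.20.150.25"
LTM_SELF_IP = "172.20.150.2"      # constructed; what SNAT automap would use
SNATPOOL = ["172.20.150.25"]      # the reply's tip: reuse the VIP address
CLIENT = "172.20.150.100"         # constructed external SMTP client
MEMBER = "192.168.170.50"         # pool member from the thread

Hop = Tuple[str, str, str]        # (segment, src, dst)


def ltm_owned(addr: str) -> bool:
    """Addresses the LTM answers for, so a reply to them returns via the LTM."""
    return addr in {VIP, LTM_SELF_IP, *SNATPOOL}


def handshake(snat: str) -> Tuple[List[Hop], str]:
    """snat is 'none', 'automap' or 'snatpool'. Returns the hops of the
    SYN / SYN-ACK exchange and the state the client ends up in."""
    hops: List[Hop] = [("client->ltm", CLIENT, VIP)]
    # The LTM always rewrites the destination to the chosen member; the
    # source is rewritten only when SNAT is configured.
    src_to_member = {"none": CLIENT, "automap": LTM_SELF_IP,
                     "snatpool": SNATPOOL[0]}[snat]
    hops.append(("ltm->member", src_to_member, MEMBER))
    # The member answers the source address it saw. The thread's premise
    # is that its route to the client does not pass through the LTM, so
    # only a reply addressed to an LTM-owned address comes back to it.
    if ltm_owned(src_to_member):
        hops.append(("member->ltm", MEMBER, src_to_member))
        hops.append(("ltm->client", VIP, CLIENT))   # both rewrites reversed
        return hops, "ESTABLISHED"
    hops.append(("member->client", MEMBER, CLIENT))
    # The client connected to the VIP, not to MEMBER, so a SYN-ACK from
    # MEMBER matches no connection and is dropped or reset.
    return hops, "NO_CONNECTION"


if __name__ == "__main__":
    for mode in ("none", "automap", "snatpool"):
        hops, state = handshake(mode)
        print(f"{mode:9s} -> {state}")
        for seg, src, dst in hops:
            print(f"    {seg:14s} {src} -> {dst}")
```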
  • Hi,

    I don't think you need a rule or a SNAT for this. By default, the VIP is going to respond back to the client from the virtual IP address. If you need the BIG-IP to replace the source address on connections from the BIG-IP to the node, then you could use SNAT automap.

    The BIG-IP won't send any type of SMTP message back to the client. The node in the SMTP pool would need to do this.

    I don't think this is an iRule issue. If you think so, please post more info on why. If this is a VIP configuration issue, please contact support.

    Thanks,

    Aaron
  • Thanks citizen_elah. I was apparently misdirected by your engineer that came down to do the install a while back. He was the one that said to use the iRule approach. I will try out your method and go from there.

    Thanks so much!