Forum Discussion
Shay_Ben-David1
Nimbostratus
Nimbostratusaccess VIP from internal VLAN on the bigip with SNAT
Hi, i have bigip in a routed topology with two vlan interfaces (external to internet, and internal to LAN), only way to go from my internal vlan to the VIPs is with SNAT on the VIP with Auto Map configuration or some other way of SNAT on the VIP. the problem is i need the routed topology to stay as is and not perform a reverse proxy to all address, only the one comes from my internal vlan, is there a way to use irule to snat only address comes from my internal vlan to the VIP and use some Auto Map on the irule, i think it should be:
when CLIENT_ACCEPTED
some if to help detarmine the source ip to be SNAT to the spesific VIPs
and snat to Auto Map or something, and maybee some else,
if someone have some experiance with this, we need help
thanks
hoolioCirrostratus
You could use a past example to apply a SNAT only when the client IP address is on the same /24 subnet as the server.Click herewhen LB_SELECTED { if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} { snat automap } }
IP::client_addr is resolved to the client IP address. The /24 gets just the first three octets of the IP address and does a comparison against the network of the server address. If they match, then the request is SNAT'd.
Aaron
David_23683Since not all LANs are /24's and common iRules among partitions that need similar functionality is a nice thing, is there any reason you can think of this code shouldn't become:
when LB_SELECTED {
if { [IP::hops] == 0} {
snat automap
}
}
Thus, when on the same subnet (zero hops away), snat it.
(Assumes no additional routers on the client/server subnet)
-David- hoolioThat's a novel idea. It seems to work well if the client, VIP and pool are all on the same subnet with no routers. However, I don't think it would work if the client and pool member are on the same subnet, but the VIP isn't.
Aaron