Forum Discussion
Logan_Ramirez_5 (Nimbostratus), Dec 08, 2005
conditional SNAT
We have a relatively simple environment: two data centers, one web server in each, one bigip in each. Basic pool in each office for web servers consists of (a) local web server and (b) other data cen...
G__Wesley_Rober (Historic F5 Account), Dec 13, 2005
Hi,
I spent a bit of time thrashing about trying to apply this iRule to a forwarding virtual, so I thought it might be worth pointing out some subtle differences in events based on the type of virtual server. The LB_SELECTED event works fine if you need to test a node address before the connection to the node is established, as is the case with a standard virtual server, or other types that actually load balance such as Performance L4. However, this event DOES NOT FIRE on virtual servers of type forwarding (ip).
Since with a forwarding virtual the destination address doesn't change, you can use the CLIENT_ACCEPTED event and [IP::local_addr]. For those used to v4.5.x and "forwarding pools", which allowed you to disable SNAT/NAT, the following iRule will help in the transition to v9.
Given a SNAT that translates everything internal-->external, but you want to disable SNAT to certain destination networks:
    # Destination networks that must NOT be source-translated
    class NoNATNets {
        network 10.30.1.0 mask 255.255.255.0
        network 10.30.100.0 mask 255.255.255.0
    }

    # Default gateways; port "any" because this is a wildcard/forwarding use
    pool gateway {
        member 10.30.1.254:any
        member 10.30.1.253:any
    }

    # Automap SNAT for everything arriving on the internal VLAN
    snat SNATInternal {
        automap
        origin 0.0.0.0 mask 0.0.0.0
        vlan internal enable
    }

    # CLIENT_ACCEPTED is used because LB_SELECTED never fires on a
    # forwarding virtual; IP::local_addr is the packet's destination here
    rule DisableSnatWithClass {
        when CLIENT_ACCEPTED {
            if {[matchclass [IP::local_addr] eq $::NoNATNets]} {
                log "Matching NoNAT List, disabling SNAT: [IP::local_addr]"
                snat none
                forward
            } else {
                log "No Match in NoNAT List, allowing SNAT: [IP::local_addr]"
                pool gateway
            }
        }
    }

    virtual Outbound {
        destination any:any
        profile myfastl4
        pool gateway
        rule DisableSnatWithClass
        vlans internal enable
    }
It is also worth noting that if you DO use the LB_SELECTED event for load balancing "transparent devices" such as routers or firewalls, the address values are similar to CLIENT_ACCEPTED, with the addition of LB::selected. Here they are for review:
    IP::remote == the client IP
    IP::local == the destination IP of the packet (out in the cloud)
    LB::server addr == the node selected (the router or firewall)
Hope this helps!
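As an added example (not part of the DevCentral thread or of F5's own code), the following Python script parses the v9-style `class { network X mask Y }` stanza from the answer above and replays the DisableSnatWithClass decision offline. The point it makes is the one the answer warns about: a SNAT exemption bound to LB_SELECTED is silently never evaluated on a forwarding (ip) virtual, so traffic to the "NoNAT" networks still gets translated. The function names (`parse_class`, `matchclass`, `rule_decision`), the `EVENTS_BY_VIRTUAL` table (built from the answer's statement about which events fire) and the sample destination addresses are all constructed for this example.

```python
import ipaddress
import re

# Constructed input: the class definition from the answer, verbatim.
CLASS_TEXT = """
class NoNATNets {
network 10.30.1.0 mask 255.255.255.0
network 10.30.100.0 mask 255.255.255.0
}
"""

# Which iRule events fire per virtual-server type, per the answer:
# LB_SELECTED only fires on virtuals that actually load balance.
EVENTS_BY_VIRTUAL = {
    "forwarding_ip": {"CLIENT_ACCEPTED"},
    "standard": {"CLIENT_ACCEPTED", "LB_SELECTED"},
}


def parse_class(text):
    """Return {class_name: [ip_network, ...]} from v9 'class' stanzas."""
    classes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"class\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            classes[current] = []
            continue
        m = re.match(r"network\s+(\S+)\s+mask\s+(\S+)", line)
        if m and current is not None:
            # strict=False tolerates host bits set in the network field
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            classes[current].append(net)
        elif line == "}":
            current = None
    return classes


def matchclass(addr, networks):
    """Offline stand-in for [matchclass $addr equals $::Class] on a network class."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def rule_decision(virtual_type, event, dest_addr, nonat_nets):
    """Action the exemption rule would take if bound to `event` on `virtual_type`.

    Returns None when the event never fires on that virtual type: the rule
    body is skipped and the virtual's configured SNAT applies untouched,
    which is exactly the failure mode the answer describes.
    """
    if event not in EVENTS_BY_VIRTUAL[virtual_type]:
        return None
    if matchclass(dest_addr, nonat_nets):
        return "snat none"
    return "default SNAT"


if __name__ == "__main__":
    nets = parse_class(CLASS_TEXT)["NoNATNets"]
    for vtype in EVENTS_BY_VIRTUAL:
        for event in ("CLIENT_ACCEPTED", "LB_SELECTED"):
            for dst in ("10.30.100.9", "192.0.2.5"):  # constructed destinations
                print(vtype, event, dst, "->", rule_decision(vtype, event, dst, nets))
```

Running it shows `forwarding_ip LB_SELECTED 10.30.100.9 -> None`: the exemption was never consulted, so the safe check after deploying such a rule is to confirm the event you bound it to actually fires on that virtual type (the answer's log lines are a quick way to do that).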