Forum Discussion
Paul_Farag_1097
Nimbostratus
NimbostratusConidtional SNATing
I am a little confused I wrote an irule to perform SNATs for certain IP's and not for other IP's. The irule I wrote is as follows:
when CLIENT_ACCEPTED {
if { [matchclass [IP::client_addr] equals $::NO_SNAT] } {
forward
} elseif { [matchclass [IP::client_addr] equals $::SNAT_GROUP02] } {
snatpool SNAT_POOL1
} elseif { [matchclass [IP::client_addr] equals $::NAT_GROUP03] } {
snatpool SNAT_POOL2
} elseif { [matchclass [IP::client_addr] equals $::NAT_GROUP04] } {
snatpool SNAT_POOL3
} elseif { [matchclass [IP::client_addr] equals $::NAT_GROUP05] } {
snatpool SNAT_POOL4
} elseif { [matchclass [IP::client_addr] equals $::NAT_GROUP06] } {
snatpool SNAT_POOL5
} else {
log local0.info
forward
}
}
The logic looks ok, but when I tested this I sourced my telnets from an IP in NAT_GROUP03, and I was never seeing the packet reach the pool. However once I removed the top if statement and forward statement the irule worked. It looks like having the forward at the top of the if's did not allow this irule to work.
My question is what is the logic for the forward... The devcentral WIKI did not have anything but the command has been available since 9.0.0. Any help would be much appreciated.
hoolioCirrostratus
The forward command specifies that the request should be forwarded out of the BIG-IP on the interface specified in the routing table. No destination address or port translation would be done.
You're using the forward command, but you say you want requests to go to a pool. Are you wanting to load balance the connections to a pool or forward them? If the former, you should be able to just remove the forward command and the requests which match the ::NO_SNAT class will be sent to the default pool defined on the virtual server. If you want to explicitly disable SNAT for the ::NO_SNAT clients, you could use 'snat none'.
Aaron- wiki page updated...
