Forum Discussion

wtwagon_99154
Mar 10, 2010

Destination Based SNAT / NO SNAT

I wanted to see if it was possible to create an iRule that I could apply to an IP forwarding VIP to remove a SNAT.

Example:

Say Network 172.16.0.0/24 wants to talk to 10.32.0.0/24. Right now, there is a default SNAT that will SNAT all traffic from the 172.16.0.0/24 network to a particular IP address.

I have created an IP Forwarding VIP to 10.32.0.0/24, but the IP address will always show up as the previous particular IP address when accessing the 10.32.0.0/24 network.

Is there a way I can apply an iRule to the IP Forwarding VIP that will simply remove the SNAT when destined to these particular networks?

I was thinking something along the lines of this:

http://devcentral.f5.com/Wiki/default.aspx/iRules/SelectiveSNAT.html

However, not quite sure how I would format it. Any suggestions would be fantastic. Thanks!
  • hoolio
    Hi,

    That's a good start. If traffic hits this VIP and doesn't match the allowed client IP class and/or destination port class, what do you want to do with the traffic? Traffic which hits this VIP wouldn't default to using the default SNAT, so you'd want to handle those cases explicitly in the iRule. Here is a cleaned up example with more accurate names:

    Also note that if you're on 9.4.4+ you should remove the $:: prefix from the class names in the iRule.

      class allowed_clients_class {
         network 172.16.0.0/24
      }

      class allowed_destination_ports {
         22
         80
         110
      }

      when CLIENT_ACCEPTED {

         # Check if client IP is allowed
         # (drop the $:: prefix from the class names if running 9.4.4 or later)
         if { [matchclass [IP::client_addr] equals $::allowed_clients_class] } {

            # Check if the requested port is allowed
            if { [matchclass [TCP::local_port] equals $::allowed_destination_ports] } {

               # Disable SNAT for this connection
               snat none

            } else {
               # Take some action for disallowed destination ports?
               drop
            }
         } else {

            # Take some action for disallowed client IPs?
            drop
         }
      }

    Aaron
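The iRule above keys the decision on the destination port. The original question asks for the decision to be made on the destination network instead, so here is a variant that does that, matching on the address the client connected to. This is an added example, not hoolio's code or anything shipped by F5; the data group names (allowed_clients, no_snat_destinations), the addresses, and the choice of snat automap as the fallback are assumptions. It uses the `class match` syntax and unprefixed data-group names of 9.4.4 and later, and it sets the SNAT explicitly in both branches because, as noted above, traffic reaching a virtual server does not fall back to the default SNAT by itself.

```tcl
# Data groups in the bigip.conf "class" syntax used elsewhere in this
# thread.  Names and addresses are assumptions for this example:
#
#   class allowed_clients {
#      network 172.16.0.0/24
#   }
#   class no_snat_destinations {
#      network 10.32.0.0/24
#   }

when CLIENT_ACCEPTED {
   # Only clients from the allowed source range are handled by this
   # forwarding virtual.  Anything else is dropped explicitly rather
   # than forwarded, because nothing on a virtual server falls back to
   # the default SNAT on its own.
   if { not [class match [IP::client_addr] equals allowed_clients] } {
      log local0. "Dropped [IP::client_addr] -> [IP::local_addr]: source not allowed"
      drop
      return
   }

   # Destination-based decision: [IP::local_addr] is the address the
   # client connected to, i.e. the destination on the client side.
   # Connections to the listed networks keep the real client source
   # address; everything else is SNATed explicitly (automap chosen here
   # as an assumption; a named SNAT pool would work the same way).
   if { [class match [IP::local_addr] equals no_snat_destinations] } {
      log local0. "No SNAT: [IP::client_addr] -> [IP::local_addr]"
      snat none
   } else {
      snat automap
   }
}
```

The log lines are there because, as the later reply points out, per-connection logging is one of the things an iRule gives you over a plain SNAT object; remove them once the rule is verified, since logging every connection on a forwarding virtual is costly. The example deliberately avoids TCP::local_port so it still evaluates on a wildcard-protocol forwarding virtual that also passes UDP.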
  • Just following up on this.

    It is my belief that you can perform this action using a 'SNAT' on a particular VLAN. If these are separate VLANs, I would think you can disable SNAT destined to a particular VLAN. Anyone have experience with this?
  • hoolio
    A SNAT can provide similar functionality to a VIP and iRule, but the iRule gives you more granularity (source and destination hosts/subnets and ports), the ability to log connections and more specific statistics (b virtual show all versus b snat show all). If the SNAT functionality works for your requirements it is a simpler config option and is probably more efficient than a VIP and iRule.

    Aaron