Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Jan 16, 2013

DHCP Relay No-NAT

As detailed here: https://devcentral.f5.com/tech-tips/articles/dhcp-relay-virtual-server.UPaOpDmmv1U if there is a second hop that is an F5 apparently you need to create a No-NAT. I don't understand ...
config
design
nitass's avatar
nitass
Icon for Employee rankEmployee
Jan 20, 2013
Is this because of some automatic NAT function performed by the DHCP Relay VS type?i think so. anyway, it is also snated even having dhcp-no-translate snat object. i am running 11.1.0 hf5. by the way, i am not sure why virtual server name is not shown in tcpdump (lis=).

without dhcp-no-translate snat object 

[root@B6400-R69-S9:Active] config  tmsh show sys version|head

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.1.0
  Build    2268.0
  Edition  Hotfix HF5
  Date     Mon Aug 20 14:13:45 PDT 2012

root@B6400-R69-S9(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 0.0.0.0:67
    dhcp-relay
    ip-protocol udp
    mask any
    pool foo
    profiles {
        udp { }
    }
    translate-address disabled
    vlans {
        external
    }
    vlans-enabled
}
root@B6400-R69-S9(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:67 {
            address 200.200.200.101
        }
    }
}
root@B6400-R69-S9(Active)(/Common)(tmos) list ltm snat
root@B6400-R69-S9(Active)(/Common)(tmos)

[root@B6400-R69-S9:Active] config  tcpdump -nni 0.0 udp port 67 or icmp -s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:14.969569 IP 9.9.9.1.67 > 200.200.200.101.67: BOOTP/DHCP, Request from 00:50:56:b3:59:8d, length: 300 in slot1/tmm0 lis=
18:40:14.969630 IP 9.9.9.9.67 > 200.200.200.101.67: BOOTP/DHCP, Request from 00:50:56:b3:59:8d, length: 300 out slot1/tmm0 lis=

with dhcp-no-translate snat object 

root@B6400-R69-S9(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 0.0.0.0:67
    dhcp-relay
    ip-protocol udp
    mask any
    pool foo
    profiles {
        udp { }
    }
    translate-address disabled
    vlans {
        external
    }
    vlans-enabled
}
root@B6400-R69-S9(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:67 {
            address 200.200.200.101
        }
    }
}
root@B6400-R69-S9(Active)(/Common)(tmos) list ltm snat
ltm snat dhcp-no-translate {
    origins {
        9.9.9.1/32 { }
    }
    translation /Common/9.9.9.1
}

[root@B6400-R69-S9:Active] config  tcpdump -nni 0.0 udp port 67 or icmp -s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:49:15.304996 IP 9.9.9.1.67 > 200.200.200.101.67: BOOTP/DHCP, Request from 00:50:56:b3:59:8d, length: 300 in slot1/tmm0 lis=
18:49:15.305056 IP 9.9.9.9.67 > 200.200.200.101.67: BOOTP/DHCP, Request from 00:50:56:b3:59:8d, length: 300 out slot1/tmm0 lis=