Forum Discussion
Disabling SNAT on wildcard forwarding VS
I have 3 VLANs on my LTM 11.2 boxes: outside, dmz (where web servers live) and inside (where app servers live). To prevent hairpin issues, I enabled snat auto_map on the dmz & inside VLANs but not on outside (so I can track unique hits, etc). To avoid needlessly SNATing traffic bound for the Internet (through a separate firewall), I put an iRule on the forwarding VS with one command: snat none. It works for most traffic but a significant amount comes through with the outside VLAN's float... it's still getting snat auto_mapped.
It's mostly pings from our NMS but the annoying ones are the DHCP replies for our "guest" VLAN (the firewall is the DHCP relay for them). They come in with the firewall's address on the outside VLAN (from the F5 perspective) but the DHCP server replies to the guest interface's address... so no UDP "session" match. When the packets return to the firewall SNATed with the F5's address, it rejects them... that's not who it sent the DHCP request to.
I'm stumped... here's the config:
ltm snat /Common/snat_automap {
ltm virtual /Common/wildcard-all {
3 Replies
- adharkrader
Nimbostratus
Whoops, forgot the iRule:
when CLIENT_ACCEPTED {
snat none
}
- nitass
Employee
"To prevent hairpin issues, I enabled snat auto_map on the dmz & inside VLANs but not on outside (so I can track unique hits, etc)."
Is this a typo? I do see snat_automap is enabled on the outside VLAN, isn't it?
"They come in with the firewall's address on the outside VLAN (from the F5 perspective) but the DHCP server replies to the guest interface's address... so no UDP "session" match. When the packets return to the firewall SNATed with the F5's address, it rejects them... that's not who it sent the DHCP request to."
You mean the incoming request is snat'ed but the outgoing reply isn't snat'ed, don't you? The wildcard-all virtual server with the snat none iRule is enabled on all VLANs, so I am curious how come the incoming request is snat'ed. Is there anything I missed?
sol9038: The order of precedence for local traffic object listeners
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
- adharkrader
Nimbostratus
Actually, snat_automap is disabled on the outside interface, enabled on the others.
Either way, it started working... it looks like the PCs continually pounding away was keeping some kind of "state" with snat ON. They turned all of the PCs off last night to move them to a different room and they work fine this morning. I tcpdumped the outside traffic and the DHCP replies are no longer being SNATed.
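A check for the verification step in the last reply (tcpdump on the outside VLAN to confirm DHCP replies are no longer SNATed), added here as an example and not part of the original thread: it parses `tcpdump -n` output and flags DHCP server replies whose source address is an F5 self IP instead of the DHCP server. The addresses, the self-IP set and the sample capture are constructed placeholders.

```python
import re

# Constructed sample of `tcpdump -n` output on the outside VLAN (placeholder
# addresses, not from the original post): 192.0.2.1 is the firewall acting as
# DHCP relay, 198.51.100.10 the DHCP server, 192.0.2.250 the F5 floating
# self IP on the outside VLAN. The second line is what a SNATed reply looks
# like; the fourth is a reply that left the box untouched.
SAMPLE_CAPTURE = """\
09:00:01.000100 IP 192.0.2.1.67 > 198.51.100.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
09:00:01.000900 IP 192.0.2.250.67 > 192.0.2.1.67: BOOTP/DHCP, Reply, length 300
09:00:05.000100 IP 192.0.2.1.67 > 198.51.100.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:66, length 300
09:00:05.000900 IP 198.51.100.10.67 > 192.0.2.1.67: BOOTP/DHCP, Reply, length 300
09:00:06.000000 IP 192.0.2.250 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
"""

# Assumed set of self IPs (floating and non-floating) on the outside VLAN.
F5_SELF_IPS = {"192.0.2.250", "192.0.2.251", "192.0.2.252"}

# Matches tcpdump's "IP a.b.c.d.port > e.f.g.h.port: info" form for UDP/TCP;
# lines without ports (ICMP, ARP) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)


def parse_capture(capture):
    """Return one dict per UDP/TCP line in the tcpdump text."""
    return [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]


def classify_dhcp_replies(capture, self_ips):
    """Split DHCP server replies (src port 67, 'Reply' in the summary) into
    those sourced from an F5 self IP (SNATed on the way out) and those that
    still carry the DHCP server's own address."""
    result = {"snated": [], "clean": []}
    for pkt in parse_capture(capture):
        if pkt["sport"] != "67" or "Reply" not in pkt["info"]:
            continue  # relay requests and other UDP are not of interest here
        bucket = "snated" if pkt["src"] in self_ips else "clean"
        result[bucket].append(pkt)
    return result


if __name__ == "__main__":
    for kind, pkts in classify_dhcp_replies(SAMPLE_CAPTURE, F5_SELF_IPS).items():
        for p in pkts:
            print(f"{kind:6} {p['ts']} {p['src']} -> {p['dst']}")
```

Any entry in the "snated" bucket means the snat none iRule is not taking effect for that flow (or a pre-existing connection is still carrying the old SNAT state); an empty bucket on a live capture is the result the last reply describes.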