Forum Discussion
RoutingLoop_179
Cirrus
Mar 07, 2013
Dynamic 1:1 SNAT irule
Hi guys - looking for some feedback regarding my iRule for 1:1 dynamic NAT. E.g. we might use 10/8 on the client inside but then only have a /17 pool on public outside, although over allocated t...
RoutingLoop_179
Cirrus
Aug 19, 2013
cont...
```tcl
        # loop through subnet until octet3 has reached its maximum allocated value
        while {$::oct3 <= $static::oct3end} {
            set ip 217.39.$::oct3.$::oct4
            if { [table lookup -notouch -subtable "DynNatAddreses" $ip] eq "" } {
                log local0. "Free IP: $ip found added to clientDynNat table"
                # reserve the free IP
                table add -subtable "DynNatAddreses" $ip [IP::client_addr] $static::timeout
                # allocate the free IP as client SNAT address
                table add -subtable "ClientDynNat" [IP::client_addr] $ip $static::timeout
                # debugging
                if {$static::debug} {
                    log local0. "table lookup in DynNatAddress for $ip: [table lookup -notouch -subtable "DynNatAddreses" $ip]"
                    log local0. "table remaining ClientDynNat for [IP::client_addr]: [table timeout -subtable "ClientDynNat" -remaining [IP::client_addr]]"
                    log local0. "table timeout DynNatAddreses for $ip: [table timeout -subtable "DynNatAddreses" -remaining $ip]"
                }
                # SNAT the client to the free IP
                snat $ip
                # break the loop - found and allocated an address, so no point in cycling through the rest of the pool of IPs
                break
            }
            # increment the last octet of the pool
            incr ::oct4
            # if the last octet has reached the end of the range, increment the next octet of the IP and start looping through again
            if {$::oct4 > $static::oct4end} {
                incr ::oct3
                set ::oct4 0
            }
        }
    }
}
```
Vladimir_Bojko1
Nov 26, 2013
Historic F5 Account
In my case I also needed to allow incoming connections on to the client IPs.
So I had to do only address translation without port translation.
To do this I defined one network virtual server on the external VLAN of type performanceL4.
Destination IP is the IP range you defined in the iRule, here: 217.39/16.
Important: You have to enable address translation, which is disabled by default with network virtuals.
Here is an example:
```
ltm virtual CGNAT1-incomming {
    destination 217.39.0.0:any
    mask 255.255.0.0
    profiles {
        fastL4 { }
    }
    rules {
        dynamic_NAT_incomming
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 29
}
```
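Then you add the following iRule to it:
```tcl
when CLIENT_ACCEPTED {
    # Map the public destination back to the inside client that currently holds it
    set inside [table lookup -subtable "DynNatAddreses" [IP::local_addr]]
    # No entry means the address is not allocated; "node" with an empty value would raise a Tcl error
    if { $inside eq "" } { reject; return }
    node $inside
}
```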
Now the 1:1 IP address translation works bidirectionally.
BTW, tested with 11.4.1
regards
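
A small Python model of the scheme in this thread, added here as an illustration and not code from either poster: it mirrors the two subtables (inside-to-public and public-to-inside) with an idle timeout, and shows pool exhaustion, address reuse after expiry, and inbound traffic to an unallocated address being dropped. The class and method names and the 203.0.113.0/30 pool are constructed, and the model assumes inbound lookups do not refresh the idle timer (the `-notouch` behaviour), so unsolicited inbound traffic cannot keep a reservation alive.

```python
import ipaddress


class DynNatPool:
    """Model of the thread's two session subtables with an idle timeout."""

    def __init__(self, pool_cidr, timeout):
        self.pool = ipaddress.ip_network(pool_cidr)  # constructed sample pool
        self.timeout = timeout
        self.by_client = {}  # "ClientDynNat":   inside IP -> (public IP, expiry)
        self.by_public = {}  # "DynNatAddreses": public IP -> (inside IP, expiry)

    def _expire(self, now):
        # Drop entries whose idle timer has run out, as the session table does.
        for tbl in (self.by_client, self.by_public):
            for key in [k for k, (_, exp) in tbl.items() if exp <= now]:
                del tbl[key]

    def outbound(self, client, now):
        """Return the SNAT address for an inside client, or None if the pool is full."""
        self._expire(now)
        if client in self.by_client:
            public = self.by_client[client][0]
        else:
            # Linear scan for the first free address, like the iRule's while loop.
            public = next((str(a) for a in self.pool
                           if str(a) not in self.by_public), None)
            if public is None:
                return None  # over-allocated pool exhausted: caller must fail closed
        expiry = now + self.timeout  # outbound traffic refreshes both entries
        self.by_client[client] = (public, expiry)
        self.by_public[public] = (client, expiry)
        return public

    def inbound(self, public_dst, now):
        """Return the inside node for an inbound connection, or None to drop it."""
        self._expire(now)
        entry = self.by_public.get(public_dst)
        # Assumption: no timer refresh here, so only the inside client
        # can extend its own reservation.
        return entry[0] if entry else None


if __name__ == "__main__":
    nat = DynNatPool("203.0.113.0/30", timeout=300)
    print(nat.outbound("10.0.0.1", now=0), nat.inbound("203.0.113.3", now=0))
```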
