Mark_60861
Jul 22, 2011Nimbostratus
Emulate v4.5 SNAT behavior with 10.x
I'm trying to emulate BIGIP 4.5 SNAT behavior for a set of legacy hosts that are being migrated from a 4.5 bigip box to a 10.x BigIP LTM.
With a 4.5 SNAT things work as follows:
All connections that the server initiates outbound using the bigIP as it's default gateway are SNATed to the snat IP.
All connections inbound to the server, initiated by a client, say an admin ssh'ing into the server, are simply forwarded without any NAT/SNAT. (this would be an asymmetrical flow, bigip only sees half the connection.)
In 10.2.1 I've created an irule and forwarding server (see below) that SNATs connections from a 'legacy server' data class. However, currently the 10.x BigIP SNATs everything it sees... This includes flows that it never saw an initial SYN for...
For example, if you ssh into a server, you have asymmetrical routing, so all packets from the ssh client go router -> server, while the return path is server -> bigip -> router.
This prevents ssh'ing into the box as a 3way handshake is never established, the ssh client sends a SYN which reaches the server, the server replies next-hoping the syn/ack to the bigip. The bigIP then SNATs the connection before sending it to the router, which of course prevents the 3way handshake.
Some detailed information and diagrams of what's going on, as well as my current irule and forwarding server configuration.
VLAN205 = Servers, 10.10.205.0/24
VLAN210 = VIPS, 10.10.210.0/24
Default Gateway for BIG-IP Route Domain: Router interface on VLAN 210.
Default Gateway for Servers: Big-IP Interface on VLAN 205.
+-----------------------+
| |
| VIP VLAN 210 |
| 10.10.210.0/24 |
| |
+-----+--------------+--+
| |
| |
+--------------+--+ +-+--------------+
| | | |
| BIG-IP | | Router |
| | | |
+--------------+--+ +-+--------------+
| |
| |
+-----+--------------+---+
| |
| SERVER VLAN 205 |
| 10.10.205.0/24 |
| |
+----------+-----------+-+
| |
| |
+-----+--+ +-+-------+
| | | |
| Server | | Server |
| | | |
+--------+ +---------+
class legacy_servers {
{
host 10.10.205.103
host 10.10.205.104
}
}
rule SNAT-TEST-RULE-1 {
when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals "legacy_servers"] && ( [IP::protocol] == 6 || [IP::protocol] == 17 ) } {
log local0. "=============================================================="
log local0. "SNAT'ed Legacy Server: [IP::client_addr] to 10.10.210.50"
log local0. "IP::client_addr: [IP::client_addr]"
log local0. "IP::local_addr: [IP::local_addr]"
log local0. "IP::remote_addr: [IP::remote_addr]"
log local0. "IP::protocol: [IP::protocol]"
snat 10.10.210.50
}
}
}
profile fastL4 route_friendly_fastl4 {
defaults from fastL4
loose initiation enable
loose close enable
}
virtual VS-FORWARD-RD0 {
ip forward
destination any:any
mask 0.0.0.0
rules {
SNAT-TEST-RULE-1
}
profiles route_friendly_fastl4 {}
vlans {
VLAN205
} enable
}