Forum Discussion
J_Peterman_4266
Nimbostratus
Jul 18, 2012
Having trouble with destination based SNAT iRule
We are looking to implement destination based SNAT via iRule where all traffic destined to RFC 1918 space does not get SNAT outbound and it retains its private addressing, all other traffic destined to public addressing gets SNAT outbound for internet specific connectivity. The problem is that the iRule that I have created and applied to a basic IP forwarding Virtual Server is not matching and performing "snat none" or simply "forward" and instead all traffic outbound is getting SNAT. Can anyone point out what might be going on?
[IP addressing has been changed to protect the innocent]
Here is my iRule:
when CLIENT_ACCEPTED {
    # Check if the remote address is part of the private_nosnat data group
    if { [class match [IP::remote_addr] equals private_nosnat] } {
        # don't do anything
        log local0. "MATCH NO SNAT CLASS"
        snat none
    } else {
        # snat behind this address
        snat 1.1.1.1
    }
}
the datagroup private_nosnat includes three networks defined:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Again, this is applied to a virtual server that just matches all destinations and forwards on. The problem is that the first if statement isn't working and all traffic is getting SNAT on the final else statement.
Any insight is greatly appreciated.
- nitass
Employee
Quoting: if { [class match [IP::remote_addr] equals private_nosnat]} {
I understand IP::remote_addr is the client address in a client-side context event, e.g. CLIENT_ACCEPTED. Can you try IP::local_addr? - J_Peterman_4266
Nimbostratus
The change to local_addr from remote_addr doesn't make any difference. It is still natting everything outbound regardless of the destination address. - nitass
Employee
Quoting: The change to local_addr from remote_addr doesn't make any difference. It is still natting everything outbound regardless of the destination address.
Have you got the "MATCH NO SNAT CLASS" log? - J_Peterman_4266
Nimbostratus
Here is what I have from the log. I updated it to log in both branches. Here is what I'm seeing: it is only matching the second rule, in which it logs MATCH AND SNAT. This is true when I use local_addr, client_addr, or remote_addr. - nitass
Employee
Can you list the private_nosnat data group, i.e. b class private_nosnat list? - Brian_Van_Stone
Nimbostratus
In the context of this iRule and these connections I would expect remote_addr to return the IP of the server (identical to client_addr in the clientside context) and local_addr to return the self IP of BigIP in the vlan where the server lives (unless I misunderstood how local_addr should work). - J_Peterman_4266
Nimbostratus
Posted By Brian Van Stone on 07/19/2012 10:52 AM - J_Peterman_4266
Nimbostratus
Posted By nitass on 07/19/2012 10:47 AM - hoolio
Cirrostratus
The issue is that the class command doesn't support route domains. See this post for details and possible workarounds:
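Putting the thread's findings together, here is an added example iRule (not the poster's rule and not F5-supplied code) of the destination-based SNAT the question asks for. It assumes an address-type data group named private_nosnat holding the three RFC 1918 networks, the SNAT address 1.1.1.1 from the question, and a non-default route domain, where IP::local_addr returns the destination with a "%<route-domain>" suffix (for example 10.1.2.3%2); the rule strips that suffix with getfield before the class lookup, since hoolio's answer identifies the route domain as the reason the class command does not match. The variable name dst and the log messages are mine.

```tcl
# Added example iRule: destination-based SNAT that leaves RFC 1918 destinations
# un-SNATed and SNATs everything else. Assumes the private_nosnat address data
# group (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the SNAT address from
# the question; the route-domain suffix handling is the workaround applied here.
when CLIENT_ACCEPTED {
    # On a forwarding virtual server, in CLIENT_ACCEPTED:
    #   IP::remote_addr = the client (the internal host opening the connection)
    #   IP::local_addr  = the destination the client is trying to reach
    # So the destination check must use IP::local_addr, not IP::remote_addr.
    #
    # In a non-default route domain the address carries a "%<rd>" suffix
    # (assumed format, e.g. 10.1.2.3%2). The class command cannot match that
    # against a plain subnet entry, so keep only the part before the "%".
    set dst [getfield [IP::local_addr] "%" 1]

    if { [class match $dst equals private_nosnat] } {
        # Private destination: keep the client's own source address.
        log local0. "dst $dst matched private_nosnat - no SNAT"
        snat none
    } else {
        # Public destination: translate the source to the outbound SNAT address.
        log local0. "dst $dst not in private_nosnat - SNAT to 1.1.1.1"
        snat 1.1.1.1
    }
}
```

When verifying the rule, watch /var/log/ltm for both log lines: a connection to 10.x, 172.16-31.x or 192.168.x should produce the "no SNAT" line and keep its private source address on the far side, while a connection to a public address should produce the SNAT line. If every connection still hits the else branch, log the value of $dst itself to confirm the suffix was stripped and that the data group is of type address rather than string.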