Forum Discussion
J_Peterman_4266
Jul 18, 2012Nimbostratus
Having trouble with destination based SNAT irule
We are looking to implement destination based SNAT via iRule where all traffic destined to RFC 1918 space does not get SNAT outbound and it retains its private addressing, all other traffic destined to public addressing gets SNAT outbound for internet specific connectivity. The problem is that the iRule that I have created and applied to a basic IP forwarding Virtual Server is not matching and performing "snat none" or simply "forward" and instead all traffic outbound is getting SNAT. Can anyone point out what might be going on?
[IP addressing has been changed to protect the innocent]
Here is my iRule:
when CLIENT_ACCEPTED {
Check if the remote address is part of the private_nosnat data group
if { [class match [IP::remote_addr] equals private_nosnat]} {
don't do anything
log local0. "MATCH NO SNAT CLASS"
snat none
} else {
snat behind this address
snat 1.1.1.1
}
}
the datagroup private_nosnat includes three networks defined:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Again, this is applied to a virtual server that just matches all destinations and forwards on. The problem is that the first if statement isn't working and all traffic is getting SNAT on the final else statement.
Any insight is greatly appreciated.
- nitassEmployeeif { [class match [IP::remote_addr] equals private_nosnat]} {i understand IP::remote_addr is client address in client-side context event e.g. CLIENT_ACCEPTED. can you try IP::local_addr?
- J_Peterman_4266NimbostratusThe change to local_addr from remote_addr doesn't make any difference. It is still natting everything outbound regardless of the destination address.
- J_Peterman_4266NimbostratusThe change to local_addr from remote_addr doesn't make any difference. It is still natting everything outbound regardless of the destination address.
- nitassEmployeeThe change to local_addr from remote_addr doesn't make any difference. It is still natting everything outbound regardless of the destination address. have you got "MATCH NO SNAT CLASS" log?
- J_Peterman_4266NimbostratusHere is what I have from the log. I updated to Log on both instances. Here is what I'm seeing. It is only matching the second rule in which it logs MATCH AND SNAT. This is true when I use local_addr, client_addr, or remote_addr.
- nitassEmployeecan you list private_nosnat data group i.e. b class private_nosnat list?
- Brian_Van_StoneNimbostratusIn the context of this iRule and these connections I would expect remote_addr to return the IP of the server (identical to client_addr in the clientside context) and local_addr to return the self IP of BigIP in the vlan where the server lives (unless I misunderstood how local_addr should work).
- J_Peterman_4266NimbostratusPosted By Brian Van Stone on 07/19/2012 10:52 AM
- J_Peterman_4266NimbostratusPosted By nitass on 07/19/2012 10:47 AM
- hooleylistCirrostratusThe issue is that the class command doesn't support route domains. See this post for details and possible workarounds:
Recent Discussions
Related Content
Â
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects