Forum Discussion
J_Peterman_4266
Jul 18, 2012 · Nimbostratus
Having trouble with destination based SNAT irule
We are looking to implement destination based SNAT via iRule where all traffic destined to RFC 1918 space does not get SNAT outbound and it retains its private addressing, all other traffic destined t...
J_Peterman_4266
Jul 19, 2012 · Nimbostratus
Posted By Brian Van Stone on 07/19/2012 10:52 AM
In the context of this iRule and these connections I would expect remote_addr to return the IP of the server (identical to client_addr in the clientside context) and local_addr to return the self IP of BigIP in the vlan where the server lives (unless I misunderstood how local_addr should work).
I was thinking that [IP::server_addr], which is the same as [serverside {IP::remote_addr}], might be what you're looking for. You're interested in getting the destination address, and the three options you have tried are all in the clientside context.
The part that boggles me is: and it retains its private addressing
I would expect that if the server initiating this connection has a local address the first piece would always execute when using [IP::client_addr] or [IP::remote_addr] rather than the other way around.
Hopefully this explanation helps clarify what I'm attempting to accomplish.
What I mean is that we want traffic that has a destination address in the RFC1918 ranges outlined in private_snat group to not be SNAT outbound, but all traffic destined to everything else (Public) to be SNAT to a public facing external address.
Topology of outbound traffic:
Server -> Loadbalancer -> Internet
Example where we do want SNAT to occur (the last else statement):
Server IP: 10.x.x.x attempting to connect out to an internet server, yahoo for sake of example
Traffic needs to hit the LB and get SNAT to a public address (1.1.1.1) so that it is publicly routable out to the internet.
Example where we do not want SNAT to occur (the first if statement):
Server IP: 10.x.x.x attempting to connect to a server in another data center with a destination of 192.168.x.x (all private internal network connectivity, no internet and thus no public SNAT required).
Traffic in this example should come from the server destined to 192.168.x.x and match the first IF statement and simply be forwarded on without SNAT because the destination falls within the private_nosnat group.
This was considerably easier to accomplish on other platforms (ACE LB, firewalls with NAT lists, etc.). I'm struggling to get this iRule to work appropriately and to figure out the correct syntax to SNAT or not SNAT based upon the destination of outbound traffic.
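One way to express the decision the post describes (private destination: forward untranslated; anything else: SNAT to the public address), written here as an added example rather than the poster's iRule or F5-supplied code. It assumes a wildcard forwarding virtual server, an address-type data group named private_nosnat holding the RFC 1918 ranges, and the 1.1.1.1 SNAT address from the post.

```tcl
# Added example: destination-based SNAT for outbound traffic
# Server -> BIG-IP -> Internet.
# Assumptions (not from the thread): a wildcard (0.0.0.0/0) forwarding
# virtual server, and an address-type data group "private_nosnat" that
# contains 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
when CLIENT_ACCEPTED {
    # On a wildcard virtual, the "local" address in the clientside
    # context is the destination the internal server actually dialed.
    set dst [IP::local_addr]

    if { [class match $dst equals private_nosnat] } {
        # Destination is RFC 1918 space: keep the original source address.
        snat none
        # Visibility for troubleshooting; remove or rate-limit in production.
        log local0.info "[IP::client_addr] -> $dst: private dst, no SNAT"
    } else {
        # Destination is public: translate to the public-facing address
        # (1.1.1.1 is the value used in the post).
        snat 1.1.1.1
        log local0.info "[IP::client_addr] -> $dst: public dst, SNAT 1.1.1.1"
    }
}
```

The snat command has to run before the serverside connection is built, which is why the decision is taken in CLIENT_ACCEPTED rather than in a serverside event.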