
Forum Discussion

Felix888_164906
Oct 01, 2014

How to do conditional SNAT

Hi everyone:

   I know it shouldn't be a hard question, but I'm still new to F5. Any help will be great!
  So what we want is to do conditional SNAT for outgoing and incoming traffic. We have multiple LANs behind the LTM. When we send traffic to an internal VLAN, we want no SNAT; when we send traffic out, we need SNAT. Same for the incoming traffic: when the traffic is coming from the Internet, we need to do SNAT; when the traffic is coming from an internal LAN, we don't need SNAT.
For example, for outgoing traffic:
if I want to route to the internal LAN 10.0.0.0/24, no SNAT. If I want to go to the Internet, I need SNAT.
For incoming traffic, if the traffic is coming from 10.0.0.0/24, no SNAT. If it is coming from the outside Internet, I need SNAT. Assuming an iRule is used, can you give an example of how to do it? And where shall I apply these iRules?
Sorry for the newbie question.
Thanks

3 Replies

  • If you have multiple VIPs, you only apply the SNAT config to the VIPs that need it.

    If you are using a single VIP for all traffic, then something like this will work in an iRule

    when CLIENT_ACCEPTED {
        # Apply SNAT only when the client address is outside 10.0.0.0/8
        if {!([IP::addr [IP::client_addr] equals "10.0.0.0 mask 255.0.0.0"]) } {
            # Translate the source address using the SNAT pool "snatpool1"
            snatpool snatpool1
        }
    }

    The above iRule will use a SNAT pool called snatpool1 for all clients that don't have a 10.0.0.0/8 address.

    Regards,

  • Thanks Andrew!
      I do have multiple VIPs, which may cause confusion, because I cannot express an IP range with any condition. For example, I have a VIP called "vlan 10 forwarding" which forwards the traffic to 10.0.0.0/24; then I also have a VIP called "default-route" which forwards traffic from multiple internal LANs to 0.0.0.0/0, because I can't set up the IP range as "all except 10.0.0.0/24". These two VIPs actually overlap each other, so in this case it is hard to use SNAT per VIP. So I may have to consider using fewer VIPs. I did apply the iRule to the different VIPs, and it seems to work, but I feel this is not an efficient setup, because there are so many VIPs... If I use only one VIP, I have to create lots of rules for all purposes.
  • If you are using forwarding VIPs, and everything is traversing the F5's at layer 2, then you don't really need SNAT at all
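Tying the two suggestions together (one wildcard forwarding VIP instead of many overlapping ones, with the SNAT decision made per connection), here is an added example iRule that is not from the thread above. It assumes an address-type data group named "internal_nets" listing the internal LANs (for example 10.0.0.0/24) and a SNAT pool named "snatpool1"; both names are placeholders to adjust for your environment. SNAT is skipped only when both the source and the original destination are internal, so the real client address is preserved on LAN-to-LAN flows and everything touching the Internet is translated.

```tcl
# Added example: conditional SNAT on a single wildcard forwarding virtual server.
# Assumed objects (rename for your environment):
#   internal_nets - address-type data group holding the internal LAN prefixes
#   snatpool1     - SNAT pool used for any flow that touches the Internet
when CLIENT_ACCEPTED {
    # Source of the connection (client side).
    set src_internal [class match [IP::client_addr] equals internal_nets]
    # Original destination. On a wildcard forwarding VIP, IP::local_addr in
    # clientside context is the address the client actually sent the packet to.
    set dst_internal [class match [IP::local_addr] equals internal_nets]

    if { $src_internal && $dst_internal } {
        # LAN to LAN: keep the real source so server logs and ACLs still see it.
        snat none
    } else {
        # Outbound to the Internet, or inbound from the Internet: translate.
        snatpool snatpool1
    }
}
```

Attach the iRule to the one wildcard forwarding VIP and put the per-VLAN prefixes in the data group rather than creating a VIP per LAN; the second reply's point still applies, so if the F5 is purely bridging at layer 2 you can drop the SNAT branch entirely.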