Forum Discussion

Eric_Van_Tol_10
Aug 17, 2012

iRule for bypassing SNAT when routing

We are changing the logical setup of our network behind our LTM and I'm trying to find out how to write an iRule that does what I need. Our servers sit on a private network behind the LTM and we want non-local networks to be able to reach them via a router on a different VLAN on the LTM. This part isn't a problem, but when the servers send traffic to the gateway (the LTM), the traffic is translated as the VIP on the 'external' VLAN of the LTM. As it is now, we have a 'dmz' VLAN configured on the LTM with 172.16.30.1/24. The 'internal' VLAN has an IP of 172.16.20.1/24. I want the LTM to just route traffic coming from the servers, which is destined for X and Y networks, to be forwarded, not SNATed or load balanced at all. We used to bypass all of this by putting direct routes in the servers pointing to a backend router that was on the same subnet as the servers, but we're getting rid of that setup.

This is what I have, but I'm not sure where to apply it, whether I should create a Forwarding VIP, or what.

    when CLIENT_ACCEPTED {
        # skip SNAT when the connection comes from the 172.16.56.0/24 network
        if { [IP::addr [IP::remote_addr] equals 172.16.56.0/255.255.255.0] } {
            snat none
        }
    }

I got the rule above from this post I found:

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/68/aft/1180494/showtab/groupforums/Default.aspx

However, again, I'm kind of lost as to where to apply this or if it's even correct. I would normally spend days trying to learn everything there is to know about the LTM, but I need to get this working, and I work so infrequently with it that I need a gentle push in the right direction.

Thanks,

evt

 

  • Thanks for the response. I've got this on a Forwarding virtual server which is applied to the 'internal' VLAN. The problem still exists: when I ping, sourced from 172.16.56.10 to 172.16.20.21, the response is still coming from the VIP configured on the 'external' VLAN. Maybe my Forwarding virtual server is not correct:

        virtual address 172.16.56.0 {
           mask 255.255.255.0
           server none
        }
        virtual Backend_Forwarding {
           ip forward
           destination 172.16.56.0:any
           mask 255.255.255.0
           rules cs_snat_bypass
           vlans internal enable
        }
        route 172.16.56.0/24 {
           gateway 172.16.30.249
        }
  • it depends on who initiates a connection.

    e.g.

     by server
    
    [root@ve10:Active] config  b virtual fwd_outbound list
    virtual fwd_outbound {
       ip forward
       destination 172.16.56.0:any
       mask 255.255.255.0
       vlans internal enable
    }
    
     by client
    
    [root@ve10:Active] config  b virtual fwd_inbound list
    virtual fwd_inbound {
       ip forward
       snat automap
       destination 172.16.20.0:any
       mask 255.255.255.0
       rules myrule
       vlans external enable
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          if { [class match -- [IP::remote_addr] equals address_class] } {
             snat none
          }
       }
    }
    [root@ve10:Active] config  b class address_class list
    class address_class {
       network 172.16.56.0/24
    }
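
The reply above is in bigpipe (`b`) syntax, which only exists up to BIG-IP v10. As an added example, not code from the thread or from F5, here is the same pair of forwarding virtual servers, address data group and SNAT-bypass iRule written in tmsh configuration syntax (v11 and later). The object names, the fastL4 profile, and the `source` restriction on the outbound virtual are my assumptions; the VLANs `internal` and `external` and the addresses are taken from the thread.

```tcl
# Added example: tmsh rendering of the two forwarding virtuals above (assumed names).
# Load with: tmsh load sys config merge from-terminal   (paste, then Ctrl-D)

# Address data group of networks that must never be SNATed (172.16.56.0/24 from the thread)
ltm data-group internal no_snat_nets {
    records {
        172.16.56.0/24 { }
    }
    type ip
}

# iRule: evaluated on the first packet of each flow, so 'snat none' applies to the whole flow
ltm rule snat_bypass {
when CLIENT_ACCEPTED {
    # Match the connection source against the data group; bypass SNAT on a hit
    if { [class match [IP::client_addr] equals no_snat_nets] } {
        snat none
    }
}
}

# Client-initiated traffic toward the server subnet, entering on the external VLAN.
# SNAT automap by default; the iRule turns it off for sources in no_snat_nets.
ltm virtual fwd_inbound {
    destination 172.16.20.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles {
        fastL4 { }
    }
    rules {
        snat_bypass
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
}

# Server-initiated traffic toward 172.16.56.0/24, entering on the internal VLAN.
# No SNAT configured, so the server address is preserved and the packet is routed.
# 'source' limits this rule to the server subnet (assumed tightening, not in the thread).
ltm virtual fwd_outbound {
    destination 172.16.56.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles {
        fastL4 { }
    }
    source 172.16.20.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}
```

Verify with `tmsh list ltm virtual fwd_inbound fwd_outbound` after the merge. Two points worth keeping in mind when building these: a forwarding virtual server is a routing decision, so the `destination`, `source` and `vlans` scope are the access control; a `0.0.0.0:any` forwarding virtual enabled on every VLAN turns the LTM into an open router between all of its networks. And `snat none` only takes effect if it runs before the flow is set up, which is why the bypass sits in `CLIENT_ACCEPTED` rather than a later event.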