Forum Discussion
Eric_Van_Tol_10
Aug 17, 2012 (Nimbostratus)
iRule for bypassing SNAT when routing
We are changing the logical setup of our network behind our LTM and I'm trying to find out how to write an iRule that does what I need. Our servers sit on a private network behind the LTM and we want non-local networks to be able to reach them via a router on a different VLAN on the LTM. This part isn't a problem, but when the servers send traffic to the gateway (the LTM), the traffic is translated as the VIP on the 'external' VLAN of the LTM. As it is now, we have a 'dmz' VLAN configured on the LTM with 172.16.30.1/24. The 'internal' VLAN has an IP of 172.16.20.1/24. I want the LTM to just route traffic coming from the servers that is destined for the X and Y networks: forwarded, not SNATed or load balanced at all. We used to bypass all of this by putting direct routes in the servers pointing to a backend router that was on the same subnet as the servers, but we're getting rid of that setup.
This is what I have, but I'm not sure where to apply it, whether I should create a Forwarding VIP, or what.
when CLIENT_ACCEPTED {
    # Do not translate the source address for connections from 172.16.56.0/24
    if { [IP::addr [IP::remote_addr] equals 172.16.56.0/255.255.255.0] } {
        snat none
    }
}
I got the rule above from this post I found:
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/68/aft/1180494/showtab/groupforums/Default.aspx
However, again, I'm kind of lost as to where to apply this or if it's even correct. I would normally spend days trying to learn everything there is to know about the LTM, but I need to get this working and I work so infrequently with it that I need a gentle push in the right direction.
Thanks,
evt
- hoolio (Cirrostratus): Hi EVT,
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 172.16.56.0/24] } {
        snat none
    }
}
- Eric_Van_Tol_10 (Nimbostratus): Thanks for the response. I've got this on a Forwarding virtual server which is applied to the 'internal' VLAN. The problem still exists - when I ping, sourced from 172.16.56.10 to 172.16.20.21, the response is still coming from the VIP configured on the 'external' VLAN. Maybe my Forwarding virtual server is not correct:
- nitass (Employee): it depends on who initiates a connection.

by server
[root@ve10:Active] config b virtual fwd_outbound list
virtual fwd_outbound {
   ip forward
   destination 172.16.56.0:any
   mask 255.255.255.0
   vlans internal enable
}

by client
[root@ve10:Active] config b virtual fwd_inbound list
virtual fwd_inbound {
   ip forward
   snat automap
   destination 172.16.20.0:any
   mask 255.255.255.0
   rules myrule
   vlans external enable
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      if {[class match -- [IP::remote_addr] equals address_class]} {
         snat none
      }
   }
}
[root@ve10:Active] config b class address_class list
class address_class {
   network 172.16.56.0/24
}
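An added example, not from any post in this thread, that extends the myrule shown above for the client-initiated (fwd_inbound) forwarding virtual server: it keeps the data-group match, makes the fallback translation explicit, and logs every flow that bypasses SNAT so the untranslated path can be audited in /var/log/ltm. The data group name address_class and the 172.16.56.0/24 network come from the thread; the log message text is my own.

```tcl
# Assumed: attached to the inbound forwarding VS (fwd_inbound in the listing
# above) and a data group named address_class that holds 172.16.56.0/24.
when CLIENT_ACCEPTED {
    # Sources listed in the data group are routed untranslated, so the
    # servers see (and reply directly to) the real client address.
    if { [class match -- [IP::client_addr] equals address_class] } {
        snat none
        # Audit trail for every flow that leaves the box without translation;
        # follow it with: tail -f /var/log/ltm
        log local0. "no-SNAT forward [IP::client_addr] -> [IP::local_addr] proto [IP::protocol]"
    } else {
        # Everything else is translated to the self IP of the egress VLAN,
        # the same behaviour the VS-level 'snat automap' setting gives.
        snat automap
    }
}
```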