Forum Discussion
iRule for Conditional SNAT not working
Need help. An iRule to perform source NAT based on the source IP is not working. The requirement is "not to NAT" when the source IP is from 172.21.10.0/24 and to NAT everything else. Even when I source it from the 172.21.10.0/24 subnet it still ends up getting source NAT'd.
Here is my iRule. I appreciate any help.
when LB_SELECTED {
    # Exempt sources in 172.21.10.0/24 from SNAT; SNAT everything else
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}
I also tried a longer one as well, but still the same result.
when LB_SELECTED {
    # Exempt only when the client is in 172.21.10.0/24 AND the selected
    # pool member is 172.21.30.48; SNAT everything else
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] and [IP::addr [LB::server addr] equals 172.21.30.48] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}
I also tried matchclass with a data group for the client address, but still the same result.
when LB_SELECTED {
    # Check if the client IP is in the nat-exempt-srvrs data group.
    # Braces are needed around the name because it contains hyphens,
    # which Tcl would otherwise treat as the end of the variable name.
    if { [matchclass [IP::client_addr] equals ${::nat-exempt-srvrs}] } {
        # DISABLE source NAT. This overrides SNAT on the VIP or a default SNAT.
        snat none
        forward
    } else {
        # ENABLE source NAT using the pool. This overrides SNAT on the VIP or a default SNAT.
        snatpool SNAT-NATPOOLX
    }
}
21 Replies
- What_Lies_Bene1
Cirrostratus
You shouldn't be using this command in the LB_SELECTED event. Try this instead;
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
    }
}
- Spiderman_11815
Nimbostratus
I tried it and it is still not working. The client is getting NAT'd. I'm running ver 10.2.1, don't know if this matters. Thanks.
- Michael_Yates
Nimbostratus
Hi Spiderman,
Try something like this:
when CLIENT_ACCEPTED {
    if { !([class match [IP::client_addr] equals nat-exempt-srvrs]) } {
        snat automap
    }
}
- Spiderman_11815
Nimbostratus
I tried this previously; it did not work. I tried this again, and still the same issue.
- What_Lies_Bene1
Cirrostratus
OK. Is there any SNAT configured for the Virtual Server itself? If so we'll need to disable it like so;
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        # Stop processing the iRule
        snat none
        return
    } else {
        snatpool SNAT-NATPOOLX
    }
}
- Spiderman_11815
Nimbostratus
No SNAT configured on the VS. But the Pool has SNAT enabled. I disabled the SNAT on the pool; then it works for nat-exempt-servers, however it breaks for the other source IPs.
- What_Lies_Bene1
Cirrostratus
So, let's add some logging to this (assuming you can test this without it impacting your system with millions of log entries);
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        log .local0 "Not NATting for: [IP::addr [IP::client_addr]"
        snat none
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
        log .local0 "SNATting for: [IP::addr [IP::client_addr]"
    }
}
- Spiderman_11815
Nimbostratus
Here is the log I am getting after this.
Jan 23 13:40:32 local/tmm1 info tmm1[6860]: Rule test6 : SNAT for: 10.75.134.8%2 (It does not work)
Jan 23 13:40:51 local/tmm2 info tmm2[6861]: Rule test6 : SNAT for: 172.22.10.128%2 ( It is working but not sure why it did not encounter a match prior to this and exit)
The IP::addr variable was not working, so I modified the iRule as below.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        log local0. "Not NATing for: [IP::client_addr]"
        snat none
        # Stop processing the iRule
        return
    } else {
        snatpool SNAT-NATPOOLX
        log local0. "SNAT for: [IP::client_addr]"
    }
}
- What_Lies_Bene1
Cirrostratus
Hmmm. 172.22.10.128 is not in the 172.21.10.0/24 subnet range so I'm not sure why you expect that to match?
RE: "SNAT for: 10.75.134.8%2 (It does not work)" - What do you mean?
I see you are using Route Domains which may be significant. I'll look this up shortly.
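As an added illustration, not code from this thread or from F5, here is a Python model of the policy the replies converge on: exempt sources in 172.21.10.0/24 from SNAT, SNAT everything else, with the decision taken per client connection (the CLIENT_ACCEPTED logic). It strips the `%<id>` route-domain suffix that appears in the posted log lines before doing the subnet test; that handling is an assumption about the notation, not a statement about how `IP::addr` treats it on the BIG-IP. With it you can confirm which of the logged addresses actually fall inside the /24 (172.22.10.128 does not), and audit log lines in the poster's format to flag any client that was SNATed even though it is exempt. The subnet, rule name and pool name come from the thread; the log lines marked constructed are made up for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Values from the thread: the exempt subnet and the SNAT pool name.
NAT_EXEMPT_NETWORKS = [ipaddress.ip_network("172.21.10.0/24")]
SNAT_POOL = "SNAT-NATPOOLX"


def split_route_domain(addr: str) -> Tuple[str, Optional[int]]:
    """Split '10.75.134.8%2' into ('10.75.134.8', 2).

    Assumption: the '%<id>' suffix seen in the log lines is a route-domain
    tag that must be removed before the address can be parsed. An address
    without a suffix returns (addr, None).
    """
    host, sep, rd = addr.partition("%")
    return host, (int(rd) if sep else None)


def is_nat_exempt(client_addr: str) -> bool:
    """True when the client (minus any route-domain tag) is in an exempt subnet."""
    host, _rd = split_route_domain(client_addr)
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in NAT_EXEMPT_NETWORKS)


def snat_decision(client_addr: str) -> str:
    """The per-connection decision: 'snat none' for exempt sources,
    otherwise select the SNAT pool."""
    if is_nat_exempt(client_addr):
        return "snat none"
    return f"snatpool {SNAT_POOL}"


# Matches the message format of the poster's modified iRule:
#   "Rule <name> : SNAT for: <addr>" / "Rule <name> : Not NATing for: <addr>"
LOG_RE = re.compile(
    r"Rule (?P<rule>\S+) : (?P<action>SNAT for|Not NATing for): (?P<addr>\S+)"
)

SAMPLE_LOG = [
    # The two lines the poster quoted (annotations removed)
    "Jan 23 13:40:32 local/tmm1 info tmm1[6860]: Rule test6 : SNAT for: 10.75.134.8%2",
    "Jan 23 13:40:51 local/tmm2 info tmm2[6861]: Rule test6 : SNAT for: 172.22.10.128%2",
    # Constructed: an exempt client that was SNATed anyway (policy violation)
    "Jan 23 13:41:07 local/tmm1 info tmm1[6860]: Rule test6 : SNAT for: 172.21.10.5%2",
    # Constructed: an exempt client handled correctly
    "Jan 23 13:41:20 local/tmm2 info tmm2[6861]: Rule test6 : Not NATing for: 172.21.10.9%2",
]


def audit_log(lines: List[str]) -> List[str]:
    """Return the client addresses whose logged action contradicts the policy
    (exempt clients that were SNATed, or non-exempt clients that were not)."""
    mismatches = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not one of the iRule's log messages
        addr = m.group("addr")
        logged_snat = m.group("action") == "SNAT for"
        # A SNATed exempt client, or an un-SNATed non-exempt one, is a mismatch
        if logged_snat == is_nat_exempt(addr):
            mismatches.append(addr)
    return mismatches


if __name__ == "__main__":
    for addr in ("10.75.134.8%2", "172.22.10.128%2", "172.21.10.5%2"):
        print(f"{addr:>18} -> {snat_decision(addr)}")
    print("policy violations:", audit_log(SAMPLE_LOG))
```

Running the script prints the decision for each logged address and lists `172.21.10.5%2` as the only violation; the two addresses the poster logged are both outside the exempt range, so their SNAT is the expected outcome.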