Forum Discussion
iRule for Conditional SNAT not working
Need help. An iRule to perform source NAT based on the source IP is not working. The requirement is not to NAT when the source IP is from 172.21.10.0/24 and to NAT everything else. Even when I source it from the 172.21.10.0/24 subnet, it still ends up getting source NAT'd.
Here is my iRule. Appreciate any help.
when LB_SELECTED {
    # Exempt clients in 172.21.10.0/24 from source NAT; SNAT everything else.
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}
I also tried a longer one as well, but with the same result.
when LB_SELECTED {
    # Same exemption, additionally restricted to the selected pool member 172.21.30.48.
    if { [IP::addr [IP::client_addr] equals 172.21.10.0/24] and [IP::addr [LB::server addr] equals 172.21.30.48] } {
        forward
    } else {
        snatpool SNAT-NATPOOLX
    }
}
I also tried matchclass with a data group for the client address, but still the same result.
when LB_SELECTED {
    # Check whether the client IP is in the nat-exempt-srvrs data group.
    # The braces around the class name are required because it contains hyphens;
    # without them Tcl reads the variable as $::nat followed by literal "-exempt-srvrs".
    if { [matchclass [IP::client_addr] equals ${::nat-exempt-srvrs}] } {
        # Listed client: disable source NAT. This overrides SNAT on the VIP or a default SNAT.
        snat none
        forward
    } else {
        # Everyone else: source NAT from the pool. This overrides SNAT on the VIP or a default SNAT.
        snatpool SNAT-NATPOOLX
    }
}
21 Replies
- Spiderman_11815
Nimbostratus
Sorry copy paste error.
Jan 23 13:56:57 local/tmm1 info tmm1[6860]: Rule Checkin-test6 : SNAT for: 172.21.10.129%2 - Spiderman_11815
Nimbostratus
I see why it is not working for the IPs that are outside of the 172.21.10.0/24 range. It appears the LB is not NATing for all clients. Here is the tcpdump output from the real server.
tcpdump from host 10.75.134.8:
-------------------------------------
22:05:56.472602 IP 10.75.134.8.52365 > 172.21.30.48.http: S 846262350:846262350(0) win 4380
22:05:56.472649 IP 172.21.30.48.http > 10.75.134.8.52365: S 1181039792:1181039792(0) ack 846262351 win 5792
tcpdump from host 172.21.10.128 (NAT-exempt IP):
22:08:24.419911 IP 172.21.10.128.49559 > 172.21.30.48.http: . ack 181 win 4560
22:08:24.420174 IP 172.21.10.128.49559 > 172.21.30.48.http: F 199:199(0) ack 181 win 4560 - Spiderman_11815
Nimbostratus
The LB is not NATing for all IPs. The IP address comparison statement does not appear to produce the intended result. - What_Lies_Bene1
Cirrostratus
Sorry Spiderman, but I'm completely lost. It's not clear what the issue is here. - Spiderman_11815
Nimbostratus
Steve,
Sorry, I was working on the issue with F5 support. It is not working: either it NATs for all IPs or it does not NAT at all. We tried all the above iRules but did not have success. The support team was unsure why it did not work; they suspect it is possibly something to do with the use of route domains. We added a workaround as below:
when CLIENT_ACCEPTED {
    # The network is qualified with the route domain (%2), so the comparison
    # matches clients that arrive as 172.21.10.x%2.
    if { [IP::addr [IP::client_addr] equals 172.21.10.0%2/24] } {
        # Exempt subnet: leave the source address as it is.
    } else {
        snatpool SNAT-NATPOOLX
    }
} - nitass
Employee
Is this relevant?
sol12301: The 'class' iRule command does not honor route domain specifications within an IP class
http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12301.html - Spiderman_11815
Nimbostratus
Yes, thank you. It matches the solution that was derived with F5 TAC. Nitass and Steve thank you for your help. BTW, is this issue resolved in 11.x code train? - nitass
Employee
"BTW, is this issue resolved in 11.x code train?" It has not yet been fixed in 11.3.0.
Bug 337222 - iRule class command does not honor route domain specifications in class
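The comparison behaviour the thread converged on, as an added example that is not part of the thread and is not F5 code: a small Python model of route-domain-aware source-IP matching, so an exemption list can be checked for entries that lack the %rd qualifier before it goes into an iRule or data group. It assumes, consistent with the log line 172.21.10.129%2 and the working 172.21.10.0%2/24 comparison, that an address only matches a network when both the prefix and the route domain agree, and that an address or network written without %rd belongs to route domain 0; the client list and the `expected_rd` value are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption (not stated on the page): an address or network written without
# a %rd suffix belongs to route domain 0, the BIG-IP default.
DEFAULT_RD = 0


def split_rd(text: str) -> Tuple[str, int]:
    """Split BIG-IP '%rd' notation off an address or network.

    '172.21.10.129%2'   -> ('172.21.10.129', 2)
    '172.21.10.0%2/24'  -> ('172.21.10.0/24', 2)   (the %rd sits before the prefix)
    '172.21.10.0/24'    -> ('172.21.10.0/24', DEFAULT_RD)
    """
    if "%" not in text:
        return text, DEFAULT_RD
    host, rest = text.split("%", 1)
    if "/" in rest:
        rd, prefix = rest.split("/", 1)
        return f"{host}/{prefix}", int(rd)
    return host, int(rest)


def addr_matches(client: str, network: str) -> bool:
    """Route-domain-aware model of [IP::addr $client equals $network].

    Assumption (consistent with the thread): the match fails when the route
    domains differ, even if the prefix would otherwise contain the address.
    """
    addr_txt, addr_rd = split_rd(client)
    net_txt, net_rd = split_rd(network)
    if addr_rd != net_rd:
        return False
    return ipaddress.ip_address(addr_txt) in ipaddress.ip_network(net_txt, strict=False)


def snat_decision(client: str, exempt_nets: Iterable[str], snatpool: str = "SNAT-NATPOOLX") -> str:
    """Return the iRule action the workaround takes for this client."""
    for net in exempt_nets:
        if addr_matches(client, net):
            return "snat none"
    return f"snatpool {snatpool}"


def unqualified_entries(exempt_nets: Iterable[str], expected_rd: int) -> List[str]:
    """Exemption entries whose route domain differs from the one clients arrive in.

    A route-domain-unaware comparison (the thread's first iRules, and the class
    command per sol12301) never matches these, so a listed client is still SNATed.
    """
    return [net for net in exempt_nets if split_rd(net)[1] != expected_rd]


if __name__ == "__main__":
    # Constructed sample: clients in route domain 2, as the logged address
    # 172.21.10.129%2 suggests, checked against both exemption lists.
    clients = ["172.21.10.129%2", "172.21.10.128%2", "10.75.134.8%2"]
    broken_list = ["172.21.10.0/24"]    # what the first iRules compared against
    fixed_list = ["172.21.10.0%2/24"]   # the workaround agreed with F5 TAC
    for label, exempt in (("unqualified", broken_list), ("qualified", fixed_list)):
        print(f"exemption list {label}: {exempt}")
        for c in clients:
            print(f"  {c:<18} -> {snat_decision(c, exempt)}")
        missing = unqualified_entries(exempt, expected_rd=2)
        if missing:
            print(f"  entries clients in route domain 2 can never match: {missing}")
```

Running the module directly prints the decision per client for both lists; `unqualified_entries` is the check worth running over any data group that has to serve clients in a non-default route domain, because the mismatch produces no error, just a client that is SNATed although it is listed.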