Forum Discussion

Mohanad's avatar
Mohanad
Icon for Cirrostratus rankCirrostratus
Jul 30, 2019

iRule for Conditional SNAT

i need to configre iRule for Conditional SNAT while (10.10.10.1 & 10.10.10.2) connecting to the VS SNAT will be 10.214.214.148 and the rest of clients the SNAT will be 10.214.214.147

current setup:

snat pool "DPG-147" = 10.214.214.147 & i have another snat pool "DPG-148" = 10.214.214.148

ltm virtual DPG-Staging-5006 
  description Cube
  destination 192.168.30.147:pxc-spvr
  ip-protocol tcp
  mask 255.255.255.255
source 0.0.0.0/0
  source-address-translation 
    pool DPG-147
    type snat

Thanks

Mohanad

  • Hi,

    Do you really need the SNAT pool, or you just need to definean IP address to SNAT on iRule?

    e.g.

    # Classic syntax
    when CLIENT_ACCEPTED {
        if { [IP::client_addr] eq "10.10.10.1" || [IP::client_addr] eq "10.10.10.2" } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }
     
    # Short way
    when CLIENT_ACCEPTED {
        if { "10.10.10.1, 10.10.10.2" contains [IP::client_addr] } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }
     
    # Expansive way, increase list when needed
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            10.10.10.1 -
            10.10.10.2 {
                snat 10.214.214.148
            }
            default {
                snat 10.214.214.147
            }
        }
    }

    You must change line from "snat <IP ADDR>" to "snatpool <POOLNAME>" if you need to use a SNAT pool.

    I hope it helps.

4 Replies

  • Hi,

    Do you really need the SNAT pool, or you just need to definean IP address to SNAT on iRule?

    e.g.

    # Classic syntax
    when CLIENT_ACCEPTED {
        if { [IP::client_addr] eq "10.10.10.1" || [IP::client_addr] eq "10.10.10.2" } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }
     
    # Short way
    when CLIENT_ACCEPTED {
        if { "10.10.10.1, 10.10.10.2" contains [IP::client_addr] } {
            snat 10.214.214.148
        } else {
            snat 10.214.214.147
        }
    }
     
    # Expansive way, increase list when needed
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            10.10.10.1 -
            10.10.10.2 {
                snat 10.214.214.148
            }
            default {
                snat 10.214.214.147
            }
        }
    }

    You must change line from "snat <IP ADDR>" to "snatpool <POOLNAME>" if you need to use a SNAT pool.

    I hope it helps.

  • Hello.

    I would use also one the cjunior irules, but take into account that it's possible to configure this directly without iRule using 2 virtuals with different source ip. For example.

    ltm virtual DPG-Staging-5006
    	description Cube
    	destination 192.168.30.147:pxc-spvr
    	ip-protocol tcp
    	mask 255.255.255.255
    	source 0.0.0.0/0
    	source-address-translation
    	pool DPG-147
    	type snat
     
    ltm virtual DPG-Staging-5006_2
    	description Cube
    	destination 192.168.30.147:pxc-spvr
    	ip-protocol tcp
    	mask 255.255.255.255
    	source 10.10.10.0/30
    	source-address-translation
    	pool DPG-148
    	type snat

    REF - https://support.f5.com/csp/article/K14800

    Also using policies.

    REF - https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html

    KR,

    Dario.