Forum Discussion
PATLOC_183933
Nimbostratus
Jan 27, 2015
irule segment network no match
The following iRule is not matching:
when CLIENT_ACCEPTED {
    set my_ip [IP::client_addr]
    # not matching
    if { [IP::addr [IP::client_addr] equals 20.33.2.2] } {
        snatpool POOL-SNAT-CLD-REN
        pool gateway-EQ...
StephanManthey
Nacreous
Feb 02, 2015
Hi PATLOC,
to catch outgoing traffic, you will need a virtual server (network 0.0.0.0/0, performanceL4, all-protocols, iRule assigned).
ltm virtual virtual_outbound_wildcard {
    destination any:any
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        rule_selective_snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        VLAN-Front-End
    }
    vlans-enabled
}
The iRule looks as follows:
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        "20.33.2.2" -
        "20.33.2.3" {
            snatpool snatpool_CLD-REN
            pool pool_gateway-EQX-RET
        }
        default {
            snatpool snatpool_CLD-SMTP-WEB
            pool pool_gateway-EQX
        }
    }
}
The iRule is referencing the individual next hop pools (each containing your specific default gateways) and SNATpools as follows:
ltm snatpool snatpool_CLD-REN {
    members {
        185.4.25.203
    }
}
ltm snatpool snatpool_CLD-SMTP-WEB {
    members {
        217.69.24.64
    }
}
To activate SNAT for all protocols (including ICMP; by default TCP/UDP only will be SNATed) you run the following command, please:
tmsh modify sys db snat.anyipprotocol value enable
Thanks, Stephan
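An added example, not part of Stephan's reply and not F5's own code: a variant of the selective-SNAT iRule that matches a whole network segment with IP::addr instead of one string per host, and logs each decision to /var/log/ltm so the selection can be verified. The 20.33.2.0/24 segment and the static::snat_debug toggle are assumptions; the pool and SNAT pool names are the ones from the reply.

```tcl
# Added example, not from the thread.
# Assumption: the clients that need snatpool_CLD-REN all sit in
# 20.33.2.0/24 (a constructed segment containing 20.33.2.2 and 20.33.2.3).
when RULE_INIT {
    # Hypothetical debug switch. Set to 0 once the behaviour is confirmed,
    # because per-connection logging is noisy on a wildcard virtual server.
    set static::snat_debug 1
}

when CLIENT_ACCEPTED {
    # IP::addr compares addresses numerically and applies the mask,
    # so a single test covers every host in the segment.
    if { [IP::addr [IP::client_addr] equals 20.33.2.0/24] } {
        set choice "snatpool_CLD-REN / pool_gateway-EQX-RET"
        snatpool snatpool_CLD-REN
        pool pool_gateway-EQX-RET
    } else {
        set choice "snatpool_CLD-SMTP-WEB / pool_gateway-EQX"
        snatpool snatpool_CLD-SMTP-WEB
        pool pool_gateway-EQX
    }

    # Record which branch was taken for this connection.
    if { $static::snat_debug } {
        log local0. "selective SNAT: [IP::client_addr] -> [IP::local_addr] using $choice"
    }
}
```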