Forum Discussion

clowe_16759's avatar
clowe_16759
Icon for Nimbostratus rankNimbostratus
Nov 07, 2007

iRule to SNAT Server

I am very inexperienced in writing iRules.

 

Background: there are virtual severs that serve our web servers and virtual servers that serve our database server. The Web and DB servers are on different VLANs and the layer-3 switch will be in between the servers and the LTM.

 

The web servers connect to the Database servers via the virtual servers on the inside interface of the LTM. I know that a SNAT is needed to prevent bounce back issues. The problem is that I would like to be able to provide statistics and troubleshoot issues and know which web server/s are talking to the Data base server/s and a many to one SNAT would prevent this.

 

 

Idea solution: create an iRule such that any connections from the web VLAN gets SNAT'ed to a particular IP Address for each host from the web VLAN defined in a pool, when connecting to a DB virtual server. Essentially automatically making a one to one SNAT without having to define on every time a new web host is brought on line.

 

 

If this is confusing sorry, I am a little confused myself.
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 09, 2007
    If you have a spare IP address per client you will be SNAT'ing, you could create a datagroup (type: string) with the client IP and SNAT IP. When a client request is received, you could search the class using findclass and look up the corresponding IP you want to SNAT with. You can then use the snat command to apply it.

    citizen_elah added a good example using a similar scenario a while back (Click here).

    You could adapt that like this using a class with the client IP first, followed by the IP you want to translate it to:

    
class snat_map {
  "1.1.1.1 1.1.2.1"
  "1.1.1.2 1.1.2.2"
  "1.1.1.3 1.1.2.3"
  "........ ......"
}

    And then a rule which performs the SNATing:

    
when CLIENT_ACCEPTED {
   set snat_ip [findclass [IP::client_addr] $::snat_map " "]
   if { $snat_ip ne "" } {
      snat $snat_ip
   } else {
       client IP wasn't found in the class, so use a default SNAT address
      snat 2.2.2.2
   }
}

    Aaron
  • clowe_16759's avatar
    clowe_16759
    Icon for Nimbostratus rankNimbostratus
    Nov 13, 2007
    Quick question it appears to me that the configuration above is for a static mapping between a source address and a SNAT address. Is this done dynamically, or does the class map need to defined on a one to one basis. Just trying to avoid having to many working parts to the SNAT set up.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 14, 2007
    I'm not sure I understand your question completely.

     

     

    For the example I gave, you would need to designate one IP address per client that you want to perform source address translation to. You would create the datagroup to map the client IP to its designated translation IP. Once you add the rule to the DB VIP, the translation would be done for those specific client IP addresses to their corresponding SNAT addresses.

     

     

    Does this answer your question? If not, can you clarify?

     

     

    Thanks,

     

    Aaron