Forum Discussion

itchamp_105348
Oct 30, 2006

iRule uncertainty

Hi, I have a pair of F5's that load balance servers from the public and internal network.

I wish to SNAT the nodes' return traffic (hide) to the VIP that was used to access them, i.e. the internal users see a different VIP to the public users.

The way I see it, I apply iRules to the VIP, but I cannot do this as it is outbound from the nodes I wish to SNAT, not inbound to them.

The only other way I can see to do this is by having forwarding turned on, which again I do not wish to do.

Can anyone help me out here? Is what I am wanting to do possible with iRules?

Many thanks

1 Reply

  • I suspect you can do something in an iRule, but I'm not sure why you would want to in this case. What you've described (if I understand your need) already happens by default.

    When you access a VS, the return traffic (by default, no SNAT required) returns with the source address of the VS that was first requested. If you enable SNAT, then the source address is changed to the SNAT address from the server's perspective, but the return traffic still assumes the VS address originally accessed.

    When you initiate (a very important distinction) traffic from the server, the SNAT is required to allow that traffic outbound - the VS alone will not allow traffic to be initiated from servers on the internal side of BIG-IP without it, or a VS of some kind on the internal VLAN at a minimum.

    So, in your case, instead of using something like SNAT AutoMap, where the source address of outbound traffic will be the BIG-IP SelfIP address, make the translation address of the standard SNAT enabled on the internal VLAN the same address as the VS address. Then traffic inbound and outbound will assume the same destination and source address for clients on the external VLAN of BIG-IP.
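As an added illustration of the reply's suggestion (this is not configuration from the thread or from F5), below is a bigip.conf-style fragment in tmsh syntax. Every object name, address and VLAN name is assumed: 203.0.113.10 stands in for the public VS address, 10.10.10.0/24 for the server network, and `external`/`internal` for the two VLANs. The AutoMap SNAT the reply advises against is shown first, commented out, followed by the standard SNAT whose translation address is the VS address; the `#` lines are explanatory comments for the reader.

```tmsh
# Added example, not from the thread. All names and addresses are assumed.

# Public-facing virtual server that outside clients connect to.
ltm virtual /Common/vs_public_web {
    destination /Common/203.0.113.10:80
    ip-protocol tcp
    pool /Common/pool_web
    profiles {
        /Common/tcp { }
    }
    vlans {
        external
    }
    vlans-enabled
}

# The case the reply advises against: with AutoMap, traffic the servers
# initiate leaves with the BIG-IP self IP on the egress VLAN as its source,
# not the VS address the public clients know.
# ltm snat /Common/snat_servers_out {
#     automap
#     origins {
#         10.10.10.0/24 { }
#     }
#     vlans {
#         internal
#     }
#     vlans-enabled
# }

# The reply's recommendation: a standard SNAT, enabled only on the internal
# (server-side) VLAN, whose translation address is the same as the VS address,
# so server-initiated traffic appears to come from 203.0.113.10.
ltm snat-translation /Common/203.0.113.10 {
    address 203.0.113.10
    traffic-group /Common/traffic-group-1
}
ltm snat /Common/snat_servers_out {
    origins {
        10.10.10.0/24 { }
    }
    translation /Common/203.0.113.10
    vlans {
        internal
    }
    vlans-enabled
}
```

After loading, `tmsh list ltm snat` and `tmsh list ltm snat-translation` show the resulting objects, and a connection opened from a pool member to an outside host should appear at the far end with 203.0.113.10 as its source. Two points worth checking in a real deployment: keep the SNAT restricted to the internal VLAN (as above) so that nothing arriving on the external VLAN is translated, and remember that a SNAT translation address does not by itself accept new inbound connections, so the only services reachable at 203.0.113.10 from outside remain those the virtual server explicitly defines.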