Forum Discussion
Jason_Roppolo_3
May 14, 2006
iRules and SNAT
All,
I was wondering if I could get some assistance with an issue:
I have a rather large customer that is trying to replace several Alteon Switches, but we are having one issue. They have several servers that are multihomed with IPs on the same subnet as the BIG-IP, but the resource needed is on another NIC/subnet on that server. When packets arrive they are routed to the other NIC (same subnet as the BIG-IP) on the server, creating an asynchronous route. Easy enough, right? Add a host route? Well, that breaks about 10 other apps, so what I am looking for is an iRule that says: when a connection is made outbound through a forwarding virtual from one server to another, then use a particular SNAT. Any help on this would be greatly appreciated!
4 Replies
- JRahm (Admin)

Boolean logic:

    if { (condition 1) && (condition 2) } {
        statement 1
    }

or a nested if statement:

    if { (condition 1) } {
        if { (condition 2) } {
            statement 1
        }
    }

- Deb_Allen_18

Local address is a given based on the virtual to which the rule is applied.
This syntax should work:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals x.x.x.x/24] } {
            snat y.y.y.y
        }
    }

This version allows a comparison to a subnet for flexibility. (The appropriate syntax corrections have also been made on the "snat" & "snatpool" wiki pages.)
But actually, you shouldn't really need a rule-- you can enable a selective SNATpool on the forwarding virtual to SNAT only the backend server address range:
Create a SNATpool:
"Translation": SNAT pool
"Origin": Address list. Add host or network address list that covers all the backend hosts that may make requests that need SNATing.
"VLAN Traffic": Enable only on the VLAN(s) hosting the origin addresses. (optional -- gives better control of SNAT)
Apply the SNAT pool created above to your wildcard VS, and it will only SNAT the listed origin addresses, letting all other traffic pass through unSNAT'd.
HTH
/deb

- Jason_Roppolo_3

Deb,
Understanding that the local address is a given based on the virtual to which the rule is applied, I only need to SNAT in case a connection is made outbound from one particular host to another specific host. Let's say that 10.0.0.50 connects outbound to 172.16.30.113; I would need to SNAT the 10.0.0.50 address to 192.168.1.50. Unless that criterion is met, I do not need to SNAT at all.
Please let me know if that clarifies.
Thanks, Jason.

- Deb_Allen_18

Interesting twist -- I've never had to SNAT on specific destination IPs through a forwarding virtual server (no defined local address, and the destination addresses are not local objects either.)
To match only specific source IPs, you can create the SNATpool with the same origin filter as above.
To limit the SNAT to only specific destination IPs, I'm thinking the rule would be something like:
(I'm not 100% certain which IP command would pick up the destination address passing through a forwarding virtual. I'm guessing that it must be "local_addr", but I don't have a way to test a forwarding virtual, so I added a log line to help figure that out.)

    when CLIENT_ACCEPTED {
        log local0. "Local address is [IP::local_addr]"
        if { [IP::addr [IP::local_addr] equals x.x.x.0/24] } {
            snatpool mySNATpool
        }
    }
You can use a class of type network to list the destination addresses which are SNAT candidates:

    class BounceBackSNAT {
        "x.x.x.a"
        "z.z.x.0 netmask 255.255.255.0"
    }

    when CLIENT_ACCEPTED {
        # matchclass tests the address against every host/network entry in the class
        if { [matchclass [IP::local_addr] equals $::BounceBackSNAT] } {
            snatpool mySNATpool
        }
    }
Does that sound more like what you were going for?
/deb
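Putting the two replies together, the rule below is an added example that is not from the thread itself: it combines JRahm's boolean logic with Deb's snatpool command to express exactly the condition Jason asked for (source 10.0.0.50 talking to 172.16.30.113 gets translated, nothing else does). It assumes the rule is attached to the wildcard forwarding virtual server and that a SNAT pool named "bounceback_snat" (a hypothetical name) containing the translation address 192.168.1.50 already exists.

```tcl
# Added example (not posted in the thread): the combined source-and-destination
# check that Jason describes, built from JRahm's boolean logic and Deb's snatpool
# command. Assumptions: the rule is attached to the wildcard forwarding virtual
# server, and a SNAT pool named "bounceback_snat" (hypothetical name) containing
# the translation address 192.168.1.50 already exists.
when CLIENT_ACCEPTED {
    # On a forwarding (wildcard) virtual, IP::client_addr is the originating
    # server and IP::local_addr is the real destination the packet was sent to.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    if { [IP::addr $src equals 10.0.0.50] && [IP::addr $dst equals 172.16.30.113] } {
        # Only this one server-to-server path is translated, so the reply to
        # 192.168.1.50 is forced back through the BIG-IP instead of leaving the
        # target server's 10.0.0.x NIC directly and bypassing the device.
        snatpool bounceback_snat
        log local0. "SNAT $src -> $dst via bounceback_snat"
    } else {
        # Everything else passes through the forwarding virtual untranslated.
        # Only matters if the virtual has SNAT automap enabled; harmless otherwise.
        snat none
    }
}
```

If the list of server pairs grows, swap the two hard-coded literals for the network class and matchclass lookup Deb shows above (one class for sources, one for destinations), and keep the log line until you have confirmed on the box that IP::local_addr really does return the original destination for flows through the forwarding virtual.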