Looking for an iRule that will take the same IP from SNAT Pool as that of the source IP.
I am confused with your goals. There is no need for K18487629 unless you have to route NA traffic to a different gateway than the one followed by default without K18487629. You didn't mention what exactly your design objective is. If you only need to retain the client lease source IP, then there is no need for K18487629 nor for the iRule; you only disable SNAT and configure the routing on your network to route traffic destined to the lease pool subnet through F5.
- ZANOOB (Cirrus), Sep 07, 2023
That is correct, that is what I thought too.
It did not work (disabled SNAT and added static route), the simple way of adding a route and sending traffic to a specific IP/gateway when SNAT is disabled. It did not work with client VPN traffic. With normal traffic it worked, but with client VPN traffic it was not forwarding the traffic using the routing table.
Hence, I opened a ticket with support and they confirmed that if I needed to send the CL VPN to a specific gateway I had to follow the KB article. Once I configured using the KB, it was sending the traffic to the gateway (however, I had to enable SNAT there).
My goal is simple: CL VPN clients' packets to be forwarded to a gateway and to retain the source IP.
Methods tried:
1. SNAT disabled, used static route to forward traffic (does not work for VPN client traffic).
2. Followed KB as per support, however it only works with SNAT enabled (with SNAT disabled it does not work; I have raised a ticket with support for the same and they are in touch with the engineering team to add a feature).
Workaround:
1. Add the SNAT pool IP (to the virtual server) in the same subnet as the lease IP (however, the SNAT pool IP will not be the same as the Client VPN IP).
2. Add an iRule in place to match the current CL VPN client IP to a SNAT IP (I am using this at the moment and it works. Confirmed with logs). The iRule in place is

    when CLIENT_ACCEPTED {
        # One rule per lease address: SNAT each client to its own IP
        if { [IP::addr [IP::client_addr] equals 172.16.50.1/32] } { snat 172.16.50.1 }
        if { [IP::addr [IP::client_addr] equals 172.16.50.2/32] } { snat 172.16.50.2 }
        if { [IP::addr [IP::client_addr] equals 172.16.50.3/32] } { snat 172.16.50.3 }
        if { [IP::addr [IP::client_addr] equals 172.16.50.4/32] } { snat 172.16.50.4 }
        if { [IP::addr [IP::client_addr] equals 172.16.50.5/32] } { snat 172.16.50.5 }
        if { [IP::addr [IP::client_addr] equals 172.16.50.6/32] } { snat 172.16.50.6 }
    }

But the above iRule I have to create for every IP I have got to match to a SNAT IP.
Is there a logical iRule to match the third and fourth octet of the client IP to the SNAT IP?
Regards,
Zanoob
- Amine_Kadimi (MVP), Sep 07, 2023
Have you tried something like:

    set client_addr [IP::client_addr]
    snat $client_addr

- ZANOOB (Cirrus), Sep 12, 2023
I am using at the moment

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 172.16.50.1/32] } { snat 172.16.50.1 }
    }

But I had to manually add for 50.1/32 till 52.254/32.
The one you mentioned only works for a subnet. The requirement is to map the third and last octet of the SNAT IP to be the same as the client IP.
At the moment all works; the only problem is that I had to manually add all those entries.
I was looking for a logical iRule where the SNAT IP can be matched to the client IP.
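
An added example, not part of the thread and not F5's or any poster's code: one way to collapse the per-address rules above into a range check that SNATs each VPN client to its own address. It assumes the lease range is 172.16.50.1 through 172.16.52.254 as described in the thread, written here as 172.16.50.0/23 plus 172.16.52.0/24 (which also admits the .0 and .255 addresses), and that anything outside that range should fall through to the SNAT setting configured on the virtual server.

```tcl
when CLIENT_ACCEPTED {
    # Read the client (VPN lease) address once
    set client_ip [IP::client_addr]

    # Assumed lease range from the thread: 172.16.50.1 - 172.16.52.254.
    # 172.16.50.0/23 covers 172.16.50.x and 172.16.51.x; 172.16.52.0/24 covers the rest.
    if { [IP::addr $client_ip equals 172.16.50.0/23] ||
         [IP::addr $client_ip equals 172.16.52.0/24] } {
        # Translate to the same address the client already has,
        # so the gateway sees the original lease IP as the source
        snat $client_ip
    } else {
        # Outside the lease range: do not mirror an arbitrary source address.
        # No snat command is issued, so the virtual server's own SNAT setting applies.
        log local0. "No identity SNAT for $client_ip: outside VPN lease range"
    }
}
```

Keeping the range check in place, rather than calling `snat [IP::client_addr]` unconditionally, limits identity SNAT to addresses the VPN actually hands out.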