Forum Discussion

Ron_Kim_110696
Mar 23, 2007

Selective SNAT based on server network

I'm trying to do a selective SNAT based on where the servers are located.

The BIGIP has multiple network connections.

This iRule does not work.

Any suggestions?

I have three SNAT Pools. End-users as well as servers will access these virtual servers.

=================================

when LB_SELECTED {
  # Choose the SNAT pool that sits on the same subnet as the selected server
  if { [IP::addr [IP::server_addr] equals 192.168.68.0/23] } {
    snatpool dmz192.168.68_SNAT
  } elseif { [IP::addr [IP::server_addr] equals 192.168.70.0/23] } {
    snatpool dmz192.168.70_SNAT
  } else {
    # No directly connected self IP on the server's network: use the default
    snatpool Corpnet-SNAT
  }
}

==================================
  • This is a selective SNAT based on the server that is selected.

    There are servers on multiple subnets and BIGIP is also connected to these networks.

    Since the BIGIP is NOT the default GW for these networks, all traffic that is sent to the server from the BIGIP needs to be SNAT'd in order for load balancing to work.

    We need the SNAT address to be on the same subnet as the server. Then use a default SNAT if the BIGIP does not have a directly connected self IP address on the same network.

    Thanks.
  • Here's an example of matching single hosts. This has not been tested, but passes the syntax checker on version 9.1.2.

    # v9 class (data group): each entry is "<server address> <snatpool name>"
    class snat_map {
      "192.168.168.10 dmz192.168.68_SNAT"
      "192.168.170.10 dmz192.168.70_SNAT"
    }
    when LB_SELECTED {
      # findclass returns the remainder of the matching entry after the
      # separator (the snatpool name), or an empty string if no entry matches
      set local_subnet_snat [findclass [LB::server addr] $::snat_map " "]
      if { $local_subnet_snat ne "" } {
        snatpool $local_subnet_snat
      }
    }
  • I'm running version 9.4.0.

    I tried this rule and can't get it to work. When I run a tcpdump, no snatting is taking place.

    Any other suggestions on how to troubleshoot this? I'm not seeing anything in the /var/log/ltm file. Thank you.
  • You're right. That wasn't working! I'm wondering if the connection is already begun in the LB_SELECTED event. Doing an LB::detach seems to have fixed things:

    when LB_SELECTED {
      # Remember the selected member, drop the server-side connection, then
      # re-select the same member so no new load-balancing decision is made
      set dst_server [LB::server addr]
      LB::detach
      pool [LB::server pool] member $dst_server
      # Look the member up in the class; empty string means no entry
      set local_subnet_snat [findclass $dst_server $::snat_map " "]
      log local0. "Local Server $dst_server, Snatpool $local_subnet_snat"
      if { $local_subnet_snat ne "" } {
        snatpool $local_subnet_snat
      }
    }
  • Thanks, it is working, but I did have issues. I was seeing the following messages in the /var/log/ltm file.

    Rule SelectiveSNATServers_V2 : Local Server 127.0.0.1, Snatpool

    The reason was that I have the Web Accelerator Module (WAM) module enabled on that virtual server. I removed WAM from the VS and it is now working.

    Questions:

    * Why did you need to do a LB::detach?

    * Why is this line of code needed? [ pool [LB::server pool] member $dst_server ]

    * Is there a way to use this iRule and WAM at the same time?

    Thank you. Really appreciate the responses you have provided.
  • The developers could probably be more precise in responding, but the behavior without the LB::detach indicated to me that the server side connection had already begun at the LB_SELECTED event. If that's the case, then I can no longer change my source IP, which is why I issued the LB::detach. This could be faulty logic, though.

    Since I was detaching the connection, I wanted to make sure I re-attached to the same server, which is why I used the pool [LB::server pool] member $dst_server line. Without this line, detaching would kick off another load balancing decision, which may or may not impact your snat selection. As I've become more comfortable with iRules, I've tried to make the rules as generic as possible so I can reuse them on different virtuals or systems with as little rework as possible.

    I have no idea on your third question. I haven't convinced my employer that I need the web accelerator yet, so I have no experience with that piece.
  • BTW, the reason it wasn't working with WAM on the surface is because the value returned by [LB::server addr] is a loopback, which probably isn't defined in your class. I'm not sure how this would be handled.
  • Thank you very much citizen_elah.

    I think F5 will have to examine how BIGIP modules will impact iRules.
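Putting the thread's pieces together, here is an added example (not code from any poster in this thread and not F5's own): a v9-style iRule that does the subnet-based selection from the original question, uses the LB::detach / re-select workaround from citizen_elah's reply, and treats the loopback address seen with WAM as a fall-through to the default SNAT pool instead of a DMZ pool. The SNAT pool names are the ones used in the thread; the subnets, the loopback handling and the use of LB::server port when re-selecting the member are assumptions, and the rule has not been run on a BIG-IP.

```tcl
# Added example, not from the thread. Selective SNAT keyed on the subnet of
# the selected pool member. Assumptions: the DMZ subnets 192.168.68.0/23 and
# 192.168.70.0/23, the loopback guard, and re-selecting by address and port.
when LB_SELECTED {
    # Capture the chosen member before detaching. The thread's finding was
    # that by LB_SELECTED the server-side connection is already in progress,
    # so a snatpool change without LB::detach did not take effect.
    set dst_server [LB::server addr]
    set dst_port   [LB::server port]
    set dst_pool   [LB::server pool]

    # Edge case from the thread: with WAM on the virtual, LB::server addr
    # reported 127.0.0.1, which matched nothing and left an empty snatpool.
    # Assumed handling: do not detach, just use the default SNAT pool.
    if { [IP::addr $dst_server equals 127.0.0.0/8] } {
        log local0. "Loopback member $dst_server seen; using Corpnet-SNAT"
        snatpool Corpnet-SNAT
        return
    }

    # Drop the server-side connection and re-select the same member so the
    # detach does not trigger a fresh load-balancing decision.
    LB::detach
    pool $dst_pool member $dst_server $dst_port

    # Pick the SNAT pool on the member's own subnet; anything else falls
    # back to the corporate default (BIGIP has no self IP on that network).
    if { [IP::addr $dst_server equals 192.168.68.0/23] } {
        set selected_snat dmz192.168.68_SNAT
    } elseif { [IP::addr $dst_server equals 192.168.70.0/23] } {
        set selected_snat dmz192.168.70_SNAT
    } else {
        set selected_snat Corpnet-SNAT
    }

    log local0. "Server $dst_server:$dst_port -> snatpool $selected_snat"
    snatpool $selected_snat
}
```

To check it, watch /var/log/ltm for the log line while hitting the virtual from a client on a different subnet, and confirm with tcpdump on the server-facing VLAN that the source address is a member of the logged SNAT pool. If a module in front of the pool still reports 127.0.0.1, the first branch fires and the log line makes that visible rather than silently skipping the SNAT.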