Forum Discussion

Dan_Williams_25
Sep 19, 2005

Selective SNAT iRule

Apologies if this has already been posted.

I recently upgraded to a pair of 6400s that are running v.9.0.5. During the days of 4.5.x, I was able to utilize a "Selective SNAT" rule of sorts that allowed me to manipulate when a private network, 10.x, would SNAT and not-SNAT.

Here is the original 4.5.x rule:

if (client_addr == 10.0.35.0 netmask 255.255.255.0 and (server_addr == 192.168.1.0 netmask 255.255.255.0 or server_addr == 172.16.1.0 netmask 255.255.0.0 or server_addr == 10.0.1.0 netmask 255.255.255.0)) {
    use pool Forwarding_Pool_NoSNAT
}
else {
    use pool Forwarding_Pool
}

I've done some digging and set up some preliminary iRules that would seem to work, but don't. I'd appreciate it if an engineer could help me out.

Regards,

Dan

6 Replies

  • Colin_Walker_12
    Historic F5 Account
    This is certainly something that's possible in v9.x. Here's a good post that shows a rule doing what you're talking about.

    Basically, your syntax would use this form:

    when CLIENT_ACCEPTED {
      if {([IP::addr "[IP::local_addr]/24" equals "10.0.35.0/24"]) and ([IP::addr "[IP::remote_addr]/24" equals "192.168.1.0/24"])} {
        use snatpool
      } else {
        use normal_pool
      }
    }
    Hope this helps. 
    -Colin
  • unRuleY_95363
    Historic F5 Account
    That's probably not quite what you want. Maybe something like this:
    when CLIENT_ACCEPTED {
       if { not ([IP::addr [IP::remote_addr] equals "10.0.35.0/24"] and ([IP::addr [IP::local_addr] equals "192.168.1.0/24"] or [IP::addr [IP::local_addr] equals "172.16.1.0/24"] or [IP::addr [IP::local_addr] equals "10.0.1.0/24"])) } {
          snatpool mysnats
       }
       pool forwarding_pool
    }

    Note: as of 9.0.5, you no longer need to specify the mask on both arguments (it will correctly use the shortest mask).
  • I appreciate the responses.

    I'd like to clarify the architecture a bit.

    The 10.0.35/24 network is a "node" network that lives behind the BigIP. I originally had an "automap" SNAT created with the associated 10.0.35/24 network within the origin-list and only allowed on that particular VLAN. I have a "forwarding_virtual" enabled to allow routing through the BigIP for node monitoring.

    With the "automap" applied and the first rule applied to the "forwarding_virtual", connectivity begins failing, so I'd revert.

    The second rule has a "not" statement and seems backwards, so I'm not sure if I want to throw that in.

    I currently have this:

    when CLIENT_ACCEPTED {
      if {([IP::addr [IP::local_addr] equals "10.0.35.0/24"]) and ([IP::addr "[IP::remote_addr]" equals "216.49.80.0/20"])} {
        use snat none
      } else {
        use snat
      }
    }

    This seemed to break things as well.

    I'm missing something. I was originally using "client_addr" and "server_addr", but it has since changed to "local_addr" and "remote_addr". Is this correct?

    During the 4.5.x days, there was the idea of a forwarding_pool which seems to have gone away--or has it?

    Appreciate the help.

    -dan
  • I see what your rule is saying now. I'm going to give that a try.

    I should have elaborated a bit on the "breaking". Basically, there is a database that resides outside of the load-balanced environment. The nodes need access to the DB, but the connectivity is not load-balanced--hence one of the reasons for the forwarding virtual.

    Really, I just want the nodes within a specific network space to be able to go outside of the load-balancer while retaining their origin-IP when hitting specific networks, but for everything else outside of these specific networks--like the Internet, I want them to be SNAT'd.

    I tried support first, but they basically sent me an email that suggested they cannot help me with iRules and I must submit here.

    I can send the complete config if need be. Let me know if that's a possibility.

    Thanks for your help.

    -dan
  • Forgot the "breaking" part. Basically, connectivity between the nodes and the database begins to fail. In fact, it begins to fail for other nodes that are on other VLANs as well.
  • It's been a while, but I was finally able to catch up and try a few things out.

    UnRuleY: The sample iRule you provided did work and solved the general problem, though for some reason, I had a problem adding additional source networks, so I ended up with the following:

    snatpool snatpool.192.168.2.1 {
      member 192.168.2.1
    }

    virtual forwarding_virtual {
      destination any:any
      ip forward
      profile custom.fastL4.noreset
      rule snat.rule
    }

    rule snat.rule {
      when CLIENT_ACCEPTED {
        if {([IP::addr [IP::remote_addr] equals "10.32.0.0/24"] and ([IP::addr "[IP::local_addr]" equals "192.168.1.0/24"] or [IP::addr "[IP::local_addr]" equals "172.31.1.0/24"] or [IP::addr "[IP::local_addr]" equals "10.0.1.0/24"]))} {
          snat none
        } elseif {([IP::addr [IP::remote_addr] equals "10.64.0.0/24"] and ([IP::addr "[IP::local_addr]" equals "192.168.1.0/24"] or [IP::addr "[IP::local_addr]" equals "172.31.1.0/24"] or [IP::addr "[IP::local_addr]" equals "10.0.1.0/24"]))} {
          snat none
        } else {
          snatpool snatpool.192.168.2.1
        }
      }
    }

    In this instance, the source node networks are the 10.32.0/24 and 10.64.0/24 and the remote networks that we do not want to SNAT to are the 192.168.1/24, 172.31.1/24, and 10.0.1/24 networks--everything else is SNAT'd. The rule is applied to the forwarding_virtual--which is required for IP forwarding. The snatpool seems to be a much cleaner way of adding SNAT without applying a physical SNAT to a particular interface.

    Thanks for the help.

    -d
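The two working rules in this thread, unRuleY's negated form and Dan's final explicit if/elseif form, make the same SNAT decision for every flow. The following Python is an added example, not code from the thread or from F5, that models that decision offline so the flows that keep their real source address (and therefore remain identifiable to the database's access controls and logs) can be tabulated before an iRule is applied to the forwarding virtual. It assumes, as the thread's rules do, that on the forwarding virtual IP::remote_addr is the node's source address and IP::local_addr is the destination the node connected to; the ipaddr_equals helper is an assumed model of the shortest-mask comparison unRuleY describes for 9.0.5, not F5's implementation; the sample flows and the 198.51.100.0/24 "Internet" destination are constructed.

```python
from ipaddress import ip_network

# Address ranges taken from Dan's final configuration in the thread.
NODE_NETS = ["10.32.0.0/24", "10.64.0.0/24"]                        # source ("node") networks
NO_SNAT_DESTS = ["192.168.1.0/24", "172.31.1.0/24", "10.0.1.0/24"]  # destinations reached without SNAT
SNATPOOL = "snatpool.192.168.2.1"  # snatpool name from the thread; "none" stands for `snat none`


def ipaddr_equals(lhs, rhs):
    """Assumed model of `IP::addr <a> equals <b>` as unRuleY describes it: a bare address
    is treated as a /32 and both sides are compared under the shorter of the two masks."""
    a = ip_network(lhs, strict=False)
    b = ip_network(rhs, strict=False)
    prefix = min(a.prefixlen, b.prefixlen)
    return (ip_network(f"{a.network_address}/{prefix}", strict=False)
            == ip_network(f"{b.network_address}/{prefix}", strict=False))


def in_any(addr, nets):
    """True if addr matches any network in nets (an `or` chain of IP::addr tests)."""
    return any(ipaddr_equals(addr, net) for net in nets)


def decide_explicit(remote_addr, local_addr):
    """Dan's final rule: one if/elseif branch per node network selecting `snat none`,
    and the snatpool for everything else. remote_addr is the node's source address and
    local_addr the destination it connected to (assumption stated in the lead-in)."""
    for node_net in NODE_NETS:
        if ipaddr_equals(remote_addr, node_net) and in_any(local_addr, NO_SNAT_DESTS):
            return "none"
    return SNATPOOL


def decide_negated(remote_addr, local_addr):
    """unRuleY's form: apply the snatpool unless the flow is node -> exempt destination."""
    if not (in_any(remote_addr, NODE_NETS) and in_any(local_addr, NO_SNAT_DESTS)):
        return SNATPOOL
    return "none"


# Constructed sample flows (source, destination); 198.51.100.0/24 is documentation
# address space standing in for "the Internet".
SAMPLE_FLOWS = [
    ("10.32.0.5", "192.168.1.10"),   # node -> database network: source address kept
    ("10.64.0.9", "10.0.1.20"),      # node -> exempt network: source address kept
    ("10.32.0.5", "198.51.100.7"),   # node -> Internet: rewritten to the snatpool address
    ("10.0.5.5", "192.168.1.10"),    # other VLAN -> database: not a node network, so SNAT
    ("192.168.1.10", "10.32.0.5"),   # database-initiated connection to a node: not a node source, so SNAT
]


def decision_table(flows=SAMPLE_FLOWS):
    """Map each (source, destination) pair to the SNAT choice the explicit rule makes."""
    return {flow: decide_explicit(*flow) for flow in flows}


def rules_agree(flows=SAMPLE_FLOWS):
    """Check that the negated and the explicit rule choose the same thing for every flow."""
    return all(decide_explicit(s, d) == decide_negated(s, d) for s, d in flows)


if __name__ == "__main__":
    for (src, dst), choice in decision_table().items():
        print(f"{src:>14} -> {dst:<14} snat {choice}")
    print("rules agree:", rules_agree())
```

The rows that come back as "none" are exactly the flows whose peer still sees the node's own address; every other flow leaves with the snatpool member as its source. Because the rule's two arguments are positional, swapping which address is tested against the node network silently changes that table, so reviewing it against the intended flows is a cheap check before the rule goes onto a forwarding virtual that carries traffic for other VLANs as well.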