Forum Discussion

blahblahdab1ah_
Jul 07, 2016

Selective SNAT problem

I have a node in a pool trying to reach a virtual server that references the same pool. Using the code below does work with one caveat: the node in the pool can only reach itself.

 

If the service on the node is disabled, the connection won't get made.

 

Basically I need it to load balance between the other nodes in the pool in case the service on the node gets compromised. Here is where I pulled the general code.

 

Specifically, this portion:

 

" And another option for using SNAT only if the client IP is a node in the pool:

    when CLIENT_ACCEPTED {
        # Check if the client IP address is a node in the VIP's default pool
        if {[matchclass [IP::client_addr] equals [active_nodes -list [LB::server pool]]]} {
            log local0. "SNAT'ing for [IP::client_addr], member of pool [LB::server pool]"
            snat automap
        }
    }"

 

Thanks!

 

  • This is the version that worked in this scenario:

        when LB_SELECTED {
            # SNAT only when the client and the selected pool member share a /24
            if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
                snat automap
            }
        }

    Thanks for the help!
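To make the difference between the two iRules in this thread concrete, here is a small Python model of both SNAT decision rules, added as an illustration (it is not F5 code and not the poster's iRule); the pool addresses and node states are constructed. The first rule mirrors the CLIENT_ACCEPTED check against active_nodes, the second mirrors the LB_SELECTED same-/24 comparison, and the scenario reproduces the failure case described above: a member whose service is disabled still connects to the VIP but is no longer an active node, so the first rule never SNATs and the reply from another member on the same subnet goes straight back to the client, bypassing the LTM.

```python
import ipaddress

# Constructed example: all pool members share one /24 (the hairpin case).
POOL_MEMBERS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]  # assumed addresses


def snat_if_client_is_active_node(client_ip, active_nodes):
    """Rule from the first iRule (CLIENT_ACCEPTED): SNAT only if the client
    is currently an *active* member of the default pool."""
    active = {ipaddress.ip_address(n) for n in active_nodes}
    return ipaddress.ip_address(client_ip) in active


def snat_if_same_subnet(client_ip, server_ip, prefixlen=24):
    """Rule from the accepted answer (LB_SELECTED): SNAT when the client and
    the selected server fall in the same /24, i.e.
    IP::addr "client/24" equals "server/24"."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(server_ip) in client_net


def compare_rules(client_ip, server_ip, active_nodes):
    """Return (active_node_rule, same_subnet_rule) decisions for one connection."""
    return (snat_if_client_is_active_node(client_ip, active_nodes),
            snat_if_same_subnet(client_ip, server_ip))


if __name__ == "__main__":
    # Scenario: node .10 has its service disabled, so it is no longer in
    # active_nodes, yet it still opens a connection to the VIP and the LB
    # picks .11.  Only the same-subnet rule SNATs this connection.
    active = ["10.0.1.11", "10.0.1.12"]
    cases = [("10.0.1.10", "10.0.1.11"),   # disabled member -> other member
             ("10.0.1.11", "10.0.1.12"),   # active member -> other member
             ("192.168.5.7", "10.0.1.12")]  # ordinary client off-subnet
    for client, server in cases:
        r1, r2 = compare_rules(client, server, active)
        print(f"client={client:12} server={server:12} "
              f"active_node_rule={str(r1):5} same_subnet_rule={r2}")
```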

     

  • Let's take a packet capture.

        tcpdump -ni 0.0:nnnp -s0 -vvv -w /var/tmp/snat.pcap host <node-ip>
