
Forum Discussion

reen_sc_140631 (Nimbostratus)
Mar 05, 2014

SMTP, SNAT via irule

Hello Community,

I need your help with the following issue. The issue concerns SMTP and SNAT (the F5 should be the default GW in the mail server network, because we want to see the native client IP addresses on the mail servers).

mail server network: 172.10.10.0/24
local networks: 10.0.0.0/8 and 192.168.0.0/24

    172.10.10.0/24
          ||
         |F5| ==> pub Internet
          ||
    10.0.0.0/8 and 192.168.0.0/24

when CLIENT_ACCEPTED {
    # IP::local_addr is the destination of the flow; SNAT only when it is
    # outside the internal networks held in the data group.
    if { !([class match [IP::local_addr] equals /partition_xy/dg_local_networks]) } {
        snat 93.90.100.20
    }
}

Can someone tell me the correct SNAT function for my short iRule? Side information: the iRule should replace the original IP address (172.10.10.x) if the destination IP address is not one of my internal networks.

For normal access between 172.10.10.0/24 and the internal networks I'll add wildcard vServers of type Forwarding (IP) for both sides. To reach the mail servers in 172.10.10.0/24 there is a listener, e.g. 10.1.1.1:25, on the internal side of the F5.

Is it possible to realize that?

Thanks in advance!

3 Replies

  • As for me, your configuration is excessive. Maybe it would be better (only if you need to separate internal and external SMTP traffic): 1. Create an SMTP VS directed to the public Internet. For this VS, create a SNAT without using an iRule. 2. Create an SMTP VS directed to the internal LAN. All SMTP VSs can use the same nodes.


  • Hello, thanks for your answer, but it does not seem suitable for my issue (or I don't understand your answer).

    I'll give you more information about it.

    The mail relay server for the internal mail clients is 10.1.1.1 (smtp.office.local). The F5 performs load balancing to 172.10.10.10 or 172.10.10.20 (pool members).

    The next step is that one of those mail servers creates a "new" outgoing SMTP connection to any public mail server. The mail servers' default GW is 172.10.10.1 (F5 floating IP). In this case the F5 has to perform a source NAT to deliver the mails.

    That means the following for outgoing traffic of 172.10.10.0/24:

    1. to deliver an e-mail or other non-local traffic => source NAT
    2. receive any other traffic to the internal networks => no source NAT

    Additionally... In my case the F5 replaces a firewall or router between the external network and the internal networks, so I need to perform normal IP forwarding between those networks. I've read that the F5 can't forward IP packets by default (full proxy) and the recommended option is point 3.

    3. wildcard vServers of type Forwarding (IP) for both sides ???

    How can I realize that??? Other suggestions are welcome.

    Thanks a lot
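The following is an added example, not posted by anyone in this thread, showing one way to build the setup the poster describes as tmsh commands: the inbound relay listener on the internal side, a wildcard Forwarding (IP) virtual server on each side, and an iRule on the mail-server side that SNATs only traffic bound for non-internal destinations. The addresses are the ones given in the thread; the VLAN names (vlan_mail, vlan_internal), the object names and the tcp monitor are assumptions.

```tmsh
# Added example (not from the thread). vlan_mail, vlan_internal and all
# object names are assumed; addresses are the poster's.

# Internal networks, as the poster's dg_local_networks data group.
create ltm data-group internal dg_local_networks type ip records add { 10.0.0.0/8 { } 192.168.0.0/24 { } }

# Public address used as the source of outbound mail.
create ltm snatpool snatpool_mail_out members add { 93.90.100.20 }

# Inbound relay listener 10.1.1.1:25 on the internal side, load balanced
# to the two mail servers.
create ltm pool pool_smtp monitor tcp members add { 172.10.10.10:25 172.10.10.20:25 }
create ltm virtual vs_smtp_internal destination 10.1.1.1:25 ip-protocol tcp profiles add { tcp } pool pool_smtp vlans-enabled vlans add { vlan_internal }

# iRule for traffic leaving the mail server network: keep the real source
# for internal destinations, SNAT to the public address for everything else.
create ltm rule rule_mail_snat {
when CLIENT_ACCEPTED {
    if { [class match [IP::local_addr] equals dg_local_networks] } {
        snat none
    } else {
        snat snatpool_mail_out
    }
}
}

# Wildcard Forwarding (IP) virtual server on the mail server VLAN. The
# source restriction keeps it from forwarding anything but the mail
# servers' own traffic.
create ltm virtual vs_fwd_from_mail destination 0.0.0.0:0 mask any source 172.10.10.0/24 ip-forward ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled vlans-enabled vlans add { vlan_mail } rules { rule_mail_snat }

# Wildcard Forwarding (IP) virtual server on the internal VLAN for traffic
# to the mail server network; no SNAT, so the mail servers see the real
# client addresses.
create ltm virtual vs_fwd_to_mail destination 172.10.10.0:0 mask 255.255.255.0 ip-forward ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled vlans-enabled vlans add { vlan_internal }
```

Two points worth checking in a setup like this. The SNAT decision has to key on the destination, which in CLIENT_ACCEPTED is IP::local_addr; IP::remote_addr there is the mail server's own 172.10.10.x address, which is never inside the internal data group, so a rule built on it would SNAT every flow, including mail delivered to internal clients. And because the poster is using the BIG-IP in place of a firewall, the two forwarding virtual servers above pass every protocol and port between the networks; tighten them (ip-protocol, destination ports, source) to what the mail flows actually need before relying on them as the boundary.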