Forum Discussion
Snat irule based on client destination ip failing
Hi all,
On LB (version 11.4.1) I have the below simplified config. On my backend server I do:
telnet 60.60.60.60 80
On my LG:
tail -f /var/log/ltm
Oct 16 15:02:56 lb-00 info tmm1[10802]: Rule /Common/rr_snat_irule : CLient Connected: local_addr IP address = 60.60.60.60
Oct 16 15:02:56 lb-00 info tmm1[10802]: Rule /Common/rr_snat_irule : No snat required
==== simplified config =========

```
ltm data-group internal /Common/DG2 {
    records {
        50.50.50.0/24 { data net2 }
        60.60.60.0/24 { data net1 }
    }
    type ip
}
ltm rule /Common/rr_snat_irule {
    when CLIENT_ACCEPTED {
        log local0. "CLient Connected: local_addr IP address = [IP::local_addr]"
        if {[class match [IP::client_addr] equals DG2 ]} {
            log local0. "use snat ip 1.1.1.1"
        } else {
            log local0. "No snat required"
        }
    }
}
ltm virtual /Common/snat_out_vs_80 {
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    profiles {
        /Common/tcp { }
    }
    rules {
        /Common/rr_snat_irule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/TRAFFIC
    }
    vlans-enabled
}
```
Any insight will appreciated. /Farid
2 Replies
Hi!
Try using [IP::local_addr] instead of [IP::client_addr] when matching IPs against the data group list. Client_addr would be the source IP of the TCP session you establish in your example.
Also, please try to use the preformatted code option as it makes it so much easier to read your config.
Cleaned it up for you a bit in case someone else wants to check it out too:
```
ltm data-group internal /Common/DG2 {
    records {
        50.50.50.0/24 { data net2 }
        60.60.60.0/24 { data net1 }
    }
    type ip
}
ltm rule /Common/rr_snat_irule {
    when CLIENT_ACCEPTED {
        log local0. "CLient Connected: local_addr IP address = [IP::local_addr]"
        if {[class match [IP::client_addr] equals DG2 ]} {
            log local0. "use snat ip 1.1.1.1"
        } else {
            log local0. "No snat required"
        }
    }
}
ltm virtual /Common/snat_out_vs_80 {
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    profiles {
        /Common/tcp { }
    }
    rules {
        /Common/rr_snat_irule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/TRAFFIC
    }
    vlans-enabled
}
```

If all you want to do is to route packets from VLANs behind the load balancer I suggest checking out forwarding virtual servers instead of the normal ones.
/Patrik
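To make the fix concrete, here is an added iRule (not code from the thread or from F5) that keys the SNAT decision on the destination the client connected to, using the same ip-type data group `DG2` and the placeholder SNAT address `1.1.1.1` from the original post. It assumes the rule sits on the wildcard outbound virtual server with address translation disabled, so `[IP::local_addr]` is the original destination the client dialed; on a virtual server with a real destination address it would return that address instead.

```tcl
# Added example, not from the original thread: choose SNAT by destination.
# On a wildcard VS with translate-address disabled, [IP::local_addr] is the
# original destination address; [IP::client_addr] is the client's source.
when CLIENT_ACCEPTED {
    set dst [IP::local_addr]
    set src [IP::client_addr]

    # DG2 is the ip-type data group from the post. "-value" returns the
    # record's data (net1/net2) on a match, or an empty string otherwise.
    set net [class match -value $dst equals DG2]

    if { $net ne "" } {
        # Destination is in a listed network: translate the source.
        # 1.1.1.1 is the placeholder SNAT address used in the post.
        log local0. "src $src -> dst $dst matched $net: snat 1.1.1.1"
        snat 1.1.1.1
    } else {
        # Destination not listed: leave the source address untouched.
        log local0. "src $src -> dst $dst: no snat required"
        snat none
    }
}
```

With the telnet from the post (destination 60.60.60.60) the match returns `net1` and the SNAT is applied; a destination outside both /24s logs "no snat required". Logging both addresses on every connection makes it easy to confirm in /var/log/ltm which address the comparison actually used.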
- FaridLahdiri_29
Nimbostratus
[IP::local_addr] instead of [IP::client_addr] is the correct answer