Forum Discussion
SNAT iRule based on client IP address
I'd use data group lists for easier administration.
You need to create the data group lists (type address) SNATPOOLXCLIENTS, SNATPOOLYCLIENTS and SNATPOOLZCLIENTS first, and populate them with the IPs/networks of the clients.
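when CLIENT_ACCEPTED {
    # Pick the SNAT pool from the first data group that contains the client address
    if { [class match [IP::client_addr] equals SNATPOOLXCLIENTS] } {
        snatpool SNATPOOLX
    } elseif { [class match [IP::client_addr] equals SNATPOOLYCLIENTS] } {
        snatpool SNATPOOLY
    } elseif { [class match [IP::client_addr] equals SNATPOOLZCLIENTS] } {
        snatpool SNATPOOLZ
    }
    # No match: no snatpool command runs, so the virtual server's own SNAT setting applies
}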
May I ask if you're using different data group lists because of firewall reasons (what's being allowed where) or for network topology reasons?
Otherwise you could just add all the addresses in SNATPOOLX, SNATPOOLY and SNATPOOLZ into one snatpool and configure that on the virtual server. Then the LTM would automatically choose an IP matching the LAN it sends out the packet to.
/Patrik
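Added example, not part of the original post: an offline Python model of the first-match logic in the iRule above, useful for checking before deployment which SNAT pool a client lands in and whether an entry in a later data group is shadowed by an earlier one. The data group and pool names follow the post; the networks are constructed sample values.

```python
import ipaddress

# Constructed sample data groups (type address), in iRule branch order.
# Names follow the post; the networks are invented for illustration.
DATA_GROUPS = [
    ("SNATPOOLXCLIENTS", "SNATPOOLX", ["10.1.0.0/16", "192.0.2.10"]),
    ("SNATPOOLYCLIENTS", "SNATPOOLY", ["10.2.0.0/16", "10.1.5.0/24"]),
    ("SNATPOOLZCLIENTS", "SNATPOOLZ", ["10.3.0.0/16"]),
]


def _nets(entries):
    # A bare host address becomes a /32 (or /128) network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def select_snatpool(client_ip, groups=DATA_GROUPS):
    """Return the pool of the first data group containing client_ip.

    None means no branch matched, i.e. the iRule issues no snatpool command.
    """
    addr = ipaddress.ip_address(client_ip)
    for _group, pool, entries in groups:
        if any(addr in net for net in _nets(entries)):
            return pool
    return None


def shadowed_entries(groups=DATA_GROUPS):
    """Find entries that overlap an entry of an earlier data group.

    Clients in the overlap always hit the earlier branch, so they are
    translated to a different pool than the later group suggests.
    """
    findings = []
    for i, (group, _pool, entries) in enumerate(groups):
        for net in _nets(entries):
            for earlier, _p, earlier_entries in groups[:i]:
                if any(net.overlaps(e) for e in _nets(earlier_entries)):
                    findings.append((group, str(net), earlier))
    return findings


if __name__ == "__main__":
    for ip in ("10.1.5.7", "10.2.3.4", "172.16.0.1"):
        print(ip, "->", select_snatpool(ip))
    print("shadowed:", shadowed_entries())
```

An overlap matters when downstream firewall rules are keyed on the SNAT address, because the shadowed clients leave with the earlier pool's address.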