Forum Discussion

valve404's avatar
valve404
Icon for Nimbostratus rankNimbostratus
Jan 21, 2022

SNAT with client and pool member on same subnet

Hi,

We have sort of an aut-last-hop feature on our firewall, and the lb is placed in front of the firewall. This ensures when a client from a random vlan behind the firewall connects to a VIP, the return traffic is actually sent back via the LB thanks to the 'auto last hop' like feature, and we gerally do not have to use snat.

But, when a client and the pool member is located in the same subnet, the firewall is not involved, and thus the client drops the return packet that comes directly from the server.

I would like to create a generic irule that would work in all vips, that compares client and pool member subnet.

The more I think about it, the more impossible it seems, since when executing the irule, the pool is not yet selected?

Is it possible to do this in an irule? Or do I need a separate irule for each VIP that will receive traffic where client && pool is on the same subnet?

Thanks for insights!

devops
iRules
snat
  • DenisG's avatar
    DenisG
    Icon for Employee rankEmployee
    Jan 25, 2022

    You could use it in the LB_Selected event and the LB::Server event

    https://clouddocs.f5.com/api/irules/LB__server.html

    https://clouddocs.f5.com/api/irules/snat.html

    there is a good starting point iRule that is liek this:

    # Apply SNAT automap for clients in the 10.10.10.0/24 subnet
when CLIENT_ACCEPTED {
   if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] }{
      snat automap
   }
}

     

     

    And looking here for the iRule event order - it shows it should work https://clouddocs.f5.com/training/community/irules/html/class1/module1/iRuleEventsFlowHTTPS.html 

  • DevBabu's avatar
    DevBabu
    Icon for Cirrus rankCirrus
    Jan 28, 2022

     

    1. Create a SNAT pool and add SNAT Pool members to it.

    [SNATPOOL]
    ltm snatpool dmz1_snat {
    members {
    172.16.0.7
    172.16.0.8
    }
    }

    ltm snatpool dmz2_snat {
    members {
    172.16.1.7
    172.16.1.8
    }
    }

    2. Create a SNAT data group

    [ SNAT-DATAGROUP ]
    ltm data-group internal snat-dg {
    records {
    172.16.0.0/24 { dmz1_snat }
    172.16.1.0/24 { dmz2_snat }
    }
    type ip
    }

    3. Write iRule and apply it to virtual server

    when LB_SELECTED {
    if { [class match [LB::server addr] equals snat-dg] } {
    snatpool [class match -value [LB::server addr] equals snat-dg]
    } else {
    snat automap
    }
    }