Forum Discussion

valve404 (Nimbostratus)
Jan 21, 2022

SNAT with client and pool member on same subnet


We have sort of an auto-last-hop feature on our firewall, and the LB is placed in front of the firewall. This ensures that when a client from a random VLAN behind the firewall connects to a VIP, the return traffic is actually sent back via the LB thanks to the 'auto last hop'-like feature, and we generally do not have to use SNAT.

But when the client and the pool member are located in the same subnet, the firewall is not involved, and thus the client drops the return packet that comes directly from the server.

I would like to create a generic iRule that would work on all VIPs and compares the client and pool member subnets.

The more I think about it, the more impossible it seems, since when the iRule executes, the pool member is not yet selected?

Is it possible to do this in an iRule? Or do I need a separate iRule for each VIP that will receive traffic where client && pool member are on the same subnet?

Thanks for insights!

2 Replies

  • You could use it in the LB_SELECTED event and the LB::server event

    There is a good starting-point iRule that looks like this:

    # Apply SNAT automap for clients in the subnet.
    # LB_SELECTED runs after the pool member is chosen, so both the client
    # address and the selected server are known here. The subnet below is a
    # placeholder (RFC 5737 documentation range): use the pool members' network.
    when LB_SELECTED {
       if { [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
          snat automap
       }
    }



    And looking here at the iRule event order, it shows this should work.


    1. Create a SNAT pool per server subnet and add SNAT pool members to it (the addresses below are placeholders from the RFC 5737 documentation ranges; use self IPs or spare addresses on the respective subnet):

    ltm snatpool dmz1_snat {
        members {
            /Common/192.0.2.250
            /Common/192.0.2.251
        }
    }

    ltm snatpool dmz2_snat {
        members {
            /Common/203.0.113.250
            /Common/203.0.113.251
        }
    }

    2. Create a SNAT data group of type ip that maps each server subnet (the record key) to the name of the SNAT pool to use for it (the record data). Subnet keys are placeholders:

    ltm data-group internal snat-dg {
        records {
            192.0.2.0/24 {
                data dmz1_snat
            }
            203.0.113.0/24 {
                data dmz2_snat
            }
        }
        type ip
    }

    3. Write the iRule and apply it to the virtual server. It looks up the selected pool member's address in the data group and applies the matching SNAT pool, falling back to SNAT automap when the server is on a subnet that is not listed:

    when LB_SELECTED {
        if { [class match [LB::server addr] equals snat-dg] } {
            snatpool [class match -value [LB::server addr] equals snat-dg]
        } else {
            snat automap
        }
    }
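Putting the question and the reply together, the following is an added example (not code from the original poster or the replier) of the generic iRule the question asks for: one rule that can be attached to every virtual server, that checks in LB_SELECTED whether the client and the selected pool member sit on the same subnet, and that applies SNAT only in that case, so traffic that the firewall's auto-last-hop behaviour already handles keeps its real source address. It assumes an ip-type data group named local_subnets holding one record per subnet that contains pool members; the data-group name and the example subnets are assumptions, not something the thread specifies.

```tcl
# Added example, not part of the original thread.
#
# Assumed prerequisite (tmsh): an ip-type data group with one record per
# subnet that has pool members on it. Records need no data; the key itself
# (the network in CIDR form) is what the iRule compares. The subnets are
# RFC 5737 documentation ranges used as placeholders.
#
#   ltm data-group internal local_subnets {
#       records {
#           192.0.2.0/24 { }
#           203.0.113.0/26 { }
#       }
#       type ip
#   }

when LB_SELECTED {
    # By the time LB_SELECTED fires the pool member is known, so both sides
    # of the comparison are available. "class match -name" returns the key
    # of the matching record (e.g. "192.0.2.0/24"), or an empty string when
    # the address falls in none of the listed subnets.
    set client_net [class match -name [IP::client_addr] equals local_subnets]
    set server_net [class match -name [LB::server addr] equals local_subnets]

    if { $client_net ne "" && $client_net eq $server_net } {
        # Client and pool member share a broadcast domain, so the server's
        # reply would go straight to the client and bypass the BIG-IP; the
        # client would then drop it. Rewrite the source to a self IP so the
        # reply has to come back through the LB.
        snat automap
        # Debug trace to confirm the rule triggers only where expected;
        # remove once verified, as it logs once per connection.
        log local0.debug "SNAT automap: client [IP::client_addr] and server [LB::server addr] both in $client_net"
    }
    # Otherwise the source address is left untouched and the firewall's
    # auto-last-hop behaviour described in the question returns the traffic
    # via the LB, as it does today.
}
```

Because the comparison keys on the matched data-group record rather than a hard-coded prefix length, subnets of different sizes can be listed side by side, and adding a new server subnet is a data-group change rather than an iRule change. A subnet that is missing from the data group simply never triggers SNAT, so keep the group in step with the pool member networks.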