
valve404
Jan 21, 2022

SNAT with client and pool member on same subnet

Hi,

We have sort of an auto-last-hop feature on our firewall, and the LB is placed in front of the firewall. This ensures that when a client from a random VLAN behind the firewall connects to a VIP, the return traffic is actually sent back via the LB thanks to the 'auto last hop' like feature, and we generally do not have to use SNAT.

But, when a client and the pool member are located in the same subnet, the firewall is not involved, and thus the client drops the return packet that comes directly from the server.

I would like to create a generic irule that would work in all vips, that compares client and pool member subnet.

The more I think about it, the more impossible it seems, since when executing the irule, the pool is not yet selected?

Is it possible to do this in an irule? Or do I need a separate irule for each VIP that will receive traffic where client && pool is on the same subnet?

Thanks for insights!

2 Replies

  • You could use it in the LB_Selected event and the LB::Server event

    https://clouddocs.f5.com/api/irules/LB__server.html

    https://clouddocs.f5.com/api/irules/snat.html

    there is a good starting point iRule that is like this:

    # Apply SNAT automap for clients in the 10.10.10.0/24 subnet
    # (compare the client address, not the VIP-side local address)
    when CLIENT_ACCEPTED {
       if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
          snat automap
       }
    }


    And looking here for the iRule event order - it shows it should work https://clouddocs.f5.com/training/community/irules/html/class1/module1/iRuleEventsFlowHTTPS.html 

  • 1. Create a SNAT pool and add SNAT pool members to it.

    [SNATPOOL]
    ltm snatpool dmz1_snat {
        members {
            172.16.0.7
            172.16.0.8
        }
    }

    ltm snatpool dmz2_snat {
        members {
            172.16.1.7
            172.16.1.8
        }
    }

    2. Create a SNAT data group

    [ SNAT-DATAGROUP ]
    # record values need the tmsh "data" keyword; the key is the pool member subnet,
    # the data is the name of the SNAT pool to use for it
    ltm data-group internal snat-dg {
        records {
            172.16.0.0/24 {
                data dmz1_snat
            }
            172.16.1.0/24 {
                data dmz2_snat
            }
        }
        type ip
    }

    3. Write iRule and apply it to virtual server

    when LB_SELECTED {
        if { [class match [LB::server addr] equals snat-dg] } {
            snatpool [class match -value [LB::server addr] equals snat-dg]
        } else {
            snat automap
        }
    }
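A generic variant that answers the original question directly, as an added example rather than code from either reply: in LB_SELECTED both the client and the chosen pool member are known, so a single type ip data group of the local subnets is enough to decide whether they sit in the same one. It assumes a data group named local-subnets whose record data repeats the prefix (the creation command is in the comment); all names are hypothetical.

```tcl
# Added example (not from the thread). Assumed data group, created with:
#   tmsh create ltm data-group internal local-subnets type ip \
#       records add { 172.16.0.0/24 { data 172.16.0.0/24 } \
#                     172.16.1.0/24 { data 172.16.1.0/24 } }
# Each record's data repeats its own prefix so a lookup returns the
# subnet name, which makes "same subnet" a plain string comparison.
when LB_SELECTED {
    # Which local prefix (if any) contains the client, and which contains
    # the selected pool member. class match -value returns the record data
    # on a hit and an empty string when the address matches no record.
    set client_net [class match -value [IP::client_addr] equals local-subnets]
    set server_net [class match -value [LB::server addr] equals local-subnets]

    if { $client_net ne "" && $client_net eq $server_net } {
        # Client and server share a subnet: the server would reply to the
        # client directly, bypassing the firewall's auto-last-hop path, and
        # the client would drop that packet. Source-translate to a self IP
        # so the reply comes back through the LB.
        snat automap
    }
    # Otherwise leave the virtual server's SNAT setting untouched so the
    # firewall continues to return traffic via the LB as before.
}
```

The rule is VIP-independent: attach it to every virtual server and maintain the subnet list in the data group rather than in per-VIP iRules.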