For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

liccccboeh_3569's avatar
liccccboeh_3569
Icon for Nimbostratus rankNimbostratus
Mar 27, 2018

wildcard VS and SNAT

Hey! I'm trying to write a SNAT irule for a wildcard virtual server(Forwarding IP), so if it's RFC1918 address don't do snat and when it's any other then snat outside interface float ip. The F5 "s...
application delivery
iRules
LTM
crodriguez's avatar
crodriguez
Ret. Employee
Mar 27, 2018

Certainly the solution you are trying to achieve is possible. Your current approach needs some tweaking though in order to get it to work. You cannot make a comparison of a raw IP address with a network address range without incorporating the IP::addr command. For example [IP::addr [IP::client_addr] equals 10.0.0.0/8] checks to see if the client's IP address is in the 10.0.0.0/8 network. It will probably be easier to do this check from an IF statement rather than a SWITCH. Something like this perhaps:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] ||
         [IP::addr [IP::client_addr] equals 172.16.0.0/12] ||
         [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
        snat none
    } else {
        snat 8.8.8.8
    }
}