Disabling SNAT on wildcard forwarding VS
I have 3 VLANs on my LTM 11.2 boxes: outside, dmz (where the web servers live) and inside (where the app servers live). To prevent hairpin issues, I enabled snat automap on the dmz and inside VLANs but not on outside (so I can track unique hits, etc.). To avoid needlessly SNATing traffic bound for the Internet (through a separate firewall), I put an iRule on the forwarding VS with one command: snat none. It works for most traffic, but a significant amount comes through with the outside VLAN's float... it's still getting snat automapped.
It's mostly pings from our NMS, but the annoying ones are the DHCP replies for our "guest" VLAN (the firewall is the DHCP relay for them). They come in with the firewall's address on the outside VLAN (from the F5's perspective), but the DHCP server replies to the guest interface's address... so there is no UDP "session" match. When the packets return to the firewall SNATed with the F5's address, it rejects them... that's not who it sent the DHCP request to.
I'm stumped... here's the config:
ltm snat /Common/snat_automap {
ltm virtual /Common/wildcard-all {
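An added example (not the poster's iRule or config) showing the SNAT decision made per flow inside the iRule itself, so that it does not depend on the per-VLAN SNAT object. It assumes two address-type data groups, dmz_nets and inside_nets (hypothetical names), that list the dmz and inside subnets; the iRule name snat_by_source is also an assumption.

```tcl
# snat_by_source: decide SNAT per flow on the wildcard forwarding VS.
# Added example; assumes address-type data groups dmz_nets and inside_nets
# (hypothetical names) containing the dmz and inside subnets.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]

    if { [class match $src equals dmz_nets] || [class match $src equals inside_nets] } {
        # Hairpin case: the source sits behind the LTM, so return traffic
        # must come back through it. automap picks the floating self IP of
        # the VLAN the flow egresses on.
        snat automap
    } else {
        # Anything arriving from the outside side (firewall, NMS pings,
        # DHCP relay traffic) keeps its original source address.
        snat none
        # Log each unSNATed flow so it can be confirmed against the
        # connection table (tmsh show sys connection) while testing.
        log local0. "no SNAT: $src -> [IP::local_addr] proto [IP::protocol]"
    }
}
```

Attach it with `tmsh modify ltm virtual /Common/wildcard-all rules { snat_by_source }`. Because CLIENT_ACCEPTED fires once per new flow, a reply that does not match an existing connection-table entry (such as the DHCP reply sent to a different address than the request came from) is evaluated as a fresh flow by this rule, which is why matching on the source subnet rather than relying on an earlier decision is useful here.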