I have a LTM-setup (10.0.1) with a SNAT Pool containing 5 ip addresses. So each connection uses the next SNAT address (round robin).
But for persistent connections (source persistence), i'd like the LTM to use always the same SNAT address, and not to change it during the session. Otherwise some of my applications have problems with session management...
Is there a way to configure the SNAT pool in a way that persistent connection always keep their SNAT address?
Do you think mapping the source IP address to a SNAT IP would work for you (assign 1/x IP addresses to one SNAT IP)? If so, I can put together an example. Else, the UIE session persistence method would take a bit longer to give an example for.
23-Nov-200907:29 - last edited on 31-May-202314:13 by JimmyPackets
Something like this maybe...
when CLIENT_ACCEPTED {
Create some snat name to IP variables
set snat0_ip 1.1.1.1
set snat1_ip 2.2.2.2
set snat2_ip 3.3.3.3
set snat3_ip 4.4.4.4
set snat4_ip 5.5.5.5
Test with a dummy client IP address
set client_ip "10.11.12.13"
log local0. "\$client_ip: $client_ip"
Scan the dummy IP address for each octet
scan $client_ip {%[0-9].%[0-9].%[0-9].%[0-9]} a b c d
log local0. "result: \[expr {$c % 5}\]: [expr {$c % 5}]"
Use modulus 5 on the third octet
log local0. "Snat command: snat [set "snat[expr {$c % 5}]_ip"]"
Apply the SNAT IP to this connection
snat [set "snat[expr {$c % 5}]_ip"]
}
Once you're done testing, you can replace the $client_ip variable with [IP::client_addr]. You could also experiment with using a datagroup to store the SNAT addresses or maybe an array.
23-Nov-200908:16 - last edited on 31-May-202314:13 by JimmyPackets
Actually, it looks like getfield is a lot more efficient for this compared with scan. So you could replace the scan command with getfield:
when CLIENT_ACCEPTED {
Use a local array to configure the 5 SNAT addresses
set snat_ips(0) 1.1.1.1
set snat_ips(1) 2.2.2.2
set snat_ips(2) 3.3.3.3
set snat_ips(3) 4.4.4.4
set snat_ips(4) 5.5.5.5
Use getfield to parse the third octet from the client IP address
Get the modulus of the third octet against the number of the SNAT IPs in the array
set snat_number [expr {[getfield [IP::client_addr] "." 3] % [array size snat_ips]}]
log local0. "Client IP: [IP::client_addr], SNAT number $snat_number, SNAT IP: $snat_ips($snat_number)"
Apply the SNAT
snat $snat_ips($snat_number)
}
You could use this specific SNAT rule on any VIP where you want to "persist" clients with the same SNAT IP over multiple connections. The more general default SNAT would take lower precedence than SNAT called from an iRule. So you could leave the default SNAT enabled for any other VIP which you don't need to use the same SNAT pool IP for each client.
I figured out that using a hash on the full client IP should give a better distribution across the SNAT addresses compared with using getfield to parse a single octet. The CPU usage is virtually the same as getfield. The rule is here:
I thought crc32 might give better distribution but be lighter weight than the binary and format commands. But I haven't compared to see which is more efficient. Anyhow, more options are better than less 🙂
I know this post is very old , but i got into the same issue but the internet search for the irule has landed over here.
My goal is to match client IP to SNAT (one to one mapping). I found an irule, but that is very long (manual typing and for bigger subnet cannot apply since that will be longer than 65536 characters which irule can take).
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 172.16.56.10/32] }{ snat 172.16.56.10 } if { [IP::addr [IP::client_addr] equals 172.16.56.11/32] }{ snat 172.16.56.11 } if { [IP::addr [IP::client_addr] equals 172.16.56.12/32] }{ snat 172.16.56.12 } . . . . "and till all the one to one mapping" }
However, this is not useful for longer subnets. Is there a way to match the third and last octect of the IP of the client to SNAT IP. The above irule shows about the thrid octect only , is there a way to match 3rd and 4th octect?
