Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

SNAT with client and pool member on same subnet

valve404
Nimbostratus
Nimbostratus

‎21-Jan-2022 03:40

Hi,

We have sort of an aut-last-hop feature on our firewall, and the lb is placed in front of the firewall. This ensures when a client from a random vlan behind the firewall connects to a VIP, the return traffic is actually sent back via the LB thanks to the 'auto last hop' like feature, and we gerally do not have to use snat.

But, when a client and the pool member is located in the same subnet, the firewall is not involved, and thus the client drops the return packet that comes directly from the server.

I would like to create a generic irule that would work in all vips, that compares client and pool member subnet.

The more I think about it, the more impossible it seems, since when executing the irule, the pool is not yet selected?

Is it possible to do this in an irule? Or do I need a separate irule for each VIP that will receive traffic where client && pool is on the same subnet?

Thanks for insights!

Labels:
0 Kudos
2 REPLIES 2

DenisG
F5 Employee
F5 Employee

‎25-Jan-2022 10:29

You could use it in the LB_Selected event and the LB::Server event

https://clouddocs.f5.com/api/irules/LB__server.html

https://clouddocs.f5.com/api/irules/snat.html

there is a good starting point iRule that is liek this:

# Apply SNAT automap for clients in the 10.10.10.0/24 subnet
when CLIENT_ACCEPTED {
   if { [IP::addr [IP::local_addr] equals 10.10.10.0/24] }{
      snat automap
   }
}

 

 

And looking here for the iRule event order - it shows it should work https://clouddocs.f5.com/training/community/irules/html/class1/module1/iRuleEventsFlowHTTPS.html 

0 Kudos

DevBabu
Cirrus
Cirrus

‎28-Jan-2022 10:51 - edited ‎28-Jan-2022 10:52

 

1. Create a SNAT pool and add SNAT Pool members to it.

[SNATPOOL]
ltm snatpool dmz1_snat {
members {
172.16.0.7
172.16.0.8
}
}

ltm snatpool dmz2_snat {
members {
172.16.1.7
172.16.1.8
}
}

2. Create a SNAT data group

[ SNAT-DATAGROUP ]
ltm data-group internal snat-dg {
records {
172.16.0.0/24 { dmz1_snat }
172.16.1.0/24 { dmz2_snat }
}
type ip
}

3. Write iRule and apply it to virtual server

when LB_SELECTED {
if { [class match [LB::server addr] equals snat-dg] } {
snatpool [class match -value [LB::server addr] equals snat-dg]
} else {
snat automap
}
}

0 Kudos
Copyright © 2023 Khoros, LLC