selective snat
4 TopicsSelective SNAT
Hello, I have a VIP on port 53, all-protocols, fastL4 profile, snat none. The VIP is working OK, but I want to do snat for a specific network. I have tried with that iRule: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.64/26] } { snat 10.10.10.65 } } But for some reason the snat is not working... The software is 10.2.4 HF7 and I have multiple route domains. Any suggestions?255Views0likes1CommentApply conditional SNATPOOL
Hello all! I am with a issue of SNAT. My pool have pool-members from differents subnets. I need apply SNAT 10.100.2.253 when the choosen pool-members are from network 10.100.2.0/24 and the SNAT 172.26.160.71 to pool-members from network 10.100.6.64/27. Are there a native configuration on BIG-IP 11.6. to solve this issue or do i need to apply an irule for this ? I wrote two option of irules, but idon't know if is correct. Data group with ip address from network 10.100.6.64/27: ltm data-group internal DGROUP-THS { records { 10.100.6.64/27 { } } type ip SNATPOOL when poolmember 10.100.6.x are chosen: ltm snatpool SNAT_THS { members { 172.26.160.71 } } SNATPOOL when poolmember 10.100.2.x are chosen: ltm snatpool SNAT_DEFAULT { members { 10.100.2.253 } } 1° Option irule: when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals DGROUP-THS]} { snatpool SNAT_THS } else { forward } } } 2° Option irule: when LB_SELECTED { if { [class match [LB::server addr] equals DGROUP-THS]} { snatpool SNAT_THS } else { forward } } And for two irule the snatpool SNAT_DEFAULT is set on virtual server.223Views0likes1CommentIP Forwarding Virtual Server v/s SNAT
Trying to understand the difference between the two. Can either one of them be used for forwarding traffic from load balanced nodes (private addresses) to the internet? We have LTMs in an HA pair that are configured with both a wildcard IP forwarding vserver and a SNAT pool (containing standard virtual server addresses). An irule is being used on the forwarding vserver that SNATs a node to its public standard vserver address for anything originating from the node and destined to a host on the internet. From what i understand, LTM can forward traffic (from nodes to the internet) only using a IP forwarding vserver. That is the closest way to emulate the same behavior as a stateless router, which works just fine for now. I'd like to know if SNAT is another way to do the same (forwarding). If it is, can we delete the forwarding vserver and only configure a SNAT object, and still make the internal nodes connect to the internet through the LTM? Would also like to get an opinion on keeping standard vserver addresses inside a SNAT pool, so that individual SNAT addresses can be referenced in an irule for selectively SNAT'ing a set of nodes to their vserver address. We recently did this, and traffic from the internal nodes (mail servers specifically) to certain destinations just didn't work. We have done a lot of packet captures and are still clueless. Any explanation or config pointers would be great. Thank you!1.4KViews0likes20CommentsLog server on in-line network
I am running an inline model in my f5 environment. One external network for VS, one internal for nodes. Everything is fine except when I have a node on the internal network that needs to communicate with another node on the internal network. I obviously get an asymmetric routing issue. I can overcome this by using an iRule that does selective SNAT. My issue is that some servers on this internal network (log servers, smtp servers, authentication servers) actually need the source address preserved for obvious reasons. I have thought of a few ways to get around this but am looking for more help (other ideas, iRule help). Use iRule to SNAT traffic to the VS address. This would at least allow the log collector to know what pool the message came from. SNAT traffic to pre-determined SNAT pool. So if I have 10.10.1.0/24, I could create a one-to-one SNAT pool using 10.10.2.0/24. Users would then know to where to lok if they saw 10.10.2.100 in a log entry. Create an iRule that examines the actual source address, then increments the third octet (I'm using networks bigger than a /24) and SNATs traffic to the incremented address. Basically the same method as 2 just without multiple SNAT pools. I am definitely open to other methods as well. Thanks.268Views0likes2Comments