Forum Discussion
You will most likely need to use an iRule. Are you looking to map a /24 to a /24 or something similar? If so, you could write an iRule that can SNAT 10.0.0.x to 192.168.0.x, for example, by just translating the last digit of the address.
- Brian_Gibson_30 (Feb 17, 2015, Nimbostratus): No. Basically we are having a problem in which NAT is confusing our server and dropping connections. Basically it is having trouble with multiple users connecting with the same source IP. So we want to create a pool in which each user will be assigned a unique source IP address so the NAT isn't overloaded.
- Brad_Parker_139 (Feb 17, 2015, Nacreous): Well, that seems like a bad problem for the server to have. You will run out of IPs quickly if the application is going to require a unique IP per session. What kind of application/web server are you running? Is it having NAT problems or port exhaustion problems?
- Brian_Gibson_30 (Feb 17, 2015, Nimbostratus): It isn't that bad a problem, but it is a problem. This is an internal service, so the number of users is limited to a few hundred. We will just glom a 10./8 address block and use that. What is being alleged is that the LB NAT of the connections is making the server drop connections. If you want a more detailed explanation, it is based on this writeup: http://www.nynaeve.net/?p=93 We aren't 100% certain that this is the problem, but we did see several writeups similar to this one and they all describe the problem we see.
- Brad_Parker_139 (Feb 17, 2015, Nacreous): Not sure if this will work, but trying to get creative, as picking an IP from a list based on availability may be cumbersome in the iRule. What you could try is to set the VIP to the actual IP of your SMP server and turn off "Address Translation" on that VIP. Create a pool of nodes using all the IPs you want to use for your SNATs. Set the connection limit for each pool member to 1 and use this in an iRule: `when CLIENT_ACCEPTED { snat [IP::server_addr] }`. This could leverage LTM's built-in connection table to track your SNATs in a creative way. I haven't tried this, but I am doing something similar in a dev environment.
- Brian_Gibson_30 (Feb 18, 2015, Nimbostratus): That is an interesting way of doing it. I would need to add each node one at a time that way, wouldn't I? How would it know to use the pool of IPs?
- Brad_Parker_139 (Feb 18, 2015, Nacreous): I would try it out with just a couple of IPs first, but essentially you could create all the nodes you need via tmsh scripting and add them all to the pool assigned to the VIP.
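As an added example (not posted by anyone in this thread), the following POSIX shell script generates the tmsh commands for the layout Brad describes: one node per candidate source address with a connection limit of 1, a pool of those nodes, the quoted iRule, and a virtual server whose destination is the real server IP with address translation disabled. The server address 10.10.10.100:443, the 10.10.11.0/24 address range, and the names `snat-ip-pool`, `snat_from_member` and `vs-smp` are made-up placeholders; the script only prints commands, so you can review them before running them in a tmsh session on the BIG-IP.

```shell
#!/bin/sh
# Added example, not the thread's own code. All addresses and object names
# below are constructed placeholders; change them to fit your environment.

SERVER_IP="10.10.10.100"   # hypothetical SMP server
SERVER_PORT="443"
POOL="snat-ip-pool"        # hypothetical pool name
RULE="snat_from_member"    # hypothetical iRule name
VS="vs-smp"                # hypothetical virtual server name

# Emit one "create ltm node" command per address PREFIX.FIRST .. PREFIX.LAST.
# connection-limit 1 makes LTM's connection table hand each address to at most
# one active connection, which is what ties one source IP to one client.
gen_node_cmds() {
  prefix=$1; first=$2; last=$3
  i=$first
  while [ "$i" -le "$last" ]; do
    echo "create ltm node ${prefix}.${i} address ${prefix}.${i} connection-limit 1"
    i=$((i + 1))
  done
}

# Emit the pool member list in tmsh syntax; port 0 means "any port".
gen_member_list() {
  prefix=$1; first=$2; last=$3
  i=$first
  while [ "$i" -le "$last" ]; do
    printf '%s.%s:0 { connection-limit 1 } ' "$prefix" "$i"
    i=$((i + 1))
  done
}

# Pool holding every candidate source address as a member.
gen_pool_cmd() {
  echo "create ltm pool ${POOL} members add { $(gen_member_list "$1" "$2" "$3")}"
}

# The iRule quoted in the thread, wrapped in tmsh create syntax.
gen_rule_cmd() {
  printf 'create ltm rule %s { when CLIENT_ACCEPTED { snat [IP::server_addr] } }\n' "$RULE"
}

# Virtual server on the real server IP with address translation disabled,
# so the destination stays the server and only the source is rewritten.
gen_virtual_cmd() {
  echo "create ltm virtual ${VS} destination ${SERVER_IP}:${SERVER_PORT} translate-address disabled pool ${POOL} rules { ${RULE} }"
}

# Print the whole command set for PREFIX.FIRST .. PREFIX.LAST.
gen_all() {
  gen_node_cmds "$1" "$2" "$3"
  gen_pool_cmd "$1" "$2" "$3"
  gen_rule_cmd
  gen_virtual_cmd
}

# Usage: generate commands for 10.10.11.200-203, review them, then paste
# them into tmsh and "save sys config".
gen_all 10.10.11 200 203
```

Start with a small range, as Brad suggests, and watch the pool member connection counts while a few clients connect before scaling the range up.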
- dragonflymr (May 10, 2017, Cirrostratus):
Hi Brad,
I am really puzzled how your solution could work. If I understand your concept correctly, the setup would be like this:
Server IP: 10.10.10.100
Self IP to access server: 10.10.10.1/24
VS IP: 10.10.10.100, address translation disabled
So far so good, but what about pool members? If I set them with IPs from the Self IP subnet (10.10.10.200-254), then how will traffic be sent to them? Nothing will respond to ARP requests for those IPs, as there are no hosts with those IPs assigned.
The only way I can make it work is using some fake IPs from a completely separate subnet (10.10.11.0/24) and then setting a static route on the BIG-IP pointing to the server IP (10.10.11.0 MASK 255.255.255.0 GW 10.10.10.100).
But then the server has to have its default gateway set to the BIG-IP Self IP. If this is the case, then SNAT on the VS can be turned off and real client IPs can be passed to the server.
Am I missing something important here?
Piotr