Forum Discussion
Feb 28, 2015
Hi aj,
Brian is right. And I would swear to have seen a solution for this.
Anyway, here are two alternatives.
In case your whole network is using equal-length subnets, the following one should work, i.e. for all networks being 26 bit (255.255.255.192):
when RULE_INIT {
    # Equal-length subnet mask shared by every network (26 bit here)
    set static::network_mask 255.255.255.192
}
when LB_SELECTED {
    # Network address of the client and of the selected pool member
    set client_net [IP::addr [clientside {IP::remote_addr}] mask $static::network_mask]
    set server_net [IP::addr [LB::server addr] mask $static::network_mask]
    log local0. "client network: $client_net ([clientside {IP::remote_addr}])"
    log local0. "server network: $server_net ([LB::server addr])"
    if { $client_net equals $server_net } {
        log local0. "client and server in same network: apply snat"
        snat automap
    } else {
        log local0. "client and server in different networks: do not snat"
        snat none
    }
}
In case your network ranges are varying, I would use a data-group based approach. It's of type IP and may contain subnets of different lengths (I added an "empty" value to avoid related issues, but it is not required):
ltm data-group internal datagroup_local_networks {
    records {
        10.131.131.0/26 {
            data empty
        }
        10.131.131.64/26 {
            data empty
        }
        10.131.131.128/26 {
            data empty
        }
        10.131.131.192/26 {
            data empty
        }
    }
    type ip
}
The following iRule uses the data-group to compare the network range of client and pool member.
when LB_SELECTED {
    # "class match -name" returns the name of the matching record (the network),
    # or an empty string if the address is in none of them. Note that two
    # addresses matching no record both yield "" and therefore compare equal.
    set client_net [class match -name -- [clientside {IP::remote_addr}] equals datagroup_local_networks]
    set server_net [class match -name -- [LB::server addr] equals datagroup_local_networks]
    log local0. "$client_net for [clientside {IP::remote_addr}]"
    log local0. "$server_net for [LB::server addr]"
    if { $client_net equals $server_net } {
        log local0. "client and server in same network, apply snat"
        snat automap
    } else {
        log local0. "client and server in different networks, do not snat"
        snat none
    }
}
Things are a bit more difficult with routing domains. Not covered by this solution.
Thanks, Stephan
PS: Modified (2015-03-03) to override default SNAT configurations by using "snat none" for specific condition.
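The decision logic of the two iRules above, modelled in Python as an added example (not from the post or from F5) so it can be exercised offline: the equal-length mask comparison, and the data-group lookup as a longest-prefix match over a list of CIDR ranges. The network list reuses the post's four /26 ranges as constructed input. One deliberate difference from the posted iRule is flagged in the code: an address that matches no record is treated as "unknown" and gets no SNAT, whereas in the iRule two unmatched addresses both return an empty string and compare equal.

```python
import ipaddress
from typing import List, Optional

# Constructed equivalent of the data-group records in the post.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.131.131.0/26", "10.131.131.64/26",
              "10.131.131.128/26", "10.131.131.192/26")
]


def same_network_fixed_mask(client: str, server: str,
                            mask: str = "255.255.255.192") -> bool:
    """Equal-length subnet approach: apply one mask to both addresses
    and compare the resulting network addresses (IP::addr ... mask ...)."""
    c = ipaddress.ip_network(f"{client}/{mask}", strict=False)
    s = ipaddress.ip_network(f"{server}/{mask}", strict=False)
    return c.network_address == s.network_address


def match_network(addr: str, networks: List[ipaddress.IPv4Network]
                  ) -> Optional[ipaddress.IPv4Network]:
    """Model of `class match -name` on an IP data-group: return the most
    specific (longest prefix) record containing addr, or None if no record
    matches. Overlapping records are allowed, so the longest prefix wins."""
    ip = ipaddress.ip_address(addr)
    candidates = [n for n in networks if ip in n]
    return max(candidates, key=lambda n: n.prefixlen, default=None)


def snat_decision(client: str, server: str,
                  networks: List[ipaddress.IPv4Network] = LOCAL_NETWORKS) -> str:
    """Return 'automap' when client and pool member fall into the same listed
    network, otherwise 'none'. Assumption in this example: an address that
    matches no record is unknown, so no SNAT is applied (the posted iRule
    would apply SNAT when *both* addresses are unmatched)."""
    c = match_network(client, networks)
    s = match_network(server, networks)
    if c is None or s is None:
        return "none"
    return "automap" if c == s else "none"


if __name__ == "__main__":
    # Constructed client/server pairs for a quick manual run.
    for client, server in (("10.131.131.10", "10.131.131.20"),
                           ("10.131.131.10", "10.131.131.200"),
                           ("192.0.2.1", "10.131.131.20")):
        print(client, server, "->", snat_decision(client, server))
```

`ipaddress.ip_network(..., strict=False)` accepts a dotted netmask as well as a prefix length, which is what makes the fixed-mask variant a direct counterpart of `IP::addr ... mask 255.255.255.192`. The longest-prefix selection in `match_network` is what lets the list hold ranges of varying length, which is the point of switching to the data-group.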