Forum Discussion
Stephan, I had a chance to test the rule. It looks like connections on the same vlans are getting snat'd, although connections between service nodes in different vlans are getting snat'd too, and we would like to avoid that since the LTM is the gateway for all these vlans. Below are some logs and connection table entries.
iRule:
when CLIENT_ACCEPTED {
    # remember the virtual server's default pool so the else branch can re-select it
    set default_pool [LB::server pool]
    log local0. "default pool = $default_pool"
}
when LB_SELECTED {
    log local0. "Client is [clientside {IP::remote_addr}]"
    log local0. "Server is [LB::server addr]"
    # Compare the data-group match result for the client with the one for the server.
    # Note that two identical results take the SNAT branch, and that includes two empty
    # results, i.e. neither address being in the data group that is tested.
    if {[class match -name -- [clientside {IP::remote_addr}] equals vlanX] equals [class match -name -- [LB::server addr] equals vlanX]} {
        log local0. "client and server in SAME network, apply snat"
        snatpool snat_pool
    } elseif {[class match -name -- [clientside {IP::remote_addr}] equals vlanY] equals [class match -name -- [LB::server addr] equals vlanY]} {
        log local0. "client and server in SAME network, apply snat"
        snatpool snat_pool
    } else {
        log local0. "client and server in DIFFERENT networks, do not snat"
        pool $default_pool
    }
}
Data groups:
ltm data-group internal vlanX {
    records {
        172.16.18.0/24 { }
    }
    type ip
}
ltm data-group internal vlanY {
    records {
        172.16.19.0/24 { }
    }
    type ip
}
logs:
All three log entries are from a client and server in different vlans. I never see an entry for a client and a server in the same vlan, but I do see that record in the connection table getting snat'd.
Mar 3 11:04:57 slot1/isb-alb-c1 info tmm[10994]: Rule /Common/snat_same_vlan : default pool = test_pool
Mar 3 11:04:57 slot1/isb-alb-c1 info tmm[10994]: Rule /Common/snat_same_vlan : Client is 172.16.19.12
Mar 3 11:04:57 slot1/isb-alb-c1 info tmm[10994]: Rule /Common/snat_same_vlan : Server is 172.16.18.24
Mar 3 11:04:57 slot1/isb-alb-c1 info tmm[10994]: Rule /Common/snat_same_vlan : client and server in SAME network, apply snat
Mar 3 11:05:00 slot1/isb-alb-c1 info tmm3[10994]: Rule /Common/snat_same_vlan : default pool = test_pool
Mar 3 11:05:00 slot1/isb-alb-c1 info tmm3[10994]: Rule /Common/snat_same_vlan : Client is 172.16.19.12
Mar 3 11:05:00 slot1/isb-alb-c1 info tmm3[10994]: Rule /Common/snat_same_vlan : Server is 172.16.18.24
Mar 3 11:05:00 slot1/isb-alb-c1 info tmm3[10994]: Rule /Common/snat_same_vlan : client and server in SAME network, apply snat
Mar 3 11:05:04 slot1/isb-alb-c1 info tmm2[10994]: Rule /Common/snat_same_vlan : default pool = test_pool
Mar 3 11:05:04 slot1/isb-alb-c1 info tmm2[10994]: Rule /Common/snat_same_vlan : Client is 125.171.11.108
Mar 3 11:05:04 slot1/isb-alb-c1 info tmm2[10994]: Rule /Common/snat_same_vlan : Server is 172.16.18.24
Mar 3 11:05:04 slot1/isb-alb-c1 info tmm2[10994]: Rule /Common/snat_same_vlan : client and server in SAME network, apply snat
In the connection table itself, I don't see any snat going on for the 125.171.11.108 client though, and the logs seem to suggest otherwise!
show /sys connection cs-client-addr 125.171.11.108
Sys::Connections
125.171.11.108:41521 198.82.183.114:389 125.171.11.108:41521 172.16.18.24:10389 tcp 1375 (slot/tmm: 1/0) none
These are in the same vlan, and a snat is expected here.
show /sys connection cs-client-addr 172.16.18.12 ss-server-addr 172.16.18.24
Sys::Connections
172.16.18.12:58409 198.82.183.114:389 196.81.215.116:58409 172.16.18.24:10389 tcp 17 (slot/tmm: 1/0) none
Not in the same vlan, but a snat still happens.
show /sys connection cs-client-addr 172.16.18.12 ss-server-addr 172.16.19.24
Sys::Connections
172.16.18.12:58409 198.82.183.114:389 196.81.215.118:58409 172.16.19.24:10389 tcp 17 (slot/tmm: 1/0) none
- Mar 03, 2015
Hi aj, I assume there is a default snat configured on your system. You can check it with the following command: tmsh list ltm snat
To override it, we can use a "snat none" in the iRule, and I changed just that in the sample code above for both iRules. Please let me know if this works for you. Thanks, Stephan
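As an added check (not code from the thread or from F5), the same-VLAN rule the iRule is meant to enforce is rewritten below in Python and run over the three connection-table rows quoted above; a row counts as snat'd when the server-side client address differs from the client-side one, so the script flags the flow whose snat decision disagrees with the rule. The data groups and sample rows are copied from the posts.

```python
import ipaddress
import re

# Address-type data groups from the thread, one subnet per VLAN.
VLAN_GROUPS = {
    "vlanX": [ipaddress.ip_network("172.16.18.0/24")],
    "vlanY": [ipaddress.ip_network("172.16.19.0/24")],
}

# One "show /sys connection" row: cs-client cs-server ss-client ss-server proto ...
CONN_RE = re.compile(
    r"^(?P<cs_client>[\d.]+):\d+\s+(?P<cs_server>[\d.]+):\d+\s+"
    r"(?P<ss_client>[\d.]+):\d+\s+(?P<ss_server>[\d.]+):\d+\s+(?P<proto>\w+)"
)

def vlan_of(addr):
    """Name of the data group whose subnet contains addr, or None if no group matches."""
    ip = ipaddress.ip_address(addr)
    for name, nets in VLAN_GROUPS.items():
        if any(ip in net for net in nets):
            return name
    return None

def should_snat(client, server):
    """Intended rule: snat only when client and server sit in the same VLAN."""
    cv = vlan_of(client)
    return cv is not None and cv == vlan_of(server)

def audit_connection(line):
    """Classify one connection-table row; header lines return None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    # The server side shows a different client address only when snat was applied.
    applied = m["cs_client"] != m["ss_client"]
    expected = should_snat(m["cs_client"], m["ss_server"])
    return {"client": m["cs_client"], "server": m["ss_server"],
            "snat_applied": applied, "snat_expected": expected,
            "ok": applied == expected}

# Sample rows constructed from the connection-table output quoted in the thread.
SAMPLE_ROWS = """Sys::Connections
125.171.11.108:41521 198.82.183.114:389 125.171.11.108:41521 172.16.18.24:10389 tcp 1375 (slot/tmm: 1/0) none
172.16.18.12:58409 198.82.183.114:389 196.81.215.116:58409 172.16.18.24:10389 tcp 17 (slot/tmm: 1/0) none
172.16.18.12:58409 198.82.183.114:389 196.81.215.118:58409 172.16.19.24:10389 tcp 17 (slot/tmm: 1/0) none
"""

def audit(text):
    return [r for r in (audit_connection(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for row in audit(SAMPLE_ROWS):
        print(row)
```

Pipe the real `show /sys connection` output into `audit()` to list every flow whose snat state contradicts the rule; on the rows above only the vlanX-to-vlanY flow is reported.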