Forum Discussion

anuj_2931
Aug 13, 2012

SNAT irule question

Hi Guys,

On a virtual server which has Apache servers as pool members, we have SNAT enabled. The servers are in the 192.168.14.0/24 subnet. The other subnet in our network is 192.168.10.0/24. The F5 LTM has floating IPs for both subnets.

Now I want to remove SNAT because we want to see the client IPs that come over the internet to access our webservers.

Currently on our apache server, the default gateway is set as 192.168.14.1 (edge firewall).

This is my plan to make this happen. Please let me know if this looks good.

1. Remove SNAT on virtual server.

2. Add an iRule which does "snat automap" if the client is local (192.168.10.0/24 or 192.168.14.0/24). Otherwise just forward.

when CLIENT_ACCEPTED {
    # check if client_addr matches any address in the class
    if { [matchclass [IP::client_addr] equals $::Hosts] } {
        snat automap
    } else {
        # don't do any source address translation
        forward
    }
}
3. Add the default gateway as 192.168.14.236 (floating IP of the LTM). Add static routes for 192.168.10.0/24 and 192.168.14.0/24 pointing to the firewall (192.168.14.1).

Do you think this will work?

3 Replies

  • Hi Anuj,

    That sounds about right. If you're on 9.4.4 or higher, you should remove the $:: prefix on the Hosts data group name. Also, you don't need to use the forward command to avoid SNAT--just leave the else clause off and any client IP which isn't in the Hosts data group will not be SNAT'd:

    Hi Anuj,

    If the clients are on the same subnet as the servers you must SNAT them to ensure the servers reply back to the client through LTM. If the servers' default gateway is set to the LTM self IP on their subnet, all clients not local to the server subnet would be fine without SNAT. To do this a bit simpler, you could use this iRule:

    http://devcentral.f5.com/wiki/iRules.SelectiveSNAT.ashx

    If you do need to specify other subnets you want to SNAT, you can use this simplified iRule. Note that for 9.4.4 and higher, you should remove the $:: prefix from the data group name in the iRule. And you don't need to use the forward command to avoid SNAT--just leave out the else clause.

    
    when CLIENT_ACCEPTED {
        # Check if client_addr is in the Hosts data group
        if { [matchclass [IP::client_addr] equals Hosts] } {
            # Apply SNAT just for this connection
            snat automap
        }
    }
    

    Aaron
  • Here's the selective SNAT example I was referring to. You can use this if you want to only SNAT when the client and server are on the same subnet.

    
    when LB_SELECTED {
        if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
            snat automap
        }
    }
    

    Aaron
  • Thanks Aaron for the response.

    The reason I want to SNAT other subnets in our network is because I want ssh, syslog, ntp etc. to work between the other subnet and the Apache servers behind the LTM. The LTM will not be used for those protocols. Hence I mentioned that I will add a static route for 192.168.10.0/24 pointing to the firewall on the Apache servers, and so I will need snat automap for the HTTP traffic to go back to the LTM if the source is 192.168.10.x.

    Anuj
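The return-path problem the whole thread turns on (step 3 of the plan plus Anuj's last reply) can be checked offline. The following is an added model written for this page, not F5 code: it encodes the Apache server's routing table (default via the LTM floating IP 192.168.14.236, static routes for both internal subnets via the firewall 192.168.14.1), the data-group decision from the CLIENT_ACCEPTED iRule, and asks whether the server's reply ever reaches the LTM. Addresses and the automap self IP are assumptions taken from the thread.

```python
"""Model of selective SNAT vs. the server's return path (constructed example)."""
import ipaddress

LTM_FLOATING = ipaddress.ip_address("192.168.14.236")   # LTM floating self IP
FIREWALL = ipaddress.ip_address("192.168.14.1")         # edge firewall
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Apache server routing table after step 3 of the plan.
# gateway None means the destination is directly connected (ARP on the LAN).
SERVER_ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), FIREWALL),
    (ipaddress.ip_network("192.168.14.0/24"), None),
    (DEFAULT, LTM_FLOATING),
]

# Contents of the "Hosts" data group used by the iRule: clients to SNAT.
HOSTS_DATA_GROUP = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.14.0/24"),
]


def next_hop(dst, routes=SERVER_ROUTES):
    """Longest-prefix match over the server's routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def should_snat(client_addr):
    """CLIENT_ACCEPTED decision: SNAT only clients found in the data group."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in HOSTS_DATA_GROUP)


def reply_returns_via_ltm(client_addr, snat):
    """Does the server's reply go back through the LTM?
    With snat automap the server sees the LTM self IP as the source
    (assumed here to be the floating IP); without it, the real client IP."""
    src = LTM_FLOATING if snat else ipaddress.ip_address(client_addr)
    if src == LTM_FLOATING:
        return True                      # LTM owns the address, reply lands on it
    return next_hop(src) == LTM_FLOATING  # otherwise only if the route says so


def connection_works(client_addr):
    """End-to-end check using the iRule's own SNAT decision."""
    return reply_returns_via_ltm(client_addr, should_snat(client_addr))
```

Internet clients keep their real source IP and still work because the default route points at the LTM, while 192.168.10.x and same-subnet clients only work when the iRule SNATs them.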