Forum Discussion

PATLOC_183933
Jan 27, 2015

iRule segment network no match

This iRule does not match:

    when CLIENT_ACCEPTED {
        set my_ip [IP::client_addr]

        # not matching
        if { [IP::addr [IP::client_addr] equals 20.33.2.2] } {
            snatpool POOL-SNAT-CLD-REN
            pool gateway-EQX-REN
        }
        if { [IP::addr [IP::client_addr] equals 20.33.2.3] } {
            snatpool POOL-SNAT-CLD-RET
            pool gateway-EQX-RET
        }

        # only matching
        if { [IP::addr [IP::client_addr] equals 20.33.0.0/16] } {
            snatpool POOL-SNAT-CLD-PAT-PROD
            log local0. "log 20.33"
            pool new-default-gateway
        }
    }

I want to NAT two IPs in the segment network 20.33.2.0/26, but only the NAT on network 20.33.0.0/16 matches. Why?

 

11 Replies

  • Hi PATLOC,

    please try the following:
    if { [IP::addr [IP::client_addr] equals "20.33.2.2/32"] } {
        snatpool POOL-SNAT-CLD-REN 
        pool gateway-EQX-REN
    }
    
    if { [IP::addr [IP::client_addr] equals "20.3.2.3/32"] } {
        snatpool POOL-SNAT-CLD-RET
        pool gateway-EQX-RET
    }
    

    Thanks, Stephan

  • Btw, there is an even better approach by using the "switch" command:

    switch [IP::client_addr] {
        "20.33.2.2" {
            snatpool POOL-SNAT-CLD-REN 
            pool gateway-EQX-REN
        }
        "20.3.2.3" {
            snatpool POOL-SNAT-CLD-RET
            pool gateway-EQX-RET
        }
    }
    
  • I get the following error:

        01070151:3: Rule [Specific_Irule_Ret] error: line 1: [command is not valid in the current scope] [switch [IP::client_addr] { "20.33.2.2" { snatpool POOL-SNAT-CLD-RET pool gateway-EQX-RET } "20.33.2.3" { snatpool POOL-SNAT-CLD-RET pool gateway-EQX-RET } }] line 1: [command is not valid in the current scope] [IP::client_addr]

    BIG-IP F5 Version 10.2.2 (build 852.0)

     

  • Hi PATLOC,

    true, I provided just the command and not the full iRule.

    Here we go:

    when CLIENT_ACCEPTED {
        log local0. "ip-client address [IP::client_addr]"
        switch [IP::client_addr] {
            "20.33.2.2" {
                snatpool POOL-SNAT-CLD-REN
                pool gateway-EQX-REN
            }
            "20.3.2.3" {
                snatpool POOL-SNAT-CLD-RET
                pool gateway-EQX-RET
            }
        }
    }
    

    Thanks, Stephan

  • Hello Stephan,

    tail -f /var/log/ltm shows only the following two iRules matching:

        Rule Snat_Pool_Specific_Servers : Snat Pool: POOL-SNAT-CLD-SMTP-WEB
        Rule Select_Specific_ISP : Pool: New-default-Gateway

  • Hi PATLOC,

    sorry for responding late (two long days on customer site).

    Source NAT (aka F5 "Secure NAT") has a couple of aspects and on F5 TMOS you will see multiple ways to get it applied.

    The following methods can be used:

    - SNAT Automap (floating self IP of the outgoing [aka serverside] VLAN will be used to replace the client IP address)
    - SNATpool (an address from a pool of specified addresses will be picked to replace the client IP address)
    - Default SNAT (global configuration object specifying the inbound VLAN or client IP address/range and the associated SNAT translation address or SNATpool)
    - Simple specific SNAT by using the "snat snat_address" command in an iRule ("snat_address" will be used to replace the client IP address)
    - Simple SNAT based on a SNATpool by using the "snatpool snatpool_name" command in an iRule (an address contained in "snatpool_name" will be used to replace the client IP address)
    - Selective SNAT in an iRule will match for conditions, i.e. original client IP address, destination IP address (in case of forwarding virtual servers or virtual servers with destination NAT disabled and associated with a next hop pool [aka "gateway_pool"])

    Please keep in mind that SNAT is by default applied to TCP and UDP traffic only. A global setting has to be changed if you want to source NAT i.e. ICMP or other traffic with non-TCP/UDP transport protocols.

    (Change it in the WebUI: System >> Configuration : Local Traffic : General [SNAT Packet Forwarding: All traffic].) Source NAT can be applied by specifying a Default SNAT (I avoid this approach wherever possible), by configuring SNAT AutoMap or a SNATpool in the context of a virtual server, or by assigning an iRule with a SNAT function to a virtual server.

    So source NAT will either require a Default SNAT or a matching virtual server with related configuration parameters or iRule.

    If I understand your question right, you want to apply a selective decision.

    Would you please provide the following information allowing us to support you:

    - Original client IP address/es or ranges in case you want a specific handling,
    - Address/es to be used to replace the client IP address in the forwarded IP datagram,
    - Destination address/es where traffic has to be forwarded to in case you want a specific handling,
    - Transport protocol (i.e. TCP/UDP or just ICMP),
    - Verbal description of the decision criteria (i.e. picking a SNAT depending on the original client IP address/range or picking a SNAT depending on the target or next hop).

    Thanks & enjoy the weekend, Stephan

     

  • hello

    I inserted a picture that explains the architecture.

    Thank you for your help

  • Hi PATLOC,

    to catch outgoing traffic, you will need a virtual server (network 0.0.0.0/0, performanceL4, all-protocols, iRule assigned).
    ltm virtual virtual_outbound_wildcard {
        destination any:any
        mask any
        profiles {
            fastL4 { }
        }
        rules {
            rule_selective_snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            VLAN-Front-End
        }
        vlans-enabled
    }
    

    The iRule looks as follows:

    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            "20.33.2.2" -
            "20.33.2.3" {
                snatpool snatpool_CLD-REN
                pool pool_gateway-EQX-RET
            }
            default {
                snatpool snatpool_CLD-SMTP-WEB
                pool pool_gateway-EQX
            }
        }
    }
    

    The iRule is referencing the individual next hop pools (each containing your specific default gateways) and SNATpools as follows:

    ltm snatpool snatpool_CLD-REN {
        members {
            185.4.25.203
        }
    }
    ltm snatpool snatpool_CLD-SMTP-WEB {
        members {
            217.69.24.64
        }
    }
    

    To activate SNAT for all protocols (including ICMP; by default TCP/UDP only will be SNATed) you run the following command, please:

    tmsh modify sys db snat.anyipprotocol value enable
    

    Thanks, Stephan
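To make the precedence question in this thread concrete, here is an added Python model (not iRule code, and not from F5 or any poster here) of the selective-SNAT decision using the thread's own addresses and pool names. It contrasts first-match evaluation (what a switch does), a chain of independent if blocks where a later match overwrites the earlier selection (assumed behaviour), and order-independent longest-prefix matching. The DEFAULT_ACTION pair and the "last match wins" semantics are assumptions of this example.

```python
import ipaddress

# Selective-SNAT decision table built from the names used in this thread.
# Each entry maps a client source prefix to the (snatpool, next-hop pool)
# pair the iRule selects. Host entries are deliberately listed before the /16.
SNAT_POLICY = [
    ("20.33.2.2/32", ("POOL-SNAT-CLD-REN", "gateway-EQX-REN")),
    ("20.33.2.3/32", ("POOL-SNAT-CLD-RET", "gateway-EQX-RET")),
    ("20.33.0.0/16", ("POOL-SNAT-CLD-PAT-PROD", "new-default-gateway")),
]
# Catch-all, mirroring the "default" branch of the switch-based iRule
# (assumed pairing for this example).
DEFAULT_ACTION = ("snatpool_CLD-SMTP-WEB", "pool_gateway-EQX")


def _matches(client_ip, policy):
    """Yield (prefix_length, action) for every entry containing client_ip.

    A malformed address literal raises ValueError here instead of silently
    never matching.
    """
    addr = ipaddress.ip_address(client_ip)
    for prefix, action in policy:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net:
            yield net.prefixlen, action


def select_first_match(client_ip, policy=SNAT_POLICY):
    """Switch-style evaluation: the first matching entry wins and ends it."""
    for _, action in _matches(client_ip, policy):
        return action
    return DEFAULT_ACTION


def select_last_match(client_ip, policy=SNAT_POLICY):
    """Chain of independent 'if' blocks (assumption: each later snatpool/pool
    command replaces the earlier selection), so the last matching entry wins.
    With the table above, a host in 20.33.2.0/24 ends up on the /16 action."""
    chosen = DEFAULT_ACTION
    for _, action in _matches(client_ip, policy):
        chosen = action
    return chosen


def select_longest_prefix(client_ip, policy=SNAT_POLICY):
    """Most-specific prefix wins regardless of the order entries are listed in."""
    hits = list(_matches(client_ip, policy))
    if not hits:
        return DEFAULT_ACTION
    return max(hits, key=lambda hit: hit[0])[1]
```

Reversing the table order shadows the host entries under first-match evaluation but not under longest-prefix matching, which is the check to run whenever host rules and a covering range coexist in one iRule.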

  • Stephan,

    Sorry, this issue is not solved.

    The BIG-IP link is not translated, but it matches. Model 1600, version 10.2.2 Hotfix HF1.

    Thanks, Patloc


    • StephanManthey
      Hi PATLOC, would you please provide the output of the following commands:

          tmsh list ltm snat
          tmsh list ltm snat-translation
          tmsh list ltm snatpool
          tmsh list net self
          tmsh list net route
          tmsh list ltm virtual
          tmsh list ltm pool

      This would help us to understand your current configuration. Thanks, Stephan
    • PATLOC_183933
      Hi Stephan, do you have a private email, because this information is confidential? Thanks, PATLOCK