Forum Discussion

somefreak_18447
Jan 27, 2015

snat irule not working as expected

Hi All,


I have an existing, working iRule that will SNAT based on the IP address (i.e. if it's off the corporate network 10.0.0.0/16 it will SNAT):


    when CLIENT_ACCEPTED {
      if {[class match [IP::remote_addr] equals app_servers]} {
        if {not [IP::addr [IP::local_addr] equals 10.0.0.0/16]} {
          snat 10.0.255.1
        }
      }
    }


However I need to exclude another range, so I changed the rule to this:

    when CLIENT_ACCEPTED {
      if {[class match [IP::remote_addr] equals app_servers]} {
        if {not [IP::addr [IP::local_addr] equals 10.0.0.0/16] or not [IP::addr [IP::local_addr] equals 10.128.0.0/24]} {
          snat 10.0.255.1
        }
      }
    }


The syntax seems to be fine, but adding the second address stops it from matching the rule altogether (i.e. everything gets SNATed). Can anyone see where I am going wrong?


Any help appreciated, thanks, Tim


1 Reply

  • Give this a shot.

    when CLIENT_ACCEPTED {
      if {[class match [IP::remote_addr] equals app_servers]} {
        # SNAT only when the address is in NEITHER excluded range.
        # "not A or not B" is true for every address, because no address can be
        # inside both 10.0.0.0/16 and 10.128.0.0/24 at once, so it must be "and".
        if {(not [IP::addr [IP::local_addr] equals 10.0.0.0/16]) and (not [IP::addr [IP::local_addr] equals 10.128.0.0/24])} {
          snat 10.0.255.1
        }
      }
    }
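As an added illustration that is not part of the original thread, the small Python script below models the two predicates from the discussion against a few constructed sample addresses, using the standard `ipaddress` module in place of the iRule's `IP::addr ... equals` check. It shows why "not in A or not in B" SNATs every address when the two ranges do not overlap, and that "not in A and not in B" (equivalently: in none of the excluded ranges) is the condition that excludes both. The `needs_snat_any` helper generalises the same check to any list of excluded ranges; the function names and sample addresses are assumptions made for this example.

```python
import ipaddress

# Ranges from the thread: the corporate network and the extra range to exclude.
CORP_NET = ipaddress.ip_network("10.0.0.0/16")
EXTRA_NET = ipaddress.ip_network("10.128.0.0/24")

# Constructed sample client addresses (not from the original post).
SAMPLES = ["10.0.12.34", "10.128.0.7", "10.128.1.7", "192.168.5.5"]


def needs_snat_or(addr: str) -> bool:
    """The predicate as first written: 'not in A or not in B'.

    Because CORP_NET and EXTRA_NET are disjoint, no address is inside both,
    so at least one 'not in' term is always true and every address matches.
    """
    ip = ipaddress.ip_address(addr)
    return (ip not in CORP_NET) or (ip not in EXTRA_NET)


def needs_snat_and(addr: str) -> bool:
    """Corrected predicate: SNAT only when the address is in neither range."""
    ip = ipaddress.ip_address(addr)
    return (ip not in CORP_NET) and (ip not in EXTRA_NET)


def needs_snat_any(addr: str, excluded) -> bool:
    """General form (hypothetical helper): SNAT iff the address is in none
    of the excluded networks, however many there are."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in excluded)


def compare(samples=SAMPLES) -> dict:
    """Return {address: (or_result, and_result)} so the difference is visible."""
    return {a: (needs_snat_or(a), needs_snat_and(a)) for a in samples}


if __name__ == "__main__":
    for addr, (with_or, with_and) in compare().items():
        print(f"{addr:>14}  or->SNAT={with_or!s:5}  and->SNAT={with_and}")
```

Running it shows the `or` column is `True` for every sample, matching the symptom in the question ("everything gets SNATed"), while the `and` column is `False` for 10.0.12.34 and 10.128.0.7 and `True` only for addresses outside both ranges.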