applying snat based on route out of local network

Thanks for the ideas. I was thinking about seperate snat and non-snat rules, but when you're looking at it in a live environment it doesn't seem too acceptable to have a dns server one side of a router, and a different one for the other side...

I think i'm going to be looking at a matchclass for the time being, containing my server side subnets. Ultimately i'll never ever know all the addresses i could be coming from but a can check whether client and destination and both in or out of a class.

What about this:

when LB_SELECTED {
  set ::client_match [matchclass [IP::client_addr] equals $::server_networks]
  set ::server_match [matchclass [LB::server addr] equals $::server_networks]
  if { $::client_match == 0 and $::server_match > 0 }  {
    return 
  } elseif { $::client_match > 0 and $::server_match == 0 }  {
    return 
  } 
  snatpool mt_snatpool
}

Ugliness here rises from there being no XOR operator as far as i am aware and the matchclass returning the number of the entry in the list if there is one, and not just 0 and 1 (otherwise you could add the two results and see if it still equals 1).

Unless i'm missing something fundamental this sort of logic would need to apply to virtually EVERY single connection in order to avoid SNAT's when possible, but add automatically otherwise. Luckily my "internal" networks are finite and small, so is still manageable, but it's still not as nice as being able to check outright if they are on the same side of the box. As i am using an internal and external vlan joined on a vlan group that seems like a shame. I can see what vlan my client is coming from, but can't for the server part of it.

Thanks

A bit more work and it's a bit better and more efficient (I think)

  when LB_SELECTED {
     server_networks is a data group / class defined elsewhere
     start with zero score
    set snat_score 0
     increase score if client is on server network
    if {[matchclass [IP::client_addr] equals $::server_networks]} {
      incr snat_score 
    }
    
     increase score if server is on server network
    if {[matchclass [LB::server addr] equals $::server_networks]} {
      incr snat_score 
    }
   
     if score is not 1 then client and server are on
     same side of LTM, so SNAT is required
    if { $snat_score != 1 } {
      snatpool my_snatpool
    }
  }

Of course if i'm missing something really fundamental here about the need to SNAT then i'd appreciate advice!

What are you losing by using SNAT? (Also, what protocols?)

 

 

I just use SNAT automap at the VIP level when the application needs will let me get away with it.

 

 

-Brian

Well when possible we want to know where the connection came from on the server, and I am after a way to apply this generically across the board on any service. My tests have generally been on dns lookups and such, but if it's us rediredcting http traffic to a proxy using ident authentication or whatever then we would want to avoid the snat. Also there is the visibility of the traffic in general. If we have 3000 clients coming from a 10 ip snat pool and some are causing trouble, the snat is a big obstacle.

 

 

Currently we have servers on both sides of the box, so having a simple way to snat if it's needed, and not if we don't have to should hopefully provide the benefits of no snatting without having to realise whether we need to or not. if a server moves from one side to another, then the requirement to Snat will change, but using this sort of test, it would be taken in its stride.

 

 

I wouldn't expect to be using a rule like this on *everything*... i'm sure that stuff like dns would be better off just automapped and then ignored forever more, I just don't want to get caught out with many arbitrary things to check on, when an irule like this will just do what must be done, and nothing else.

 

 

I assume you think this all sounds pointless... and you may well be right, but currently i'm just about to put our beasts live in a data center and want to feel comfortable with what's going to happen.

 

 

Cheers

 

 

Chris