SNAT based on incoming IP

Question

I have a need to snat based on the incoming IP. It should be relatively straight forward but I can't seem to make my mind wrap around this.. or what's the best way to do it. 
&nbsp;  
&nbsp; I have a private subnet that is divided into 3 ranges (prod/dev/test) and I need to SNAT based on which IP is connecting... For example if server in the DEV range connects then it should get SNAT A, test should get SNAT B and production should get SNAT C. 
&nbsp;  
&nbsp; So I need the iRule to evaluate something similiar 
&nbsp;  
&nbsp; 10.9.9.0/26  gets SNAT A 
&nbsp; 10.9.9.65/26 gets SNAT B and 
&nbsp; 10.9.9.128/26 gets SNAT C 
&nbsp;  
&nbsp; Also, do you know what the load would be of implementing such a rule on the CPU? I would guess that there would be less than 50 connections per minute. 
&nbsp;  
&nbsp; Any help would be greatly appreciated.

l4l7_53191 · Answer

Kevin: you can definitely do this. Here's a good starting point that may work with minimal modification on your part: 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html 
&nbsp;  
&nbsp; Give this a look and post back if you've got any questions. Regarding the load, this is a very lean-and-mean operation. I wouldn't be concerned here at all. 
&nbsp;  
&nbsp; -Matt

kevin_nail · Answer

This looks good but I was really hoping for a solution that would examine all 3 choices at once. This would have to be 3 separate rules if I read this right. Would it be possible to examine the incoming IP and make one of 3 choices od SNAT IPs? 
&nbsp;  &nbsp;

l4l7_53191 · Answer

I've not tested this (don't have the time at the moment), but maybe something like this? Obviously change the IPs to suit your environment. 
  
  when CLIENT_ACCEPTED { 
 switch [IP::client_addr] { 
  
 10.9.9.0/26 { snat 10.9.9.16 } 
 10.9.9.65/26 {snat 10.9.9.99} 
 10.9.9.128/26 {snat 10.9.9.24} 
 default { snat 10.10.10.99 } 
 } 
 } 
  
 -Matt

hooleylist · Answer

I think you're limited to string comparisons with switch. 
&nbsp;  
&nbsp; If you're on 10.1, you could use a new feature for address type datagroups described in this post (Click here) and reference the datagroup with the class command (Click here).   
&nbsp;  
&nbsp; Else, for older versions, I think you're stuck doing three checks in an if/elseif/elseif block.  Though, this could be done in a single iRule. 
&nbsp;  
&nbsp; Aaron

l4l7_53191 · Answer

Gah - what was I thinking? Sorry about that, try this one instead. Obviously change your snat IPs to something sensible, and be sure and change the last "else" to something if you don't want to simply forward the traffic on. 
  
  when CLIENT_ACCEPTED { 
 if { [IP::addr [IP::client_addr] equals 10.9.9.0/26] }{ 
 snat 1.1.1.1 
 } 
 elseif { [IP::addr [IP::client_addr] equals 10.9.9.65/26] }{ 
 snat 2.2.2.2 
 } 
 elseif { [IP::addr [IP::client_addr] equals 10.9.9.128/26] }{ 
 snat 3.3.3.3 
 } 
 else {  
 forward 
 } 
 } 
  
 -Matt

Forum Discussion

SNAT based on incoming IP

9 Replies

Recent Discussions

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

SNAT IP address logging

Cookie-based DDoS protection

iRule based RADIUS Client Stack

SNAT pool persistence

iRule based RADIUS Health Monitor Builder