OneConnect source-mask explainer
Paste a one-connect profile for the full option audit with the man page's own semantics and defaults, or simulate a mask against real client IPs and watch the reuse groups form. The marquee demonstration: SNAT translates first, so a single SNAT address collapses every client into one reuse group no matter how narrow the mask.
NetworkingRuns locally in your browser. Nothing you paste leaves this page.
API endpointGEThttps://ronutz.com/api/v1/f5-oneconnect-source-maskDocumented, not served. Opens the specification.
References
- F5 TMSH Reference v17: ltm profile one-connect (grammar, every default, the 0.0.0.0 and host-mask semantics, all three limit-type behaviors including strict's own not-recommended warning, share-pools)
- F5 K7208: Overview of the OneConnect profile (SNAT translation happens first; the source mask applies to the translated address)
- F5 K5911 (states the same SNAT-before-mask ordering; the two articles corroborate each other)
- F5 DevCentral: How OneConnect Profile's max-size works (the reuse pool divides per TMM; Current Idle counts every idle server-side connection, eligible or not)