Forum Discussion
Tiger86_92132
Nimbostratus
Apr 19, 2011
A simple load balancing network
Hi,
I'm using a BIG-IP 1600 with the LC module. I need to configure a simple load balancing network (I just need outbound load balancing). Here's my network:
- I have 2 external VLANs for 2 Internet lines, with 2 modems connected via PPPoE to the Internet (using NAT on the modems) (192.168.101.0/24 and 192.168.102.0/24)
- and 1 internal VLAN for clients (10.8.23.0/24)
I followed the configuration guide:
- create VLANs
- config self IPs for all VLAN
- define 2 Links for internet lines
- create Pool named default_gateway_pool that include 2 LAN IPs of the modems
- define a wildcard virtual server with default_gateway_pool
- create default route: using Pool default_gateway_pool
From the F5 I can ping the clients, the LAN IPs of the routers and the Internet, but from a client I can ping only the self IP of the internal VLAN. I use the self IP of the internal VLAN as the gateway for the clients, is that right?
Could anyone tell me what step I missed?
Many thanks
30 Replies
- Tiger86_92132
Nimbostratus
My BIG-IP 1600 has the LTM and LC modules. I tested blocking web pages based on the IP of these pages, and it works. Can it block web pages based on the web address?
Thank you
- hoolio
Cirrostratus
If you have LTM licensed you'll be able to inspect and modify HTTP content. If it's a network (0.0.0.0) virtual server with a TCP and HTTP profile, you can check the IP::local_addr value or check the [HTTP::host] value to see what the client is requesting. You can send an HTTP response using HTTP::respond.
http://devcentral.f5.com/wiki/default.aspx/iRules/ip__local_addr
http://devcentral.f5.com/wiki/default.aspx/iRules/http__host
http://devcentral.f5.com/wiki/default.aspx/iRules/http__respond
Aaron
- Tiger86_92132
Nimbostratus
Thank you Aaron. I'm sorry, but I'm not familiar with writing code. Would you please provide me with an example of blocking web pages such as facebook, twitter, megaupload, ...
My LANs are using the subnet 10.8.x.x/16.
Thank you
- JRahm
Admin
    when HTTP_REQUEST {
        # Only filter clients coming from the internal LAN
        if { [IP::addr [IP::client_addr] equals 10.8.0.0/16] } {
            # Match the Host header (lower-cased) against the blocked names
            switch -glob [string tolower [HTTP::host]] {
                "*facebook*" -
                "*twitter*" -
                "*megaupload*" { discard }
                default { forward }
            }
        }
    }
untested, but gives you an idea of the approach.
- hoolio
Cirrostratus
You'd probably also want to do a DNS lookup for host headers with an IP address to block access by IP as well. For 10.x, it would be best to upgrade to the latest 10.2.1 hotfix and use RESOLV::lookup to do this:
http://devcentral.f5.com/wiki/default.aspx/iRules/resolv__lookup
Aaron
- Tiger86_92132
Nimbostratus
Thank you very much, Jason and Aaron. Yes, I'm afraid that users can find out the IP of these web pages and access them through IP addresses. Please provide an example of using RESOLV::lookup to block access by IP
- JRahm
Admin
there is an example in the link hoolio posted above.
- hoolio
Cirrostratus
Here's an example which uses a subtable to cache the DNS lookups:
    when RULE_INIT {
        # A unique name to store the DNS responses for each client IP
        set static::dns_table "dns_table"
        # Cache timeout in seconds (5min for example)
        set static::cache_timeout 300
        # DNS virtual server name or DNS server IP address. A virtual server pointing
        # to a pool of DNS servers is much preferred for reliability!
        set static::dns_server 4.2.2.1
    }
    when CLIENT_ACCEPTED {
        # Trigger a name lookup for new connections
        set do_lookup 1
        log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]"
    }
    when HTTP_REQUEST {
        # Check if we haven't done a lookup already on this connection
        if { $do_lookup } {
            log local0. "[IP::client_addr]:[TCP::client_port]: Checking [IP::client_addr] in cache"
            # Check if a lookup already exists in the cache for this client IP
            set ptr [table lookup -subtable $static::dns_table [IP::client_addr]]
            if { $ptr eq "" } {
                log local0. "[IP::client_addr]:[TCP::client_port]: No cached value, doing a DNS lookup"
                # Do a reverse lookup on the client IP address (server first, then record type)
                set ptr [RESOLV::lookup @$static::dns_server -ptr [IP::client_addr]]
                log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: $ptr"
            } else {
                log local0. "[IP::client_addr]:[TCP::client_port]: Cached result: $ptr"
            }
            # Check if the PTR record ends with .mil
            if { [string tolower $ptr] ends_with ".mil" } {
                # Allow .mil addresses and track that we've done a lookup for this connection
                log local0. "[IP::client_addr]:[TCP::client_port]: Valid ptr, allowing request"
                table add -subtable $static::dns_table [IP::client_addr] $ptr $static::cache_timeout indef
                set do_lookup 0
            } else {
                # PTR record does not end with ".mil", reject the connection
                log local0. "[IP::client_addr]:[TCP::client_port]: Invalid PTR, blocking HTTP request."
                HTTP::respond 403 content "Invalid PTR!\r\n"
                TCP::close
            }
        }
    }
Aaron
- Tiger86_92132
Nimbostratus
Thanks a lot. In my case, I'll have to change this "if { [string tolower $ptr] ends_with ".mil" }" to "if { ([string tolower $ptr] contains "facebook") | ([string tolower $ptr] contains "twitter") | ([string tolower $ptr] contains "megaupload")}", is that right?
I want to use a pool of DNS servers (208.67.222.222 and 8.8.8.8); which lines do I have to change?
And where do I have to add my LAN 10.8.0.0/16?
Help me please
- hoolio
Cirrostratus
Are users configuring an LTM virtual server IP address as their browser's web proxy? Or are the HTTP requests being sent transparently through a network virtual server?
And how do you want the iRule behavior to change if the client is on your LAN or not? If you only want clients from the LAN to be able to use this virtual server, you can enable it only on that VLAN.
Aaron
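As an added example (not posted by anyone in this thread), here is one way the two approaches above fit together in a single iRule: only clients from 10.8.0.0/16 are filtered, the Host header is matched against the blocked names, and when the Host header is a bare IP address a cached reverse lookup via RESOLV::lookup supplies the name instead. The DNS virtual server name dns_vs, the subtable name ptr_cache and the cache timeout are assumptions.

```tcl
when RULE_INIT {
    # Assumed: a DNS virtual server (pointing to a pool of resolvers) and a cache timeout
    set static::dns_vs "dns_vs"
    set static::cache_timeout 300
    set static::blocked_patterns [list "*facebook*" "*twitter*" "*megaupload*"]
}

when HTTP_REQUEST {
    # Only filter clients on the internal LAN; everything else passes untouched
    if { ![IP::addr [IP::client_addr] equals 10.8.0.0/16] } { return }

    # Drop any :port suffix from the Host header and normalise case
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Bare IPv4 address in the Host header: resolve it to a name (cached per IP,
    # assumed subtable name ptr_cache) so the name match is still applied
    if { [regexp {^\d+\.\d+\.\d+\.\d+$} $host] } {
        set name [table lookup -subtable "ptr_cache" $host]
        if { $name eq "" } {
            set name [RESOLV::lookup @$static::dns_vs -ptr $host]
            # Cache failures too, so an unresolvable IP is not looked up on every request
            if { $name eq "" } { set name "unresolved" }
            table add -subtable "ptr_cache" $host $name $static::cache_timeout indef
        }
        set host [string tolower $name]
    }

    # Match the (possibly resolved) name against the block list
    foreach pattern $static::blocked_patterns {
        if { [string match $pattern $host] } {
            log local0. "[IP::client_addr]: blocked request for [HTTP::host] (matched $pattern)"
            HTTP::respond 403 content "Access to this site is blocked.\r\n"
            return
        }
    }
}
```

A reverse lookup only helps when the PTR record of the address actually contains the blocked name; many large sites serve from addresses whose PTR names do not, so this catches the casual case rather than guaranteeing enforcement.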