Forum Discussion

shakalakka
Nov 16, 2022

Explicit proxy and snat-pools

Hi,

We are setting up an explicit proxy for some testing. What we have so far is pretty much the same as this article:
Explicit proxy example 

Under the "Create a wildcard virtual server" section you create a listener for the tunnel interface. In the example they used automap, but we changed this to a SNAT pool to better suit our firewall rulesets. However, we would like to have one SNAT pool/listener for traffic that is not in a pre-defined hostname list, and one SNAT pool for traffic that is in a "whitelisted" hostname list. I don't quite understand what this wildcard listener does, but it clearly is selected after you hit the proxy IP VS. So if we have 1.1.1.1:8080 as our proxy VS, the next thing that happens is that F5 selects the 0.0.0.0:0 wildcard VS that is configured through the HTTP profile. The documentation doesn't really explain why this wildcard listener is needed, and is it possible to select a different wildcard listener with a different SNAT pool in an iRule?

As far as I can see, I could create a new wildcard VS with another SNAT pool and enable it on the tunnel interface, but I have no clue how to select it.

  • xuwen

    Creating the 0.0.0.0:0 forwarding IP VS (or a 0.0.0.0:443 standard TCP VS) is required by the http-explicit profile's attribute Explicit Proxy >> Default Connect Handling: Deny. If its value is set to Allow, the all-zeros VS may not be required.
    Select the snatpool based on the whitelisted domain name. I use switch to match. If you want to expand the scope, you can use class match to match.

    Tips: the explicit VS and the 0.0.0.0:0 VS do not need Automap enabled, and the 0.0.0.0 VS does not need an HTTP profile; using only a TCP profile also works.

    The iRule name is http_explict_snatpool_irules

    when HTTP_PROXY_REQUEST {
        # Log the proxy request; for CONNECT the URI is "host:port"
        log local0. "[HTTP::method] [HTTP::uri]"
        # URI::host extracts the host from either an absolute URL or a CONNECT
        # authority, so the same match works for HTTP and HTTPS proxy requests
        switch [string tolower [URI::host [HTTP::uri]]] {
            "www.bestpay.com" {
                # whitelisted host: egress through the dedicated SNAT pool
                snatpool snatpool_explict_white
            }
            "default" {
                # everything else: egress through the default SNAT pool
                snatpool snatpool_explict_default
            }
        }
    }

    Explicit VS config:

    list ltm virtual https_vs_explict
    ltm virtual https_vs_explict {
        creation-time 2022-11-02:13:12:21
        destination 10.199.3.10:3128
        ip-protocol tcp
        last-modified-time 2022-11-16:21:11:57
        mask 255.255.255.255
        profiles {
            new_http_explict_proxy { }
            tcp { }
        }
        rules {
            http_explict_snatpool_irules
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans {
            vlan-HA
        }
        vlans-enabled
        vs-index 49
    }

    0.0.0.0:443 standard TCP VS config:

    list ltm virtual VS_explict_2022
    ltm virtual VS_explict_2022 {
        creation-time 2022-11-03:10:09:21
        destination 0.0.0.0:https
        ip-protocol tcp
        last-modified-time 2022-11-16:21:27:50
        mask any
        profiles {
            tcp { }
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            my_httptunnel
        }
        vlans-enabled
        vs-index 39
    }


    ltm snatpool snatpool_explict_default {
        members {
            10.20.20.177
        }
    }
    ltm snatpool snatpool_explict_white {
        members {
            10.20.20.170
        }
    }
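An added example (not posted by xuwen or F5) that follows the "class match" suggestion above: the whitelist is moved out of the iRule into data groups, so hosts can be added in tmsh without touching the rule. The data group names dg_explicit_white_hosts and dg_explicit_white_domains are assumptions; the SNAT pool names are the ones from the config above. Exact hosts and domain suffixes are kept in separate data groups on purpose: an ends_with check against an exact-host record such as www.bestpay.com would also match evilwww.bestpay.com, which is not what an allow list should do.

```tcl
# Added example, not from the original thread.
# Assumed data groups (tmsh), one record per host, value unused:
#   ltm data-group internal dg_explicit_white_hosts {
#       records { www.bestpay.com { } }
#       type string
#   }
#   ltm data-group internal dg_explicit_white_domains {
#       records { .bestpay.com { } }   # leading dot: matches subdomains only
#       type string
#   }

when HTTP_PROXY_REQUEST {
    # For CONNECT the URI is "host:port", for plain HTTP an absolute URL;
    # URI::host returns only the host part in both cases. The value is
    # client-supplied, so it is only used to choose the SNAT pool, never trusted
    # as proof of where the connection will actually go.
    set host [string tolower [URI::host [HTTP::uri]]]

    if { $host eq "" } {
        # malformed request line: treat as non-whitelisted
        snatpool snatpool_explict_default
        log local0. "proxy [HTTP::method] (no host) -> default"
        return
    }

    # 1. exact hostname match against the whitelist
    if { [class match $host equals dg_explicit_white_hosts] } {
        snatpool snatpool_explict_white
        log local0. "proxy [HTTP::method] $host -> white (exact)"
        return
    }

    # 2. suffix match; records are stored with a leading dot (".bestpay.com"),
    #    so "api.bestpay.com" matches but "notbestpay.com" does not
    if { [class match $host ends_with dg_explicit_white_domains] } {
        snatpool snatpool_explict_white
        log local0. "proxy [HTTP::method] $host -> white (suffix)"
        return
    }

    # 3. everything else leaves through the default SNAT pool
    snatpool snatpool_explict_default
    log local0. "proxy [HTTP::method] $host -> default"
}
```

Attach the rule to the explicit proxy VS (10.199.3.10:3128 above) in place of http_explict_snatpool_irules; the wildcard VS on the tunnel VLAN needs no change, since the SNAT selection has already happened on the proxy-side connection.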

    • shakalakka

      Thanks, I'll try this now!
      What confuses me a bit is I don't really know what the wildcard actually does. If I read the doc for default connect handling, it says that a VS must be created for the outbound connection, otherwise the connection will be dropped (if connect handling is set to deny). I'm just struggling a bit to see the difference in the actual connection setup between "allow" and "deny". If the BIG-IP in "allow" mode just sets up the connection to the server, what difference does the wildcard VS make on the return traffic?

      • xuwen

        It seems that the forum has an article that tests whether HTTP and HTTPS traffic can be proxied in Deny and Allow modes (you can search for this article). If Allow is set, it is equal to "firewall acl permit any": it permits traffic to the destination IP that the DNS resolvers resolve for the destination domain name.
        Note that the zone of the DNS Resolver should be set to ".", otherwise, if your proxy domain name is not in the zone, BIG-IP will report a 503 status code.