Forum Discussion

Hamish
Jul 31, 2008

Forming a 'tunnel' between F5 pairs...

I have an idea... Well... It's a possible solution for an interesting challenge I have.

Is it possible for an iRule to ALTER an IP field (e.g. srcIP/port) in a packet before transmitting it?

What I want to accomplish is to have a front-end F5 and a backend F5. Clients talk to the front-end F5 and the front end then forwards the traffic off to a VS on a backend F5. Because the backend F5 is probably not in the same VLAN (or data centre, possibly not even the same country) I want to effectively tunnel the traffic from the FE to the BE LTM...

iRules and LTM lack a tunnel facility for this, so I thought of creating one using iRules... And a bit of jiggery-pokery to insert the info somewhere needed to re-create the real IP/port at the BE... But the Wiki implies that the IP::client_addr etc. functions are read-only, and not read/write...

Anyone done anything similar?

TIA

Hamish.
  • For TCP, you can do this with something like this....

    On client side VIP:

    - SNAT to LTM address
    - point to pool which contains remote side LTM VIP as a member (or use node command)
    - iRule to insert src/dst IP/port at beginning of TCP payload
    - serverside SSL

    On server side VIP:

    - clientside SSL
    - iRule to extract original src/dst IP/port and remove it from beginning of TCP payload
    - use src IP/port information from previous step with snat command, use dst IP/port with node command

    For UDP, you probably can do as well but without SSL. (Other encryption may work.)
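One way to implement the TCP variant described in the reply above, as an added example that is not the poster's or F5's code. It assumes IPv4 client addresses, a constructed 12-byte preamble (source IP, 4 bytes; source port, 2; destination IP, 4; destination port, 2; all network byte order), that the SNAT, pool and clientssl/serverssl profiles are configured on the two virtual servers exactly as the reply lists them, and that the client sends the first bytes of the conversation (the preamble rides on the first client data, so server-speaks-first protocols would need a different trigger). The event handlers, variable names and header layout are all choices made here, not anything prescribed by the platform.

```tcl
# ---- Front-end (client side) virtual server iRule ----
# Assumes: SNAT to the LTM address and a pool containing the remote LTM VIP
# are configured on this VS, and a serverssl profile encrypts the hop.
when CLIENT_ACCEPTED {
    # Record the original 4-tuple before SNAT rewrites it on the server side.
    set orig_src_ip   [IP::client_addr]
    set orig_src_port [TCP::client_port]
    set orig_dst_ip   [IP::local_addr]
    set orig_dst_port [TCP::local_port]
    # Hold the first client bytes so the preamble can be prepended to them.
    TCP::collect
}
when CLIENT_DATA {
    # Constructed 12-byte preamble: srcIP(4) srcPort(2) dstIP(4) dstPort(2).
    # "c4" consumes a 4-element list of octets; "S" is a big-endian 16-bit value.
    set hdr [binary format c4Sc4S \
        [split $orig_src_ip .] $orig_src_port \
        [split $orig_dst_ip .] $orig_dst_port]
    # Insert at offset 0 without replacing any existing bytes, then let the
    # (now prefixed) payload flow through the encrypted server-side connection.
    TCP::payload replace 0 0 $hdr
    TCP::release
}

# ---- Back-end (server side) virtual server iRule ----
# Assumes: a clientssl profile terminates the front-end's TLS, so TCP::payload
# here is already decrypted application data.
when CLIENT_ACCEPTED {
    # Wait until the full 12-byte preamble has arrived before parsing.
    TCP::collect 12
}
when CLIENT_DATA {
    binary scan [TCP::payload] c4Sc4S s_octets s_port d_octets d_port

    # "c" and "S" scan as signed values in Tcl 8.4; mask them back to unsigned.
    set src_ip {}
    foreach o $s_octets { lappend src_ip [expr {$o & 0xff}] }
    set src_ip [join $src_ip .]
    set dst_ip {}
    foreach o $d_octets { lappend dst_ip [expr {$o & 0xff}] }
    set dst_ip [join $dst_ip .]
    set src_port [expr {$s_port & 0xffff}]
    set dst_port [expr {$d_port & 0xffff}]

    # Strip the preamble so the real application bytes reach the server untouched.
    TCP::payload replace 0 12 ""

    # Re-create the original tuple: source address via SNAT, destination via node.
    snat $src_ip $src_port
    node $dst_ip $dst_port
    TCP::release
}
```

Two points a practitioner should weigh before deploying something like this. The back-end iRule trusts whatever tuple the preamble carries, so the back-end VS must only be reachable by the front-end LTM: the clientssl/serverssl pairing the reply proposes should verify the front-end's certificate, and the VS should not be exposed more widely than that hop requires. Second, SNATting to the original client address means the servers behind the back-end LTM will answer to that address, so their return path has to route back through the back-end LTM, or the connection will never complete.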