Forum Discussion
hung_37471
Sep 27, 2011 (Nimbostratus)
How to config PBR
hi all
can you help me, how to config PBR on the BIG-IP?
on the web GUI, I can't see anywhere to config PBR
thanks all
Sep 01, 2014
Hi Sumanta,
given the drawing, I guess you try to accomplish the following:
1. HTTP requests from internal LAN users for servers in the public internet should be routed / balanced to the proxy server.
2. Non-HTTP requests from internal LAN users and requests from the proxy server should simply be routed to the public internet through the ISP router.
Did I get it right?
What is required?
a) internal router has a default route pointing to the floating self IP (the one mapped to traffic-group-1) on southern VLAN interface of your F5
b) the proxy server has a default route pointing to the floating self IP (the one mapped to traffic-group-1) on eastern VLAN interface of your F5
c) the F5 has a default route pointing to the HSRP address on southern VLAN of your ISP router
d) the ISP router needs to apply source NAT for all outgoing traffic OR the F5 applies source NAT (SNAT) for all outgoing traffic (1st choice requires multiple routes to reach the internal networks and proxy server network via next hop floating self IP and the F5's northern VLAN; 2nd choice requires a route on your ISP router to use the floating self IP (mapped to traffic-group-1) on the northern VLAN of your F5 load balancer)
To get things done step-by-step I would start with configuration of ALL outbound traffic straight forward through the ISP router. Just use a network virtual server 0.0.0.0/0:any (all protocols) enabled on VLAN south and east in ForwardingIP mode and with SNAT automap enabled.
Will it pass through outgoing traffic?
Hint: if you want to SNAT outgoing ICMP traffic (actually all non-TCP/UDP traffic) it is necessary to run the following commands:
tmsh modify ltm global-settings general snat-packet-forward enabled
tmsh save sys config
It should also be possible now to browse the internet from your proxy.
Continue, if the public internet can be reached both by clients and by your proxy.
Ready for the next step:
If the pool (containing the proxy server) is "green", it can be associated with a new virtual server.
This new virtual server is another network wildcard virtual server 0.0.0.0/0:80 (tcp) in PerformanceL4 mode with SNAT automap enabled and using the proxyserver pool. Make sure it is enabled on the southern VLAN (where the client's requests are coming from) only! Otherwise it would catch the outbound requests of your proxy as well - a nice loop ...
Also click on address translation enabled, please.
The new virtual server will catch all client initiated http traffic and direct it to the proxy server(s).
The proxy will hopefully forward the client's request to the public internet.
Does it work?
Another virtual server with more or less the same configuration but listening on port 443 will catch outgoing https traffic if required.
But to get this working, the proxy needs to be able to intercept the SSL handshake. This is relatively easy in case the client is using the http CONNECT method.
I assume this will not be the case in your setup, as it would require the clients to be configured to use a proxy for internet access?
Perhaps some vendors are able now to craft a self-signed server certificate based on the SNI TLS attributes in real-time.
If your clients are indeed configured to use a proxy server, the setup above changes a bit.
In this case the virtual server to catch the clients requests will be of type host (/32 address) in combination with the proxy service port, PerformanceL4 mode, SNAT automap and the proxyserver pool assigned. Done.
I hope this helps a bit.
Thanks, Stephan
PS: Will go offline for today (0:45 a.m.)
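The steps in Stephan's reply, written out as tmsh commands as an added example (this is not code from the thread or from F5's documentation). The VLAN names, the proxy address 192.0.2.10 and the ISP gateway 198.51.100.1 are constructed placeholders; the commands are entered inside the tmsh shell (prefix each line with tmsh when running from bash).

```tmsh
# Added example, not from the thread. Assumed VLAN names: vlan_south (internal LAN),
# vlan_east (proxy segment), vlan_north (ISP). Addresses are constructed placeholders.

# Item c): the BIG-IP's own default route points at the ISP router's HSRP address.
create net route default_gw network default gw 198.51.100.1

# Step 1: catch-all forwarding virtual server for ALL outbound traffic from LAN and proxy.
# Forwarding (IP) type, all protocols, enabled on the south and east VLANs only (never north),
# SNAT automap so the ISP router needs no route back to the internal networks (item d, 2nd choice).
create ltm virtual vs_outbound_forward destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { vlan_south vlan_east } vlans-enabled source-address-translation { type automap }

# Hint from the reply: also SNAT non-TCP/UDP traffic such as ICMP through the forwarding VS.
modify ltm global-settings general snat-packet-forward enabled

# Step 2: proxy pool with a TCP health monitor; it has to be "green" before the next step.
create ltm pool pool_proxy members add { 192.0.2.10:80 } monitor tcp

# Step 3: wildcard VS for client-initiated HTTP only, enabled on the south VLAN ONLY.
# Enabling it on vlan_east would catch the proxy's own outbound requests and loop them back.
# Performance (Layer 4), SNAT automap, and address translation enabled so the destination
# is rewritten to the pool member (the GUI disables this by default for network VSes).
create ltm virtual vs_http_to_proxy destination 0.0.0.0:80 mask 0.0.0.0 ip-protocol tcp profiles add { fastL4 } vlans add { vlan_south } vlans-enabled source-address-translation { type automap } translate-address enabled translate-port enabled pool pool_proxy

# Checks: neither VS may list vlan_north; the HTTP VS must list vlan_south only.
list ltm virtual vs_outbound_forward vlans
list ltm virtual vs_http_to_proxy vlans
show ltm pool pool_proxy members

save sys config
```

An HTTPS variant of vs_http_to_proxy is the same command with destination 0.0.0.0:443, subject to the proxy being able to handle the TLS handshake as discussed above.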