Forum Discussion
How to config PBR
Can you help me, how do I config PBR on the BIG-IP?
On the web GUI, I can't see anywhere to config PBR.
Thanks all
- Parinya_Ekparin (Nimbostratus)
Again, thanks.
Hi Experts
How will I modify the below PBR iRule to include port-based forwarding? For example, I need to route traffic on port 80/443 towards a specific virtual server; the rest of the traffic should get routed, with F5 acting as an L3 hop.

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] } {
        pool pool_hop_1
    } elseif { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        pool pool_hop_2
    } else {
        pool pool_hop_3
    }
}
- ccb (Employee)
Hi,
Try this (haven't tested in a lab). Obviously a pool named pool_hop_1 must exist.

when CLIENT_ACCEPTED {
    log local0. "PBR iRule starting"
    if { [TCP::local_port clientside] equals 80 } {
        if { [active_members pool_hop_1] < 1 } {
            log local0. "No active pool members so will SNAT"
            snat automap
        } else {
            pool pool_hop_1
            log local0. "PBR on port 80 successful"
        }
    }
}
- nitass (Employee)
how do I combine both conditions of IP address & port?
e.g.
if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] and ( [TCP::local_port] == 80 or [TCP::local_port] == 443 ) } {
[active_members pool_hop_1] < 1
The active_members command is used to make sure the pool_hop_1 pool is up before sending traffic to it.
active_members
https://devcentral.f5.com/wiki/iRules.active_members.ashx
- Thanks nitass. Can I use a named pool "my_subnets" instead of only IP segment 10.0.0.0/24? "my_subnets" would have, say, 20 subnets?
- nitass_89166 (Noctilucent)
Can I use a named pool "my_subnets" instead of only IP segment 10.0.0.0/24? "my_subnets" would have, say 20 subnets?
If there are a number of IPs/subnets, you can use the "class match" command instead of IP::addr. The IPs/subnets are defined in an ip-type data group.
class
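Putting the pieces from this thread together (source subnet lookup via class match, a port check, and the active_members health test) as one complete iRule; this is an added example, not code posted in the thread. It assumes an ip-type data group named dg_pbr_subnets holding the internal subnets and a pool named pool_hop_1 that points at the application virtual server; the tmsh line in the comment is an assumption about how such a data group is created.

```tcl
# Added example: PBR-style steering on an LTM forwarding virtual server.
# Assumed objects (create them first):
#   tmsh create ltm data-group internal dg_pbr_subnets type ip records add { 10.1.0.0/24 { } 10.2.0.0/24 { } }
#   pool "pool_hop_1" with the application virtual's address as its member
when CLIENT_ACCEPTED {
    set src   [IP::client_addr]
    set dport [TCP::local_port]

    # Steer only flows that come from a listed subnet AND target an application port.
    # class match replaces a long if/elseif chain of IP::addr tests.
    if { [class match $src equals dg_pbr_subnets] &&
         ($dport == 80 || $dport == 443 || $dport == 8080) } {

        if { [active_members pool_hop_1] < 1 } {
            # Pool is down: route the flow normally instead of black-holing it.
            log local0. "PBR: pool_hop_1 has no active members, routing $src:$dport via the routing table"
            forward
        } else {
            log local0. "PBR: steering $src:$dport to pool_hop_1"
            pool pool_hop_1
        }
    } else {
        # Everything else (SSH, FTP, other subnets) is forwarded like a plain L3 hop.
        forward
    }
}
```

Attach this to the forwarding virtual that receives the internal traffic; the log lines let you confirm in /var/log/ltm which branch each flow took while testing.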
- Hi, need help as this is really confusing. I am unable to come up with the exact iRule to go into the F5 LTM config. What I need is that traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) would be forwarded to a Virtual Server (10.206.0.4) and the rest of the traffic would be forwarded to the default next hop for F5 (10.206.0.8). Will pasting the below in the config work? I am not aware of TCL scripts. 10.206.0.4 and 10.206.0.8 are two different L3 segments on F5.

when CLIENT_ACCEPTED {
    log local0. "PBR iRule starting"
    if { [IP::addr [IP::local_addr] equals 10.1.0.0/24] and ( [TCP::local_port] == 80 or [TCP::local_port] == 443 or [TCP::local_port] == 8080 ) } {
        if { [active_members pool_hop_1] < 1 } {
            log local0. "No active pool members so will SNAT"
            snat automap
        } else {
            pool pool_hop_1
            log local0. "PBR on port 80/8080/443 successful"
        }
    }
}

The VS configs are given below; the first one is the Application server VS and the next one is the L3 forwarding VS (F5 is in a three-legged design: one hop towards the internal network, one hop towards the external network and the other to the real server pool):

ltm virtual /Common/WHTTP_vs {
    description "WHTTP virtual server"
    destination /Common/10.206.0.4:8080
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/MSP-Persistence {
            default yes
        }
    }
    pool /Common/WHTTP
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/radio-external
    }
    vlans-enabled
}
ltm virtual /Common/forwardToInternet_vs {
    address-status no
    description "Outbound traffic to ISP"
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/www-internal
    }
    vlans-enabled
}
- nitass_89166 (Noctilucent)
What I need is traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) would be forwarded to a Virtual Server (10.206.0.4)
Is it only when connecting to 10.206.0.4:8080?
If yes, can't we just enable the WHTTP_vs virtual server on the www-internal vlan (i.e. add the www-internal vlan to the WHTTP_vs virtual server)?
- Thanks nitass. But the rest of the traffic, say port 22 traffic coming from 10.99.0.0/24, has to be directly routed to the Internet. F5 is acting as an L3 hop between LAN and Internet and directing specific traffic to App servers. So you say no iRule is needed at all?
- nitass_89166 (Noctilucent)
But the rest of the traffic, say port 22 traffic coming from 10.99.0.0/24, has to be directly routed to the Internet. F5 is acting as an L3 hop between LAN and Internet and directing specific traffic to App servers.
What is 10.99.0.0/24? Was it a typo? If you mean 10.1.0.0/24 and 10.2.0.0/24, other traffic such as port 22 will match the forwardToInternet_vs virtual server and be sent to the internet gateway. It won't match the WHTTP_vs virtual server because the destination is not 10.206.0.4:8080.
So you say no iRule is needed at all?
Yes.
- Hi nitass. What I mean is that traffic from a sample internal subnet 10.99.0.0/24 will go directly to the Internet gateway, without being forwarded to VS 10.206.0.4:8080 at all. That traffic might be FTP, SSH, etc. Only port 80/443/8080 traffic from 10.1.0.0/24 and 10.2.0.0/24 has to go to the VS 10.206.0.4:8080 for further treatment by my App servers. But F5 is working as an L3 hop between the internal LAN and the ISP. Usually I could have done this with PBR on a normal switch/router, but I don't know how to do it on F5. That's why I was searching for the exact iRule.