hung_37471
Sep 27, 2011 - Nimbostratus
How to config PBR
Hi all,
can you help me, how to config PBR on the BIG-IP?
On the web GUI, I can't see anywhere to config PBR.
Thanks all
Is the problem on the forward-to-Internet_vs virtual server?
If yes, can you change ip-protocol to any (not tcp) and see if it helps?
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    ip-protocol tcp
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan-1500
    }
    vlans-enabled
}
Hi, to capture all interfaces (and to exclude SSH) you may want to run:
    tcpdump -ei 0.0 not port 22
The trace will show incoming traffic and outgoing traffic (in case it's processed).
Can you ping destinations on the internet from your BIG-IP (meaning your default gateway is configured properly, the ISP router does not block it, and responses are returned as well)?
Thanks, Stephan
In case you want to use the proxy to forward the client requests to the public internet, it will be necessary to allow traffic from the proxy IP address on the firewall ACL. In case you use SNAT on your forwarding virtual servers, the SNAT address used by the load balancer needs to be permitted on the firewall ACL (as it replaces the original client IP address or the IP address of the proxy; both are the source IPs).
In case no SNAT is used on the virtual servers, it is necessary to create routes on the ISP router to make sure responses from the internet will be routed back properly to the proxy or to the client, by using the floating self IP on the northern interface of your BIG-IP as next hop.
Is the tcpdump showing something if you try to get traffic on port 80 through the BIG-IP? Would you provide us the output of the following, please:
    tmsh list net vlan
    tmsh list net self
    tmsh list net route
    tmsh list ltm pool
    tmsh list ltm virtual
Hi Stephan, how will I add another L3 forwarding virtual server to use multiple source subnets? I already have the below to direct to the default gateway.
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0 <<<<>>>>>
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan-external
        /Common/vlan-internal
    }
    vlans-enabled
}
How will I add another L3 forwarding virtual server to use multiple source subnets?
You have to duplicate the virtual server and configure one source subnet per virtual server.
Anyway, you know 0.0.0.0/0 means all subnets, don't you?
I was expecting to include multiple subnets in the source section; I have around 50. Not sure if I can use an iRule here. Would that impact ePVA forwarding?
Why not use one virtual server with source 0.0.0.0/0? If you want to forward traffic from some sources only, you can drop/reject traffic from other sources by iRule.
e.g.
when CLIENT_ACCEPTED {
    if { ![class match -- [IP::client_addr] equals trusted_source] } {
        reject
    }
}
How about specifying 2 different wildcard virtual servers:
1. wildcard network virtual on address 0.0.0.0/0 with tcp/80 and source of 0.0.0.0/0 to capture the HTTP traffic to be forwarded to the proxy server
2. wildcard network virtual on address 0.0.0.0/0 with all_protocols/0 and source of 0.0.0.0/0 to capture everything which is not matching tcp/80 and to forward according to the routing table
If multiple virtual servers are configured, the "longest match" wins, following the precedence described in AskF5 SOL14800.
As I understood from a previous message, your ISP router handles the ACLs, right? But you can still apply plain packet filters, an iRule-based ACL or AFM directly on your BIG-IP device.
Btw, a virtual server needs to be enabled only on the VLAN where the traffic is initiated. I.e. the client comes from VLAN "internal" and its request should be processed to wherever. So the associated virtual server only needs to be enabled on VLAN "internal" (it tracks the connection internally [including egress VLAN] and establishes a listener to forward the expected responses back to the client).
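The two-listener design above, combined with the data-group iRule suggested earlier in the thread, written out as a complete tmsh configuration. This is an added example and not part of the thread or of F5's own documentation; the object names vlan-internal, proxy_pool, trusted_source_only, the proxy address 192.0.2.10:3128 and the three 10.x.0.0/16 source subnets are assumptions to be replaced with your own.

```tmsh
# Added example, not from the thread. Assumed: VLAN vlan-internal, a proxy at
# 192.0.2.10:3128, and 10.1/10.2/10.3.0.0/16 as the permitted source subnets.

# The ~50 permitted source subnets live in one address data group instead of
# 50 virtual servers; add one record per subnet.
ltm data-group internal /Common/trusted_source {
    records {
        10.1.0.0/16 { }
        10.2.0.0/16 { }
        10.3.0.0/16 { }
    }
    type ip
}

# iRule attached to both listeners: a client address not in the data group is
# dropped silently. drop is used rather than reject because the any-protocol
# listener also sees UDP and ICMP, where a TCP reset does not apply.
ltm rule /Common/trusted_source_only {
when CLIENT_ACCEPTED {
    if { ![class match -- [IP::client_addr] equals trusted_source] } {
        drop
    }
}
}

# Pool holding the explicit proxy (hypothetical address and port).
ltm pool /Common/proxy_pool {
    members {
        /Common/192.0.2.10:3128 {
            address 192.0.2.10
        }
    }
    monitor /Common/tcp
}

# 1. tcp/80 from any source to any destination -> proxy pool. The specific
#    port makes this the longer match, so it is picked over the any-protocol
#    listener for HTTP. translate-port rewrites :80 to the member's :3128.
#    Enabled only on the VLAN where clients initiate traffic.
ltm virtual /Common/http-to-proxy_vs {
    description "Outbound HTTP to explicit proxy"
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    pool /Common/proxy_pool
    profiles {
        /Common/fastL4 { }
    }
    rules {
        /Common/trusted_source_only
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan-internal
    }
    vlans-enabled
}

# 2. Everything else from any source -> forwarded per the routing table.
#    ip-protocol any (not tcp) so UDP and ICMP are forwarded as well.
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    ip-protocol any
    mask any
    profiles {
        /Common/fastL4 { }
    }
    rules {
        /Common/trusted_source_only
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan-internal
    }
    vlans-enabled
}
```

Paste it with `tmsh load sys config merge from-terminal` (or save it to a file and use `tmsh load sys config merge file <path>`), then check with `tmsh list ltm virtual` and `tmsh list ltm data-group internal trusted_source`. Neither listener applies SNAT, so, as Stephan noted above, the proxy's and the internet's replies must be routed back via the BIG-IP floating self IP; adding `source-address-translation { type automap }` to http-to-proxy_vs removes that routing dependency at the cost of hiding the real client address from the proxy.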