Forum Discussion
How to config PBR
Can you help me configure PBR on the BIG-IP?
On the web GUI I can't see anywhere to configure PBR.
Thanks all
78 Replies
- nitass_89166
Noctilucent
is the problem on forward-to-Internet_vs virtual server?
if yes, can you change ip-protocol to any (not tcp) and see if it helps?
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    ip-protocol tcp
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan-1500
    }
    vlans-enabled
}
- Hi Nitass, I already got it changed before testing.
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/external
        /Common/internal
    }
    vlans-enabled
}
- StephanManthey
Nacreous
Hi, to capture all interfaces (and to exclude ssh) you may want to run:
tcpdump -ei 0.0 not port 22
The trace will show incoming traffic and outgoing traffic (in case it's processed).
Can you ping destinations in the internet from your BIG-IP (means your default gateway is configured properly and the ISP router does not block it and responses are returned as well)?
Thanks, Stephan
- StephanManthey
Nacreous
In case you want to use the proxy to forward the client requests to the public internet, it will be necessary to allow traffic from the proxy IP address on the firewall ACL. In case you use SNAT on your forwarding virtual servers, the SNAT address used by the load balancer needs to be permitted on the firewall ACL (as it is replacing the original client IP address or the IP address of the proxy - both are the source IPs).
In case no SNAT is used on the virtual servers, it is necessary to create routes on the ISP router to make sure responses from the internet will be routed back properly to the proxy or to the client by using the floating self IP on the northern interface of your BIG-IP as next hop. Is the tcpdump showing something, if you try to get traffic on port 80 through the BIG-IP? Would you provide us the output of the following, please:
tmsh list net vlan
tmsh list net self
tmsh list net route
tmsh list ltm pool
tmsh list ltm virtual
- Hi Stephan, how will I add another L3 forwarding virtual server to use multiple source subnets? I already have the below to direct to the default gateway.
ltm virtual /Common/forward-to-Internet_vs {
    description "Outbound traffic to Internet"
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0 <<<<>>>>>
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan-external
        /Common/vlan-internal
    }
    vlans-enabled
}
- nitass
Employee
How will I add another L3 forwarding virtual server to use multiple source subnets?
you have to duplicate virtual server and configure one source subnet per virtual server.
anyway, you know 0.0.0.0/0 means all subnets, don't you?
- I was expecting to include multiple subnets in the source section, i have around 50. Not sure if I can use i-Rule here. Would that impact e-PVA forwarding?
- nitass_89166
Noctilucent
I was expecting to include multiple subnets in the source section, i have around 50. Not sure if I can use i-Rule here. Would that impact e-PVA forwarding?
why don't you use one virtual server with source 0.0.0.0/0? if you want to forward traffic from some sources only, you can drop/reject traffic from other sources by irule.
e.g.
when CLIENT_ACCEPTED {
    if { ![class match -- [IP::client_addr] equals trusted_source] } {
        reject
    }
}
- Thanks Nitass, but I need to specify 50 subnets to just route via F5 to the next hop, without going through the port 80 virtual server. So it has to match the L3 forwarding virtual server but not the port 80 vs.
- Hi Nitass, see the rule below, taken from one of your examples. Is it workable?
[root@ve1023:Active] config  tmsh list rule myrule
rule myrule {
    when CLIENT_ACCEPTED {
        if {[class match -- [IP::client_addr] equals subnet_list]}{
            node
        } else {
            pool http_pool
        }
    }
}
[root@ve1023:Active] config  tmsh list class subnet_list
class subnet_list {
    network 172.28.19.0/24
    network 172.29.19.0/24
    network 172.30.19.0/24
    network 172.21.19.0/24
    network 172.20.19.0/24
    network 172.44.19.0/24
    network 172.08.19.0/24
    . . . . .
    network n
}
- StephanManthey
Nacreous
How about specifying 2 different wildcard virtual servers:
1. wildcard network virtual on address 0.0.0.0/0 with tcp/80 and source of 0.0.0.0/0 to capture the http traffic to be forwarded to the proxy server
2. wildcard network virtual on address 0.0.0.0/0 with all_protocols/0 and source of 0.0.0.0/0 to capture everything which is not matching tcp/80 and to forward according to the routing table
If multiple virtual servers are configured, the "longest match" wins, following the precedence described in AskF5 SOL14800.
As I understood from a previous message, your ISP router handles the ACLs, right? But you can still apply plain packet filters or an iRule based ACL or AFM directly on your BIG-IP device.
Btw, a virtual server needs to be enabled only on the VLAN where the traffic is initiated on. I.e. the client comes from VLAN "internal" and its request should be processed to wherever. So the associated virtual server only needs to be enabled on VLAN "internal" (it tracks the connection internally [including egress VLAN] and establishes a listener to forward the expected responses back to the client).
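A complete tmsh rendering of the two-wildcard-virtual-server layout Stephan describes, combined with the data-group bypass idea raised earlier in the thread, as an added example that is not from any participant in this discussion. The object names (http-to-proxy_vs, proxy_pool, bypass_subnets, proxy_bypass_rule, vlan-internal) and the subnet records are assumed placeholders, and proxy_pool is assumed to already exist.

```tmsh
# Source subnets that must bypass the proxy (assumed name and records).
ltm data-group internal /Common/bypass_subnets {
    records { 172.28.19.0/24 { } 172.29.19.0/24 { } }
    type ip
}
# Clients in the data group are sent to their original destination, which the
# BIG-IP then routes via its routing table; everyone else goes to the proxy pool.
ltm rule /Common/proxy_bypass_rule {
when CLIENT_ACCEPTED {
    if { [class match -- [IP::client_addr] equals bypass_subnets] } {
        node [IP::local_addr] [TCP::local_port]
    } else {
        pool proxy_pool
    }
}
}
# 1. More specific wildcard: tcp/80 from any source, listening only on the
#    client-facing VLAN (SOL14800 precedence picks this over the catch-all).
ltm virtual /Common/http-to-proxy_vs {
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    pool /Common/proxy_pool
    profiles { /Common/fastL4 { } }
    rules { /Common/proxy_bypass_rule }
    source 0.0.0.0/0
    translate-port disabled
    vlans { /Common/vlan-internal }
    vlans-enabled
}
# 2. Catch-all: any protocol, any port, forwarded per the routing table.
#    translate-address is disabled so the original destination is preserved.
ltm virtual /Common/forward-to-Internet_vs {
    destination /Common/0.0.0.0:0
    ip-forward
    ip-protocol any
    mask any
    profiles { /Common/fastL4 { } }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans { /Common/vlan-internal }
    vlans-enabled
}
```

Without SNAT, the ISP router and the proxy must route return traffic back via the BIG-IP floating self IP, as noted above; if you add source-address-translation to the tcp/80 virtual instead, the SNAT address is what the firewall ACL has to permit.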