Forum Discussion
How to config PBR
Can you help me? How do I configure PBR on the BIG-IP?
On the web GUI, I can't see anywhere to configure PBR.
Thanks all
78 Replies
- nitass
Employee
Can I use a named pool "my_subnets" instead of only IP segment 10.0.0.0/24? "my_subnets" would have, say 20 subnets?
If there are a number of IPs/subnets, you can use the "class match" command instead of IP::addr. The IPs/subnets are defined in an ip-type data group.
class
https://devcentral.f5.com/wiki/irules.class.ashx
- Hi, need help as this is really confusing. I am unable to come up with the exact iRule to go into the F5 LTM config. What I need is traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) to be forwarded to a Virtual Server (10.206.0.4) and the rest of the traffic to be forwarded to the default next hop for F5 (10.206.0.8). Will pasting the below into the config work? I am not aware of TCL scripts. 10.206.0.4 and 10.206.0.8 are two different L3 segments on F5.

    when CLIENT_ACCEPTED {
        log local0. "PBR iRule starting"
        if { if { [IP::addr [IP::local_addr] equals 10.1.0.0/24] and ( [TCP::local_port] == 80 or [TCP::local_port] == 443 or [TCP::local_port] == 8080) }
            if { [active_members pool_hop_1] < 1 } {
                log local0. "No active pool members so will SNAT"
                snat automap
            } else {
                pool pool_hop_1
                log local0. "PBR on port 80/8080/443 successful"
            }
        }
    }

The VS configs are given below. The first one is the Application server VS and the next one is the L3 forwarding VS (F5 is in a three-legged design: one hop towards the internal network, one hop towards the external network and the other to the real server pool):

    ltm virtual /Common/WHTTP_vs {
        description "WHTTP virtual server"
        destination /Common/10.206.0.4:8080
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            /Common/MSP-Persistence {
                default yes
            }
        }
        pool /Common/WHTTP
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/radio-external
        }
        vlans-enabled
    }
    ltm virtual /Common/forwardToInternet_vs {
        address-status no
        description "Outbound traffic to ISP"
        destination /Common/0.0.0.0:0
        ip-forward
        mask any
        profiles {
            /Common/IP-Gateway { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/www-internal
        }
        vlans-enabled
    }
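To show how nitass's "class match" suggestion fits the draft above, here is an added example iRule written for this reply; it is not code from the thread, from nitass or from F5. It assumes an ip-type data group named pbr_src_subnets holding the source subnets, a gateway pool named isp_gateway containing the default next hop 10.206.0.8 from the post, and that the rule is attached to a wildcard 0.0.0.0:0 TCP Performance (Layer 4) virtual server on the www-internal VLAN with address translation disabled (the tmsh objects in the comments are hypothetical and only illustrate that setup). Source-based policy is keyed on IP::client_addr; IP::local_addr, used in the draft, is the destination side of the connection.

```tcl
# Added example for this thread, not the poster's or F5's own code.
#
# Assumed objects (hypothetical names):
#   tmsh create ltm data-group internal pbr_src_subnets type ip \
#       records add { 10.1.0.0/24 10.2.0.0/24 }
#   tmsh create ltm pool isp_gateway members add { 10.206.0.8:0 }
#   tmsh create ltm virtual pbr_outbound_vs destination 0.0.0.0:0 \
#       ip-protocol tcp profiles add { fastL4 } pool isp_gateway \
#       translate-address disabled translate-port disabled \
#       vlans add { www-internal } vlans-enabled rules { pbr_src_subnets_rule }
#
# Because the virtual server is TCP only, TCP:: commands are safe here;
# a UDP flow would need its own listener and UDP::local_port.

when CLIENT_ACCEPTED {
    # Client (source) address and the original destination port.
    set src   [IP::client_addr]
    set dport [TCP::local_port]

    # One lookup against the data group replaces a chain of IP::addr tests,
    # and the subnet list can grow without touching the rule.
    if { [class match $src equals pbr_src_subnets] &&
         ($dport == 80 || $dport == 443 || $dport == 8080) } {

        if { [active_members WHTTP] < 1 } {
            # No cache server is up: do nothing, so the flow keeps the
            # virtual server's default pool (the ISP gateway) and the
            # client still reaches the Internet. Log it so the outage
            # is visible in /var/log/ltm.
            log local0. "PBR: pool WHTTP has no active members, $src:$dport routed via isp_gateway"
            return
        }

        # Steer the flow to the transparent cache pool. Address translation
        # is disabled on the virtual server, so the cache still sees the
        # real destination (e.g. google.com:80).
        pool WHTTP
        log local0. "PBR: $src -> [IP::local_addr]:$dport steered to pool WHTTP"
        return
    }

    # Anything else (other ports, other source subnets) is left on the
    # default pool and goes straight to the ISP gateway.
}
```

Leaving the virtual server's default pool as the gateway pool is what makes the fallback safe: the rule only ever overrides that choice for matching flows, so a failed cache pool degrades to normal routing instead of dropping sessions.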
- nitass_89166
Noctilucent
What I need is traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) would be forwarded to a Virtual Server (10.206.0.4)
is it only when connecting to 10.206.0.4:8080?
if yes, can't we just enable WHTTP_vs virtual server on www-internal vlan (i.e. add www-internal vlan to the WHTTP_vs virtual server)?
- Thanks Nitass. But the rest of the traffic, say port 22 traffic coming from 10.99.0.0/24, has to be directly routed to the Internet. F5 is acting as an L3 hop between LAN and Internet and directing specific traffic to App servers. So you say no iRule is needed at all?
- nitass_89166
Noctilucent
But for rest traffic, say port 22 traffic coming from 10.99.0.0/24, they have to be directly routed to the Internet. F5 is acting as L3 hop between LAN and Internet and directing specific traffic to App servers.
What is 10.99.0.0/24? Was it a typo? If you mean 10.1.0.0/24 and 10.2.0.0/24, other traffic such as port 22 will match the forwardToInternet_vs virtual server and be sent to the internet gateway. It won't match the WHTTP_vs virtual server because the destination is not 10.206.0.4:8080.
So you say no iRule is needed at all?
yes
- Hi Nitass. What I mean is traffic from a sample internal subnet 10.99.0.0/24 will go directly to the Internet gateway, without being forwarded to VS 10.206.0.4:8080 at all. That traffic might be FTP, SSH, etc. Only port 80/443/8080 traffic from 10.1.0.0/24 and 10.2.0.0/24 has to go to the VS 10.206.0.4:8080 for further treatment by my App servers. But F5 is working as an L3 hop between the internal LAN and the ISP. Usually I could have done this with PBR in a normal switch/router, but I don't know how to do it in F5. That's why I was searching for the exact iRule.
- nitass_89166
Noctilucent
What I mean is traffic from a sample internal subnet 10.99.0.0/24 will go directly to Internet gateway, without being forwarded to VS 10.206.0.4:8080 at all. That traffic might be FTP, SSH, etc. Only port 80/443/8080 traffic from 10.1.0.0/24 and 10.2.0.0/24 has to go to the VS 10.206.0.4:8080 for further treatment by my App servers.
I am a bit confused. A virtual server is a destination listener object. It (the virtual server) will be triggered only when traffic matches the address and port configured in its destination setting.
For example, only traffic destined to 10.206.0.4 and port 8080 will trigger 10.206.0.4:8080. Other traffic won't match the virtual server.
sol14800: Order of precedence for virtual server matching (11.3.0 and later)
http://support.f5.com/kb/en-us/solutions/public/14000/800/sol14800.html
- Hi Nitass. In my example, the end client is not hitting the virtual address directly. It just passes traffic through the F5 as an L3 hop. Based on the specified port 80/8080, the F5 redirects forwarded traffic to the virtual address and associated server pools. The rest of the traffic, the F5 is supposed to route to the Internet gateway hop. I hope I could make it clearer.
- nitass
Employee
the end client is not hitting the virtual address directly.
The virtual server address is not a self IP, is it?
- The virtual server is on a floating VIP. Let me clarify a bit more. A sample packet coming from an end client has Src Addr: 10.1.0.100/24, Src port: (>1024); Dst Addr: google.com, Dst port: 80/443. This traffic needs to go to the virtual server with floating IP 10.206.0.4 and be load balanced to the real server pool. Other traffic, say Src Addr: 10.1.0.100/24, Src port: (>1024); Dst Addr: www.f5.com, Dst port: SFTP, needs to go directly to the ISP gateway. We need to do this routing in F5. Usually, for the F5-advised set-up, we directly hit the virtual server address, but not here. The user transparently goes to the Internet, not knowing an F5 is sitting between the LAN and the ISP.
- nitass
Employee
Is pool /Common/WHTTP a cache server pool? If yes, you may create new virtual servers on port 80 and port 443 (i.e. 0.0.0.0/0:80 and 0.0.0.0/0:443) and use /Common/WHTTP as the pool.
- Yes Nitass, WHTTP is a pool of proxy cache servers. How do I post a diagram here?
- ccb
Employee
Hi Sumanta,
I'm starting to think that you might not need a PBR iRule after all, after reading the above conversation between yourself and Nitass. What you may be looking to achieve is adding a few routes to your configuration. However, you need to provide more information. Please provide the details regarding your VLANs, self IPs and routes using the following tmsh commands. A very basic high-level diagram will also help if you have one, showing where the subnets reside, where you have placed the virtual servers and where the ISP router is.

    tmsh list net self
    tmsh list net vlan
    tmsh list net route

Also, your iRule above looks to have an unnecessary if { if { condition. Also, you are missing a closing bracket. Anyway, we can park that for now. Let's see if adding simple routes might be able to solve your problem.
Thanks