How to config PBR

Hi Stephan I have the below query. What is the difference between "source-address-translation" & "translate-address/port disabled"? Why do we need both?

 

ltm virtual /Common/Transparent-Proxy_vs { description "Transparent-Proxy virtual server" destination /Common/0.0.0.0:80 ip-protocol tcp mask any persist { /Common/Persistence-1 { default yes } } pool /Common/WHTTP_Transparent profiles { /Common/fastL4 { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port disabled vlans { /Common/vlan-ingress } vlans-enabled }

 

Hi Sumanta,

 

the "source-address-translation" is replacing the client´s IP address in the datagram when processing the packet. Leaving it set to enabled for this particular virtual server helps, if the web proxy does not have a route back to the client (responses always needs to be passed back through the BIG-IP - otherwise connections will be broken from the client´s perspective).

 

The "translate-address" parameter allows destination address translation. This is disabled by default for a network virtual server, as it is typically used to forward packets to the destination server.

 

For our specific purpose the "translate-address" needs to be set to enabled, as we want to modify the destination IP address to match the web proxy IP. Otherwise the web proxy will probably discard the packet.

 

Thanks, Stephan

 

is the problem on forward-to-Internet_vs virtual server?

if yes, can you change ip-protocol to any (not tcp) and see if it helps?

ltm virtual /Common/forward-to-Internet_vs { 
  description "Outbound traffic to Internet" 
  destination /Common/0.0.0.0:0 
  ip-forward 
  ip-protocol tcp 
  mask any 
  profiles { 
    /Common/IP-Gateway { } 
  } 
  source 0.0.0.0/0 
  translate-address disabled 
  translate-port disabled 
  vlans { 
    /Common/vlan-1500 
  } 
  vlans-enabled 
}

is the problem on forward-to-Internet_vs virtual server?

if yes, can you change ip-protocol to any (not tcp) and see if it helps?

ltm virtual /Common/forward-to-Internet_vs { 
  description "Outbound traffic to Internet" 
  destination /Common/0.0.0.0:0 
  ip-forward 
  ip-protocol tcp 
  mask any 
  profiles { 
    /Common/IP-Gateway { } 
  } 
  source 0.0.0.0/0 
  translate-address disabled 
  translate-port disabled 
  vlans { 
    /Common/vlan-1500 
  } 
  vlans-enabled 
}

Hi, to capture all interfaces (and to exclude ssh) you may want to run:

 

tcpdump -ei 0.0 not port 22

 

The trace will show incoming traffic and outgoing (in case it´s processed).

 

Can you ping destinations in the internet from your BIG-IP (means your default gateway is configured properly and the ISP router does not block it and responses are returned as well)?

 

Thanks, Stephan

 

In case you want to use the proxy to forward the client requests to the public internet, it will be necessary to allow traffic from the proxy IP address on the firewall ACL. In case you use SNAT on your forwarding virtual servers, the SNAT address used by the load balancer needs to be permitted on the firewall ACL (as it is replacing the original client IP address or the IP address of the proxy - both are the source IPs).

In case no SNAT is used on the virtual servers, it is necessary to create routes on the ISP router to make sure responses from the internet will be routed back properly to the proxy or to the client by using the floating self IP on northern interface of your BIG-IP as next hop.

Is the tcpdump showing something, if you try to get traffic on port 80 through the BIG-IP?

Would you provide us the output of the following, please:

tmsh list net vlan
tmsh list net self  
tmsh list net route  
tmsh list ltm pool  
tmsh list ltm virtual  

Hi Stephan How will I add another L3 forwarding virtual server to use multiple source subnets? I already have the below to direct to default gateway.

          ltm virtual /Common/forward-to-Internet_vs {
description "Outbound traffic to Internet"
destination /Common/0.0.0.0:0
ip-forward
mask any
profiles {
    /Common/IP-Gateway { }
}
source 0.0.0.0/0    <<<<>>>>>
translate-address disabled
translate-port disabled
vlans {
    /Common/vlan-external
    /Common/vlan-internal
}
vlans-enabled

}

How will I add another L3 forwarding virtual server to use multiple source subnets?

 

you have to duplicate virtual server and configure one source subnet per virtual server.

 

anyway, you know 0.0.0.0/0 means all subnets, don't you?

 

How will I add another L3 forwarding virtual server to use multiple source subnets?

 

you have to duplicate virtual server and configure one source subnet per virtual server.

 

anyway, you know 0.0.0.0/0 means all subnets, don't you?

 

I was expecting to include multiple subnets in the source section, i have around 50. Not sure if I can use i-Rule here. Would that impact e-PVA forwarding?

why don't use one virtual server with source 0.0.0.0/0? if you want to forward traffic from some source only, you can drop/reject traffic from other source by irule.

e.g.

when CLIENT_ACCEPTED  {
   if { ![class match -- [IP::client_addr] equals trusted_source] } {
      reject
   }
}