Forum Discussion
How to config PBR
Can you help me, how do I configure PBR on the BIG-IP?
On the web GUI, I can't see anywhere to configure PBR.
Thanks all
78 Replies
- nitass
Employee
Wouldn't F5 modify the dst IP of packets to the next hop IP address of the selected member? What we want is just to send it out the way we want, but not to alter its dst IP.
When creating a wildcard virtual server, translate address and translate service are disabled by default, so the destination address won't be changed when the packet is sent out.
[root@iris:Active] config b virtual test list all
virtual test {
   enable
   limit 0
   rate class none
   mirror disable
   translate address disable
   translate service disable
   srcport preserve
   pool snat none
   cmp enable
   cmp processor none
   lasthop pool none
   snatpool none
   pool gw1
   fallback persist none
   destination any:any
   mask 0.0.0.0
   ip protocol tcp
   partition Common
   rules none
   httpclass none
   persist none
   auth none
   clone pools none
   profiles tcp { all }
   traffic classes none
   vlans none disable
}
[root@iris:Active] config b pool gw1 list
pool gw1 {
   members 172.28.17.254:any {}
}
[root@iris:Active] config b route list
No Routing Table Entries were found.
[root@iris:Active] config tcpdump -nni 0.0 -e port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
12:13:18.896745 00:01:d7:20:81:85 > 00:01:d7:2f:0d:c3, ethertype 802.1Q (0x8100), length 78: vlan 4094, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: S 865485221:865485221(0) win 5840
12:13:18.896802 00:01:d7:2f:0d:c3 > 00:01:d7:20:81:85, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 8.8.8.8.80 > 10.10.72.60.59619: S 1705596133:1705596133(0) ack 865485222 win 4380
12:13:18.897850 00:01:d7:20:81:85 > 00:01:d7:2f:0d:c3, ethertype 802.1Q (0x8100), length 70: vlan 4094, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: . ack 1 win 46
12:13:18.897925 00:01:d7:2f:0d:c4 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: S 3006714883:3006714883(0) win 4380
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@iris:Active] config b arp 172.28.17.254
ARP 172.28.17.254 - 00:01:E8:D5:D4:47 VLAN external expire 269s resolved
- Parinya_Ekparin
Nimbostratus
Thank you, nitass.
From your answer, let me explain my understanding, and please correct me if something is wrong:
- 'translate address' is a setting that allows/disallows the virtual server to alter the dst IP in the packet, right?
- The same goes for 'translate service'. Is it a setting that allows/disallows the virtual server to alter the dst port?
So what exactly happens when F5 tries to send the packet out if we disable 'translate address'?
My guess is that F5 tries to send the packet to a selected member in the selected pool according to its routing table, but does not alter the dst IP? Is that correct?
- nitass
Employee
My guess is that F5 tries to send the packet to a selected member in the selected pool according to its routing table, but does not alter the dst IP? Is that correct?
Something like that. Anyway, you know the pool is a connected subnet, so no routing is needed.
- Parinya_Ekparin
Nimbostratus
Again, thanks.
I'll try to set things up with virtual machines. Seeing the real thing work helps me learn faster and easier, I hope. :)
-
Hi Experts
How will I modify the below PBR iRule to include port-based forwarding? For example, I need to route traffic on ports 80/443 towards a specific virtual server; the rest of the traffic should be routed with F5 acting as an L3 hop.
when CLIENT_ACCEPTED {
   if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] } {
      pool pool_hop_1
   } elseif { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
      pool pool_hop_2
   } else {
      pool pool_hop_3
   }
}
- ccb
Employee
Hi,
Try this (haven't tested in a lab). Obviously a pool named pool_hop_1 must exist.
when CLIENT_ACCEPTED {
   log local0. "PBR iRule starting"
   if { [TCP::local_port clientside] equals 80 } {
      if { [active_members pool_hop_1] < 1 } {
         log local0. "No active pool members so will SNAT"
         snat automap
      } else {
         pool pool_hop_1
         log local0. "PBR on port 80 successful"
      }
   }
}
- nitass_89166
Noctilucent
How do I combine both conditions of IP address & port?
e.g.
   if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] and ( [TCP::local_port] == 80 or [TCP::local_port] == 443 ) } {

[active_members pool_hop_1] < 1
The active_members command is used to make sure the pool_hop_1 pool is up before sending traffic to it.
active_members
https://devcentral.f5.com/wiki/iRules.active_members.ashx
-
Thanks Nitass. Can I use a named pool "my_subnets" instead of only the IP segment 10.0.0.0/24? "my_subnets" would have, say, 20 subnets?
- nitass
Employee
Can I use a named pool "my_subnets" instead of only the IP segment 10.0.0.0/24? "my_subnets" would have, say, 20 subnets?
If there are a number of IPs/subnets, you can use the "class match" command instead of IP::addr. The IPs/subnets are defined in an IP-type data group.
class
https://devcentral.f5.com/wiki/irules.class.ashx
-
Hi, need help as this is really confusing. I am unable to come up with the exact iRule to go into the F5 LTM config. What I need is that traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) is forwarded to a virtual server (10.206.0.4), and the rest of the traffic is forwarded to the default next hop for F5 (10.206.0.8). Will pasting the below into the config work? I am not aware of TCL scripts. 10.206.0.4 and 10.206.0.8 are two different L3 segments on F5.
when CLIENT_ACCEPTED {
   log local0. "PBR iRule starting"
   # match either of the two subnets on any of the three ports
   if { ( [IP::addr [IP::local_addr] equals 10.1.0.0/24] or [IP::addr [IP::local_addr] equals 10.2.0.0/24] ) and ( [TCP::local_port] == 80 or [TCP::local_port] == 443 or [TCP::local_port] == 8080 ) } {
      if { [active_members pool_hop_1] < 1 } {
         log local0. "No active pool members so will SNAT"
         snat automap
      } else {
         pool pool_hop_1
         log local0. "PBR on port 80/8080/443 successful"
      }
   }
}
The VS configs are given below; the first one is the application server VS and the next one is the L3 forwarding VS (F5 is in a three-legged design: one hop towards the internal network, one hop towards the external network and the other to the real server pool):
ltm virtual /Common/WHTTP_vs {
    description "WHTTP virtual server"
    destination /Common/10.206.0.4:8080
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/MSP-Persistence {
            default yes
        }
    }
    pool /Common/WHTTP
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/radio-external
    }
    vlans-enabled
}
ltm virtual /Common/forwardToInternet_vs {
    address-status no
    description "Outbound traffic to ISP"
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/IP-Gateway { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/www-internal
    }
    vlans-enabled
}
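As an added example that is not from any poster in this thread (and not tested on a BIG-IP here), this iRule combines the suggestions above: the subnets are kept in an address-type data group, the port test covers 80/443/8080, and active_members guards the pool before traffic is steered to it. The data group name my_subnets, the pool name pool_hop_1 and the log text are assumptions; like the thread's examples it tests IP::local_addr (the destination the client connected to), so use IP::client_addr instead to match on source subnets.

```tcl
# Added example: policy-based routing iRule combining the thread's suggestions.
# Assumes an address-type data group "my_subnets" (e.g. 10.1.0.0/24 and
# 10.2.0.0/24) and a pool "pool_hop_1" exist on the BIG-IP. Attach it to the
# wildcard forwarding virtual server (translate-address/translate-port disabled,
# so the original destination IP and port are preserved on the way out).
when CLIENT_ACCEPTED {
    # Ports that should be steered through pool_hop_1; everything else is
    # left alone and uses the forwarding virtual server's normal routing.
    set pbr_ports [list 80 443 8080]

    # "class match" replaces a long chain of IP::addr comparisons; the data
    # group holds the subnets, so the rule does not change when they do.
    if { [class match [IP::local_addr] equals my_subnets] &&
         [lsearch -exact $pbr_ports [TCP::local_port]] >= 0 } {

        # Only steer when the pool has at least one active member; otherwise
        # fall back to SNAT automap so the connection still gets out.
        if { [active_members pool_hop_1] < 1 } {
            log local0. "PBR: no active members in pool_hop_1, falling back to SNAT automap"
            snat automap
        } else {
            pool pool_hop_1
            log local0. "PBR: [IP::client_addr] -> [IP::local_addr]:[TCP::local_port] via pool_hop_1"
        }
    }
}
```

The logging lines are useful while validating the policy (compare them with a tcpdump on the egress VLAN, as in the first reply) and can be removed once the steering behaves as expected.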