Forum Discussion
daviddaoud2_205
Nimbostratus
Apr 25, 2008
iRule to change IP destination
Hello,
I want to define an iRule for the following scenario:
A----- BIGIP ----> B
when A sends a packet to B, BIGIP should send it to C_pool. In C_pool, there is only one member.
If I use in an iRule "pool poolname", the message is redirected but the IP in the packet is not changed.
As C is an application server, it cannot see this packet (even if Wireshark can) ... my question is then: how can I change the IP destination address?
Thanks,
David
11 Replies
- The_Bhattman
Nimbostratus
Hi David,
There seems to be some information missing here to get the picture of what exactly you are trying to do. Pardon me for asking some questions. But I really do want to understand whe
Is A (Client) sending a node behind the bigip? or does B represent a VIP?
What does "...message is redirected but the IP in the packet is not changed" mean? Whose IP?
CB
- daviddaoud2_205
Nimbostratus
Ok sorry for not being clear. Here is the exact scenario;
A, B, C are three machines physically connected to the BIG-IP which functions in transparent mode. A, B, C all three have real IPs in my network; let's say 192.168.100.1, 192.168.100.2, 192.168.100.3.
What I am doing currently is that I have defined a Pool with only one member which is C. I have written an iRule that sends the packet coming from A going to B to C. I used simply the command pool Pool_with_C.
This iRule works BUT BIG-IP only redirects the packet (i.e. changes only the MAC address). I would like BIG-IP to also change layer 3, i.e. the destination IP address (B <-> C). C should then receive the packet with a source IP of 192.168.100.1 and a destination address of 192.168.100.3 and not 192.168.100.2.
Is that clearer?
Thanks again for your help,
David.
- hoolio
Cirrostratus
Hi David,
If you want the LTM to translate the destination for requests sent to the pool, you can enable address translation on the virtual server advanced properties. It should be enabled by default. If you want to specify a new IP address to send the traffic to using an iRule, you can use the node command.
Aaron
- daviddaoud2_205
Nimbostratus
yesssssss ! you made my day. Address translation was not activated !
Thanks again.
- daviddaoud2_205
Nimbostratus
Hmmm ... the problem is that this Address Translation option has solved the issue but nothing works anymore ...
This has nothing to do with iRule of course but with my BIG-IP configuration which is quite strange (used in transparent mode).
I'd better contact F5 to get support for that ... but as you guys seem brilliant, if you have any idea, feel free to share.
Quickly my configuration is:
1 VS for UDP on port 5060 (Standard)
4 servers physically connected to the BIG-IP
BIG-IP works in transparent mode so the self-ip never appears.
The problem is: once the Address Translation is activated, the packets stay blocked inside the BIG-IP. For example when eth0 (a phone) tried to contact eth1 (a call manager) I can see the packets entering in the BIG-IP but they never go out to the interface eth1.
Any idea how to solve this?
Thx,
David
- hoolio
Cirrostratus
What kind of a VIP are you using the iRule on? Can you post the output from 'b virtual VIP_NAME list'?
Are you wanting to have the VIP only translate the destination address if a specific pool member is selected and leave the destination address for all other requests to the pool untranslated? If so, you could use the node command in an iRule.
Can you give a bit more background on what traffic is being passed through the VIP and what address translation you want to happen under which circumstances?
Aaron
- daviddaoud2_205
Nimbostratus
First, thanks for your help. Here are the details about my configuration. I'm using BIG-IP for a VOIP platform. It's unusual, especially as BIG-IP is not used as a load balancer but mainly as a packet inspector that redirects the SIP traffic to certain SIP Application servers directly plugged to the BIG-IP.
The VS I am using to apply the iRules is a Standard VS, Destination = Network (0.0.0.0/0.0.0.0), configured for UDP, port 5060, with a SIP Profile.
Hence, in virtual address list I have only 0.0.0.0.
There are 4 machines directly plugged to the BIG-IP. Here is the type of things I want to achieve:
on eth0, one phone is connected to the BIG-IP. It is in VLAN1 (untagged).
on eth1, there is a call manager connected to the BIGIP. It is VLAN2 (untagged).
on eth2, there is a SIP AS. It is VLAN3 (untagged).
They all belong to a VLAN Group. I have added one route which is "Use Gateway 192.168.100.1" so that all traffic goes through BIGIP. The three machines are all in the same VLAN, the traffic is then untagged.
What I want to achieve is to redirect the traffic for certain SIP messages. For example, I have defined an iRule with:
    if {[SIP::method] equals "NOTIFY"} {
        pool SIPApplicationServer_pool
    }
where SIPApplicationServer_pool is a pool defined with only one member.
It does the job: when a phone on eth0 sends a NOTIFY to the call manager on eth1, BIG-IP applies the iRule and sends the packet to eth2 instead. The problem is:
- in my VS: if Address Translation is disabled, I can see the packet on the SIP AS with Wireshark, but the IP Destination address did not change. It is still the IP address of the call manager. Same if I use the command node.
- If Address Translation is enabled, it works! But all the traffic gets stuck in the BIG-IP. It doesn't know where to send the packets anymore. I see them entering but not going out.
David
- hoolio
Cirrostratus
Are you setting the pool in the rule in the CLIENT_ACCEPTED event? If so, can you disable address translation on the virtual server and test the following rule:
    when CLIENT_ACCEPTED {
        # Check if the SIP method is NOTIFY
        if {[SIP::method] equals "NOTIFY"} {
            node 1.1.1.1 5060
        }
    }
Replace 1.1.1.1 with the actual pool member address. I think this should allow you to hard code the destination IP and port for SIP NOTIFY requests only.
You might also want to add a monitor to the SIPApplicationServer_pool and use logic in the rule to check that the pool is up before setting the node to use. You can use [active_members SIPApplicationServer_pool] > 0 to see if there is at least one member marked up.
Aaron
- hoolio
Cirrostratus
Actually, I just read your post again and saw "Same if I use the command node.".
So what about taking the opposite approach and enabling address translation on the VIP, but setting the destination address to what the client requested if it's not a NOTIFY request?
    when CLIENT_ACCEPTED {
        # Check if the SIP method is not NOTIFY
        if {not ([SIP::method] equals "NOTIFY")} {
            node [IP::local_addr] 5060
        }
    }
Else, if this doesn't work, I'm interested to hear what F5 has to say.
Aaron
- Nat_Thirasuttakorn
Employee
not sure if this can help .... (I confess that I don't understand your configuration much)
but the idea is to
- enable address translation
- and in iRule, use command "forward" for traffic that you do not want to activate address translation
- use command node or pool for traffic that you want to translate address
I got this from devcentral when I asked how to mix transparent and non-transparent traffic for my http proxy irule
I guess you may have to configure appropriate routing or use command nexthop
nexthop ip
nexthop vlan ip
nexthop vlan mac
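Added example (not posted by anyone in this thread, and untested on a BIG-IP): one way to combine the suggestions above, with Address Translation enabled on the virtual server, `pool` for the NOTIFY traffic that should be re-addressed, and `forward` for everything else. It assumes the rule runs in the SIP_REQUEST event and that `forward` may be called there on your TMOS version; the pool name is the one used earlier in the thread.

```tcl
# Added example, not from the thread. Assumptions:
#  - Address Translation is ENABLED on the UDP/5060 virtual server
#  - the virtual server has a SIP profile, so SIP_REQUEST fires
#  - SIPApplicationServer_pool has a health monitor assigned
when SIP_REQUEST {
    if { [SIP::method] equals "NOTIFY" } {
        # Steer NOTIFY to the SIP AS only when the pool has a member marked up
        if { [active_members SIPApplicationServer_pool] > 0 } {
            # With address translation on, selecting the pool rewrites the
            # destination IP to the pool member (the behaviour David wanted)
            pool SIPApplicationServer_pool
        } else {
            # SIP AS is down: let the NOTIFY reach the address the phone used
            log local0. "SIP AS pool down, forwarding NOTIFY to [IP::local_addr]"
            forward
        }
    } else {
        # All other SIP methods keep their original destination address
        forward
    }
}
```

If forwarded packets still do not leave the box, the routing or `nexthop` options mentioned above are the next thing to check.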