Forum Discussion
irule to change source port
Hi,
I tried to find something in existing posts but failed. My issue is how to change source port of client side connection:
- VS is accepting responses from www server (so from port 80) on internal (wildcard VS no address and port translation)
- Source port (80) should be changed to some other port on the external VLAN
www server to VS
IP_WWW:80->IPClient_high_port (entering LTM on internal)
VSSNAT:99->IPClient_high_port (leaving LTM on external)
so src port changed from 80 to 99
Piotr
16 Replies
- giltjr
Nimbostratus
Are you sure the source port is 80? Normally port 80 is the target port (that is, the destination) for http traffic and the source port is a random high port.
- dragonflymr
Cirrostratus
Yes, I am sure. This is a kind of nPath config where the connection is entering the DC via one BIG-IP cluster and leaving via another. Each cluster is seeing just half of the connection. I am trying to find a solution for the situation when the entry cluster is using a VS with port translation, so the VS is listening on port 80 but pool members on, for example, 8080. Then the connection leaving the DC via another cluster is sourced from a different port than was the target for the entering connection - in the end the connection is reset because of the port mismatch. I need to intercept leaving packets (via a wildcard or other VS) and translate the source port back to 80. I figured out address translation using a SNAT pool but I am stuck with the source port.
Piotr
- nitass
Employee
i think you have to create 2 virtual servers; one for the request and the other one for the response. each virtual server uses a profile with immediate timeout (stateless) because if it is not stateless, the response will not hit the response virtual server (it will hit the existing connection entry in the connection table), so you cannot control the source port.
to change the source port, you may try the snat command but please note that the source port you want may not be available on that tmm depending on the disaggregation method the system uses e.g. source port xor destination port.
snat
https://devcentral.f5.com/wiki/iRules.snat.ashx
- nitass
Employee
sorry i forgot. since profile idle timeout is immediate, it seems you can use whatever port you want.
- dragonflymr
Cirrostratus
@nitass, I know how to do the asymmetric routing part (thanks to you :-). It is of course based on two VSs, one per cluster. I am struggling with the part related to the outgoing VS iRule. From your answer it seems that instead of configuring SNAT using VS options I should do it in an iRule using the SNAT command. I am not yet too fluent in this part so if you can post some iRule for that I will appreciate it a lot. I doubt there will be a problem with the port already being used as this is an answer to the client call so tuples should be different.
Piotr
- nitass_89166
Noctilucent
i do not have asymmetric routing in the lab. what i am doing here is to snat to a specific port number.
my bigip has 2 tmm. virtual server and pool member ports are 80. so, normally if the source port on the client-side is even, the server-side will be even too. this makes sure the response will hit the same tmm it was sent out from (by default, tmm is chosen by source port xor destination port).
anyway, it seems that when the profile idle timeout is immediate, i am able to use whatever source port number on the server-side (no need to be an odd or even port number like the source port on the client-side).
configuration

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fastl4_immediate { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    vs-index 11
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        snat 200.200.200.88 1111
    }
}

trace

[root@ve11c:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:34:20.455993 IP 172.28.24.1.1000 > 172.28.24.10.80: S 1290584564:1290584564(0) win 512 in slot1/tmm0 lis=
02:34:20.456085 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1290584564:1290584564(0) win 512 out slot1/tmm0 lis=/Common/bar
02:34:21.457089 IP 172.28.24.1.1001 > 172.28.24.10.80: S 1397167148:1397167148(0) win 512 in slot1/tmm1 lis=
02:34:21.457178 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1397167148:1397167148(0) win 512 out slot1/tmm1 lis=/Common/bar
02:34:22.458724 IP 172.28.24.1.1002 > 172.28.24.10.80: S 1258304707:1258304707(0) win 512 in slot1/tmm0 lis=
02:34:22.458821 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1258304707:1258304707(0) win 512 out slot1/tmm0 lis=/Common/bar
- dragonflymr
Cirrostratus
Thanks a lot. Will test it tomorrow. Not sure yet what the importance of the timeout is but probably will find out by trial and error :-) Do you think it matters when different clusters are processing incoming and outgoing traffic? BTW is it possible to use SNAT in the FLOW_INIT event, or maybe there is no reason or sense for that? The whole setup is created in relation to using the AFM module and implementing a firewall solution with the asymmetric routing option.
Piotr
- nitass_89166
Noctilucent
>Do you think it matters when different clusters are processing incoming and outgoing traffic?
i cannot say if it is right/wrong or should/shouldn't but i think it can be done.
>is that possible to use SNAT in FLOW_INIT event, or maybe there is no reason or sense for that?
i do not know the reason why the snat command is not available in FLOW_INIT. if you have a good use case, you can raise a request for enhancement via a support case. :-)
- dragonflymr
Cirrostratus
OK, will see if it works, I did not say it won't because I did not yet have a chance to test. Thanks a lot, it's always great to have help from you!
Piotr
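A check on the tmm caveat nitass raised above (a fixed SNAT port may land the pool member's reply on a different tmm than the one that sent the SYN), as an added example that is not code from this thread or from F5. It parses the SYN lines of nitass's trace and applies the "source port xor destination port" rule he describes; that rule and the two-tmm count are assumptions taken from his post, not a verified description of BIG-IP's disaggregation.

```python
import re

# Constructed sample input: the six SYNs from nitass's tcpdump trace, copied verbatim
# (two tmms; client-side SYN marked "in", SNATed server-side SYN marked "out", port 1111).
TRACE = """\
02:34:20.455993 IP 172.28.24.1.1000 > 172.28.24.10.80: S 1290584564:1290584564(0) win 512 in slot1/tmm0 lis=
02:34:20.456085 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1290584564:1290584564(0) win 512 out slot1/tmm0 lis=/Common/bar
02:34:21.457089 IP 172.28.24.1.1001 > 172.28.24.10.80: S 1397167148:1397167148(0) win 512 in slot1/tmm1 lis=
02:34:21.457178 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1397167148:1397167148(0) win 512 out slot1/tmm1 lis=/Common/bar
02:34:22.458724 IP 172.28.24.1.1002 > 172.28.24.10.80: S 1258304707:1258304707(0) win 512 in slot1/tmm0 lis=
02:34:22.458821 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1258304707:1258304707(0) win 512 out slot1/tmm0 lis=/Common/bar
"""

# Fields we need from each tcpdump line: src ip/port, dst ip/port, direction, tmm number.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): .* (in|out) slot\d+/tmm(\d+)")


def expected_tmm(src_port, dst_port, tmm_count=2):
    """Disaggregation rule as described in the thread (assumption): (source port XOR
    destination port) modulo tmm count. XOR is symmetric, so a reply hashes the same way."""
    return (src_port ^ dst_port) % tmm_count


def parse_trace(trace):
    """Return (src_ip, src_port, dst_ip, dst_port, direction, tmm) per matching line."""
    flows = []
    for line in trace.splitlines():
        m = LINE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                          m.group(5), int(m.group(6))))
    return flows


def model_matches_trace(trace, tmm_count=2):
    """True if every client-side ('in') SYN landed on the tmm the XOR rule predicts."""
    return all(expected_tmm(sport, dport, tmm_count) == tmm
               for _, sport, _, dport, direction, tmm in parse_trace(trace)
               if direction == "in")


def snat_port_mismatches(trace, tmm_count=2):
    """For each server-side ('out') SYN, report whether the pool member's reply would be
    disaggregated to a different tmm than the sender. With a stateful profile the connection
    entry lives only on the sending tmm, so mismatched flows rely on the immediate-timeout
    (stateless) profile nitass used."""
    report = []
    for _, sport, _, dport, direction, tmm in parse_trace(trace):
        if direction == "out":
            reply_tmm = expected_tmm(dport, sport, tmm_count)
            report.append({"snat_port": sport, "sent_by_tmm": tmm,
                           "reply_on_tmm": reply_tmm, "mismatch": reply_tmm != tmm})
    return report
```

With this rule the fixed port 1111 always hashes replies to tmm1, so the flows sent by tmm0 in the trace are exactly the ones the stateless profile has to cover.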
- dragonflymr
Cirrostratus
@nitass, Thanks a lot for help with iRule, working like a charm :-)
I just figured out that I am not sure what you meant by:
"sorry i forgot. since profile idle timeout is immediate, it seems you can use whatever port you want" - you mean the fastL4 Idle Timeout? I changed it to 51 (I think it was advised in some SOL for TCP - or maybe UDP - have to check it). Anyway it's not immediate but the whole setup still seems to be working without problem.
Piotr