Forum Discussion
dragonflymr
Cirrostratus
Cirrostratusirule to change source port
Hi,
I tried to find something in existing posts but failed. My issue is how to change source port of client side connection:
VS is accepting responses from www server (so from port 80) on ...
nitass_89166
Noctilucent
Noctilucenti do not have asymmetric routing in lab. what i am doing here is to snat to specific port number.
my bigip has 2 tmm. virtual server and pool member ports are 80. so, normally if source port on client-side is even, server-side will be even too. this make sure response will hit the same tmm it is sent out (by default, tmm is chosen by source port xor destination port).
anyway, it seems that when profile idle timeout is immediate, i am able to use whatever source port number on server-side (no need to be odd or even port number as source port on client-side).
configuration
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:80
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
fastl4_immediate { }
}
rules {
qux
}
source 0.0.0.0/0
vs-index 11
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
members {
200.200.200.101:80 {
address 200.200.200.101
}
}
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
when CLIENT_ACCEPTED {
snat 200.200.200.88 1111
}
}
trace
[root@ve11c:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:34:20.455993 IP 172.28.24.1.1000 > 172.28.24.10.80: S 1290584564:1290584564(0) win 512 in slot1/tmm0 lis=
02:34:20.456085 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1290584564:1290584564(0) win 512 out slot1/tmm0 lis=/Common/bar
02:34:21.457089 IP 172.28.24.1.1001 > 172.28.24.10.80: S 1397167148:1397167148(0) win 512 in slot1/tmm1 lis=
02:34:21.457178 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1397167148:1397167148(0) win 512 out slot1/tmm1 lis=/Common/bar
02:34:22.458724 IP 172.28.24.1.1002 > 172.28.24.10.80: S 1258304707:1258304707(0) win 512 in slot1/tmm0 lis=
02:34:22.458821 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1258304707:1258304707(0) win 512 out slot1/tmm0 lis=/Common/bar
dragonflymrThanks a lot. Will test it tomorrow. Not sure yet what is importance of timeout but probably will find out by trial and error :-) Do you think it matters when different clusters are processing incoming and outgoing traffic? BTW is that possible to use SNAT in FLOW_INIT event, or maybe there is no reason or sense for that? Whole setup is created in relation to using AFM module and implementing firewall solution with asymmetric routing option. Piotr- nitass_89166>Do you think it matters when different clusters are processing incoming and outgoing traffic? i cannot say if it is right/wrong or should/shouldn't but i think it can be done. >is that possible to use SNAT in FLOW_INIT event, or maybe there is no reason or sense for that? i do not know the reason why snat command is not available in FLOW_INIT. if you have a good use case, you can raise request for enhancement via support case. :-)
- dragonflymrOK, will see if it works, I did not say it won't because I did nt have yet chace to test. Thanks a lot, it's always great to have help from you! Piotr
