Forum Discussion

Jison111
Jan 07, 2025

iRule to Force Source IP to Specific Backend Node

Hi everyone,

Hope someone could help me with this kind of setup. We need an iRule to force specific IPs to connect to a specific backend server of the VS. Please see the flow below.


Client (1.1.1.1) when connecting to VS1 traffic should go to Node1

Client (2.2.2.2) when connecting to VS1 traffic should go to Node2


I saw this discussion, but I think there's something to add? Instead of deny. Thank you so much.

https://community.f5.com/discussions/technicalforum/f5-whitelisting-allowing-a-specific-range-of-traffic-to-vs/195967

  • Jison111, to force a source IP to a specific pool member you can use an iRule or an LTM Policy.

    I found some information that could help answer your questions on our myf5 portal; please click on the links below.

    K43431442: Configuring an iRule to select an alternate Pool from the Default Pool based on client IP address.
    https://my.f5.com/manage/s/article/K43431442

    K73862425: Creating external data groups
    https://my.f5.com/manage/s/article/K73862425

    https://clouddocs.f5.com/api/irules/IP__client_addr.html

    I hope this helps.

  • Thanks, everyone, for your suggestions. It was solved by an iRule on each VIP.

  • Jison111 You can definitely force traffic to a specific node or pool member in a pool based on source IP, but when you do that it tends to cause some persistence issues. What I would recommend is configuring a pool for each pool member and then one pool with all three pool members in it. Use the pool with all three members as the default pool to balance traffic to, and then if a specific source IP comes in, balance traffic to the respective pool with the pool member you would like to use. This reduces the chance of the persistence issues that have been encountered before when forcing traffic to a specific node or pool member inside a pool with multiple members. So the logic should be as follows.

    client request -> VS -> pool with all pool members in it
    client request with specific source IP -> VS -> pool with single pool member for that source IP

    You would use an iRule or Traffic Policy, I prefer iRules when I can use them.
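The per-member-pool approach described above, written out as an iRule. This is an added example, not code posted in the thread or taken from the linked K43431442 article. The object names are assumptions: `pool_all` is the VS default pool holding every member, `pool_node1` and `pool_node2` each hold a single member, and `src_ip_to_pool` is an address-type data group whose record values are pool names (for example `1.1.1.1/32` -> `pool_node1`, `2.2.2.2/32` -> `pool_node2`).

```tcl
# Added example (not from the thread). Assumed objects on the BIG-IP:
#   pool_all       - default pool on VS1 containing node1 and node2
#   pool_node1     - pool containing only node1
#   pool_node2     - pool containing only node2
#   src_ip_to_pool - address-type data group, key = client IP or CIDR,
#                    value = name of the pool that source should use
when CLIENT_ACCEPTED {
    # Address-type data groups match on longest prefix, so the key can be a
    # host (/32) or a subnet. -value returns the record's value, or "" if
    # the client address matches no record.
    set target [class match -value [IP::client_addr] equals src_ip_to_pool]

    if { $target ne "" } {
        # A typo in a data-group value would otherwise be a runtime TCL error
        # that resets the connection; catch it, log it, and fall back.
        if { [catch { pool $target } err] } {
            log local0.error "src_ip_to_pool maps [IP::client_addr] to unknown pool '$target': $err"
            pool pool_all
        }
    } else {
        # No override for this source: let the default pool load balance.
        pool pool_all
    }
}
```

The data group can be created with tmsh, e.g. `create ltm data-group internal src_ip_to_pool type ip records add { 1.1.1.1/32 { data pool_node1 } 2.2.2.2/32 { data pool_node2 } }`, so adding a new client-to-node mapping later is a data-group edit rather than an iRule change. Two caveats: `IP::client_addr` is the source address as the BIG-IP sees it, so every client behind the same NAT shares one mapping; and because the pool is chosen in CLIENT_ACCEPTED, any persistence profile on the VS still applies within the selected pool, which is exactly why the single-member pools are used instead of pinning a member inside `pool_all`.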

  • Instead of iRules, you can use a GUI-based local traffic policy.

    Put node1 in pool1 and node2 in pool2.
    Create an LT policy and rules such as below,
    then attach the LT policy to the vserver.
