Forum Discussion
sstafford
Nimbostratus
Dec 15, 2009
iRules and Internet connections for Servers with non-routable IP addresses
Hi all,
I have a situation I'm trying to address via an iRule on the BigIP, and wanted to see what you think.
We have an internal vlan routed by an F5 that consists of private, non-routable ip addresses, for servers that don't need to reach out beyond the campus network. We have a number of servers in that vlan that are not load-balanced at present--they need to be in that vlan as they use multicast to communicate with servers in the vlan that are load-balanced. When they do need to reach out to other servers on campus, communications flow through a wildcard virtual server, as do incoming connections from campus servers. When this was originally set up, we told the customers' developers to test the setup and make sure everything they needed worked--which of course they failed to do.
It turns out that every so often, applications on these servers initiate a connection out to the Internet and download some inventory information--a function which is now broken. FYI, though it does not matter at present--the return connection is apt to come in on any port.
I think I can address this for each of the servers by putting them in a pool and setting up an iRule based on the destination ip address of the outgoing connection from the servers in the internal vlan--campus ip addresses are sent to the wildcard router, and outside ip addresses are sent to a virtual server on the external vlan, SNAT'ed to a public IP, and sent out to the internet.
What I'm asking you all is--is that possible? What else might I need to set up for this to work?
Thanks,
- hoolio
Cirrostratus
Which protocols are the servers using when acting as clients and originating connections to the internet? Is it active FTP or another protocol where the server tries to originate a connection?
- sstafford
Nimbostratus
We've just run across this, but there's a number of protocols that the servers in question use. Off the top of my head there will be FTP, HTTP, HTTPS, Oracle and MySQL, just for starters--not all from the same server. The servers in question are already using a forwarding network virtual server for campus connections, which for various reasons can't be snatted.
- hoolio
Cirrostratus
You'll need something between the servers (acting as clients) and the internet to perform source address translation. Is the existing VIP defined as 0.0.0.0:0? Could you use the existing forwarding network VIP, but use an iRule to selectively enable SNAT for non-local subnets (or disable SNAT for local subnets)?
- sstafford
Nimbostratus
The existing VIP is defined as 0.0.0.0:0, so that's what I'm trying at the moment, assuming that IP::remote_addr contains the destination IP address. There's an example from the architecting class that I'm trying to modify.

```tcl
when CLIENT_ACCEPTED {
    # check to see if client ip is in the class
    if { [matchclass [IP::client_addr] equals $::PrivateOnCampus] } {
        # Check to see if the remote_addr is in the class
        if { [matchclass [IP::remote_addr] equals $::OffCampusServers] } {
            # if both of the above are correct, snat it
            snat 152.xxx.xxx.xxx
        } else {
            # if no match forward without address rewrite.
            forward
        }
    }
}
```
- sstafford
Nimbostratus
Ok, I think I've got it.

```tcl
when CLIENT_ACCEPTED {
    # check to see if client ip is in the class
    if { [matchclass [IP::client_addr] equals $::privateOnCampus] } {
        # Check to see if the remote ip is in the class.
        # Since this is an outgoing connection, it will use IP::local_addr
        if { [matchclass [IP::local_addr] equals $::offCampusServers] } {
            # if both of the above are correct, log it, and snat it
            log local0. "Match [IP::client_addr] server [IP::local_addr]"
            snat 152.19.240.2
        } else {
            # if no match forward without address rewrite.
            forward
        }
    }
}
```
- hoolio
Cirrostratus
Yep, that should be fine. You shouldn't need to specify forward as that's what the VIP will do. You can just remove the else clause. But it doesn't hurt anything to have it in the rule.
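As an added example (not posted in this thread), the same selective-SNAT rule written with the `class match` data-group syntax that replaced `matchclass` and the `$::` globals, and following hoolio's suggestion of disabling SNAT for campus subnets instead of listing every outside destination. The data-group names, the address ranges and the SNAT address are constructed placeholders.

```tcl
# Added example, not from the thread. Selective SNAT on a 0.0.0.0:0
# forwarding virtual server: campus-bound traffic is forwarded untouched,
# everything else has its source rewritten to a routable address.
#
# Data groups assumed to exist (tmsh; names and ranges are placeholders):
#   ltm data-group internal private_on_campus {
#       type ip
#       records { 10.10.0.0/16 { } }
#   }
#   ltm data-group internal campus_networks {
#       type ip
#       records { 10.0.0.0/8 { } 152.19.0.0/16 { } }
#   }

when CLIENT_ACCEPTED {
    # Only act on connections that originate from the private server vlan;
    # anything else keeps the virtual server's default behaviour.
    if { ![class match [IP::client_addr] equals private_on_campus] } {
        return
    }
    # On a forwarding virtual server the address the client connected to
    # is the real destination, so it is read with IP::local_addr
    # (IP::remote_addr would be the client again in this event).
    if { [class match [IP::local_addr] equals campus_networks] } {
        # Campus-bound: explicitly no SNAT, so the path that cannot be
        # snatted keeps working.
        snat none
    } else {
        # Internet-bound: log the decision and rewrite the source address.
        # 203.0.113.10 is a placeholder for the public address reserved for
        # this purpose; "snat automap" would use the egress self IP instead.
        log local0. "SNAT [IP::client_addr] -> [IP::local_addr]"
        snat 203.0.113.10
    }
}
```

Return traffic for the SNAT'ed flows comes back to the translation address, so the external vlan must route that address to the BIG-IP; the log line gives a quick way to confirm which server and destination triggered the rewrite.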