Forum Discussion
Local Traffic Policy and forward to virtual not working
Hi,
Here is overview:
- VS1 - Standard type working as a switching device - depending on some conditions, traffic should be directed to different virtual servers, for example one working as an explicit forward proxy with authentication and URL Filtering, or to a Forwarding (IP) type working as an L4 firewall (AFM policies applied). Probably this VS1 could as well be an explicit forward proxy type with the proxy disabled using iRule commands, depending on some devised logic.
- The issue with a proxy request from a client is that we know the source IP:port but not the target IP:port. The target IP:port can only be evaluated after L7 processing via parsing the HTTP request. I am doing it via an iRule so I can use the target IP:port for further processing.
- Now there is the issue I am trying to solve - how to pass traffic to another virtual using the retrieved target IP:port. If I use virtual "name of target VS", traffic is passed but the target IP:port is equal to the IP:port of the source VS.
Based on your post (as well as info from release notes of 12.0.0HF3 and 12.1.0) I tried to use this new syntax of virtual command - add retrieved target IP:port to the call: virtual "name of target VS" targetIP targetPort.
The problem is that whatever I tried to do, the target VS is always receiving traffic with the target IP:port of the sending VS instead of the target IP and target port set in the virtual command.
So either I am doing something wrong or there is some issue with this new syntax.
I am a bit puzzled by one sentence from new syntax description:
= the name of the virtual server to redirect the connection from.
How can I specify the name of the source server in an iRule attached to this server? At least I understand the above like that. Shouldn't it be:
the name of the virtual server to redirect the connection to?
Anyway I would really appreciate any example iRule that can pass traffic from one VS to another using specified IP and port. Example flow:
client -> proxyVS (proxy here is IP:port set in client browser, on BIGIP it can be any type of VS, not necessarily with explicit forward HTTP profile assigned), for example:
10.24.17.120:41234 -> 10.24.17.15:4141 (target server in proxy request 178.33.250.62:80)
proxyVS -> FirewallVS (for example Forwarding (IP) type with Destination set to 0.0.0.0/0)
10.24.17.120:41234 -> 178.33.250.62:80
FirewallVS -> target server (if AFM policy allows it based on src IP:port and dst IP:port)
192.168.75.242:41234 (SNATpool used) -> 178.33.250.62:80
The main issue in the above flow is that traffic in the step proxyVS -> FirewallVS is always passed like this:
10.24.17.120:41234 -> 10.24.17.15:4141
and of course the connection is failing 😞
Hope it makes sense now...
Piotr
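
The flow described in the post above, as an added illustration that is not part of the original post and is not an iRule: a Python sketch that derives the destination from a forward-proxy request line and lists the source/destination pair each hop should carry, which is what a firewall policy on the second virtual server would need to match. The function names and the request line are constructed for the example; the addresses are the ones given in the post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def proxy_target(request_line):
    """Return (host, port) requested by a forward-proxy HTTP request line."""
    fields = request_line.split()
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target = fields[0].upper(), fields[1]
    if method == "CONNECT":
        # authority-form (host:port): the port is mandatory, no path allowed
        parts = urlsplit("//" + target)
        if not parts.hostname or parts.port is None or parts.path or parts.query:
            raise ValueError("CONNECT target must be host:port")
        return parts.hostname, parts.port
    # absolute-form (http://host[:port]/path): the port defaults by scheme
    parts = urlsplit(target)
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not a proxy request (no absolute URI)")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme.lower()]

def expected_hops(client, listener, request_line, snat_ip):
    """(src, dst) pairs per hop for the flow in the post.

    Host names are returned unresolved; DNS lookup is left out here.
    The SNAT hop keeps the client source port, as in the post's example.
    """
    dst = proxy_target(request_line)
    return [
        ("client -> proxyVS", client, listener),
        ("proxyVS -> FirewallVS", client, dst),
        ("FirewallVS -> target server", (snat_ip, client[1]), dst),
    ]

if __name__ == "__main__":
    # Constructed request line; addresses taken from the post.
    line = "GET http://178.33.250.62/ HTTP/1.1"
    hops = expected_hops(("10.24.17.120", 41234), ("10.24.17.15", 4141),
                         line, "192.168.75.242")
    for name, src, dst in hops:
        print(f"{name}: {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}")
```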