Forum Discussion
Philippe_CLOUP
Employee
Sep 17, 2007
looking inside persistence table, through different Virtual Servers
I have created an iRule to store, using universal persistence, the following 2 things:
- the client IP address connected to the VS.
- the MAC address of the "lasthop" that sent the request t...
Deb_Allen_18
Sep 19, 2007
Historic F5 Account
The config shown is the inside pair of a firewall sandwich.
The requirement here is to force server-initiated outbound connections to traverse the same firewall as inbound connections initiated by the same client.
I think the following approach would work:
On the external pair, persist inbound traffic by source IP.
On the internal pair, first create this class cross-referencing server MAC to IP address. Class type is "string". Insert the appropriate MAC address for each internal firewall IP (must match MAC address format as returned by LINK::lasthop):
```tcl
class fw_MAC2IP {
    00:00:00:00:00:00 192.168.100.200
    00:00:00:00:00:00 192.168.100.201
}
```
The class will be used for direct outbound node selection by IP based on inbound lasthop MAC.

On the internal pair, persist inbound & outbound using the following iRule applied to both VS:
- For inbound connections, it enforces simple persistence and saves lasthop MAC by src IP for reciprocal traffic.
- For outbound connections, it looks up dest IP in session table to get fw MAC, then looks up fw MAC in class to get fw IP.
```tcl
rule bidirectional_firewall_persistence {
    when RULE_INIT {
        set ::timeout 86400
    }
    when CLIENT_ACCEPTED {
        set server ""
        set origin_vlan [LINK::vlan_id]
        log local0. "vlan ID: $origin_vlan client: [IP::remote_addr]"
        if { $origin_vlan == "4094" } {
            # for client originated connections, use server pool & simple persistence
            set session_key [IP::remote_addr]
            log local0. "client connecting from vlan $origin_vlan - session_key = >$session_key<"
            # select inbound pool by name & apply simple persistence
            pool RTR-OUT
            persist source_addr 86400
            # create/update session table entry for reciprocal traffic
            session add uie {$session_key any virtual} [LINK::lasthop] $::timeout
            log local0. "RTR-OUT pool selected, source_addr persistence & session table entry added for $session_key"
        } else {
            # for server originated conns, look up nexthop MAC for that dest IP in session table
            set session_key [IP::local_addr]
            log local0. "server connecting from vlan $origin_vlan - session_key = >$session_key<"
            set fwMAC [session lookup uie {$session_key any virtual}]
            log local0. "fwMAC found: >$fwMAC< - session_key = >$session_key<"
            if { $fwMAC != "" } {
                # If session table entry already exists, refresh to update timeout
                session add uie {$session_key any virtual} $fwMAC $::timeout
                log local0. "session table entry refreshed - session_key = >$session_key<"
                # then look up fw IP address in class by MAC
                set fwIP [findclass $fwMAC $::fw_MAC2IP " "]
                log local0. "fw IP >$fwIP< found for MAC $fwMAC - session_key = >$session_key<"
                if { $fwIP != "" } {
                    # if fw IP address is found in the class for this MAC, directly select fw node
                    log local0. "directly selecting fw node $fwIP - session_key = >$session_key<"
                    node $fwIP 0
                } else {
                    # if no fw IP address was found in the class for this MAC, log an error
                    # This should never happen if class list contains the correct data in the correct format
                    log local0. "No IP address found for MAC $fwMAC Check class list for proper entries."
                    log local0. "LB'ing outbound conn to rtr_f5 pool - session_key = >$session_key<"
                    # select outbound pool by name
                    pool rtr_f5
                }
            } else {
                # if no session table entry found, load balance the connection
                log local0. "No session table entry for $session_key. LB'ing outbound conn to rtr_f5 pool."
                # select outbound pool by name
                pool rtr_f5
            }
        }
    }
    when LB_FAILED {
        # detach and choose a new server if the selected server fails to respond.
        LB::detach
        LB::reselect
    }
}
```
HTH
/deb
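The lookup path from the answer above, modelled offline as an added Python example (not F5 code and not from the original post): it parses the v9 class format, validates the MAC entries that the answer says must match the LINK::lasthop format (assumed here to be lowercase colon-separated hex), and replays the inbound/outbound decisions including an expired session entry and a MAC that is missing from the class. The class contents and IPs are constructed placeholders.

```python
import re
import ipaddress

TIMEOUT = 86400  # same value as ::timeout in the iRule
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# Constructed sample of the v9 "string" class; the MACs are placeholders, not real firewall addresses.
FW_CLASS_TEXT = """class fw_MAC2IP {
    00:0c:29:aa:bb:01 192.168.100.200
    00:0c:29:aa:bb:02 192.168.100.201
}"""

def parse_fw_class(text):  # returns {mac: ip}, rejecting malformed entries
    body = re.search(r"\{(.*)\}", text, re.S)
    if body is None:
        raise ValueError("no class body found")
    mapping = {}
    for line in body.group(1).splitlines():
        if not line.strip():
            continue
        mac, ip = line.split()      # exactly two fields per entry
        mac = mac.lower()           # assumption: lasthop MACs are colon-separated hex
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC format: {mac}")
        ipaddress.ip_address(ip)    # raises ValueError on a bad address
        mapping[mac] = ip
    return mapping

class SessionTable:  # minimal model of the uie session table: key -> (value, expiry time)
    def __init__(self):
        self.entries = {}
    def add(self, key, value, now, timeout=TIMEOUT):
        self.entries[key] = (value, now + timeout)
    def lookup(self, key, now):
        value, expiry = self.entries.get(key, ("", 0))
        return value if now < expiry else ""   # expired entries read as empty

def inbound(table, client_ip, lasthop_mac, now):  # client-originated: record fw MAC under client IP
    table.add(client_ip, lasthop_mac.lower(), now)
    return ("pool", "RTR-OUT")

def outbound(table, fw_class, dest_ip, now):  # server-originated: dest IP -> fw MAC -> fw IP
    mac = table.lookup(dest_ip, now)
    if mac == "":
        return ("pool", "rtr_f5")   # no (or expired) session entry: load balance
    table.add(dest_ip, mac, now)    # refresh the entry's timeout
    fw_ip = fw_class.get(mac, "")
    if fw_ip == "":
        return ("pool", "rtr_f5")   # MAC missing from class: fall back to the pool
    return ("node", fw_ip)
```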