For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_G__134358's avatar
Tom_G__134358
Icon for Nimbostratus rankNimbostratus
Oct 16, 2013

Modifying GTM DNS response based on source IP - use translation field in virtual server definition

Hi,

 

I have the following setup :

 

GTM and LTM in internal DMZ. (private IP scheme)

 

GTM is configured with virtual servers defined as 1.1.1.100 (public IP) with translation field containing the actuel VS IP address on the LTM (10.10.10.100).

 

public access works fine since GTM replies with the public IP, and monitors the VS via the LTM.

 

However, when internal users access the site, I want them to access directly the private IP. Thus GTM should reply with the "translation field IP address" rather than the external IP address.

 

I tried Hamish Marson's script for that purpose (https://devcentral.f5.com/wiki/iRules.GTM-Translation.ashx), but Hamish's script uses datagroups to match the real and translated IP address.

 

I don't want to use this mechanism because it requires manual entry into the datagroup, which will only be possible using TMSH or irules Editor and I'd like to avoid using these tools to provision a new service.

 

So I tried developping my own script, based on Hamish, but I'm having a hard time getting to the virtual servers objects in order to match the IP in the DNS response to that of the virtual server.

 

I tried pools -list to access the pools, but it tells me that it's an undefined procedure (which probably means that the pools command is not usable in the context of a DNS Response event).

 

The DNS response contains the public IP and the name associated to the WIP, so I should be able to go through the following tree to gather this information : match name to Wide IP => lookup pools => lookup VS members of the pools => match IP to "IP address" field => return translation field in the same VS.

 

I know I could do it using a second WideIP for internal access, associated with different pools and different VS, but that means duplicating all entries which is a cumbersome provisioning process.

 

Does anybody have an idea how to access the VS definitions to get the information I need ?

 

Thanks !

 

Tom

 

application delivery
devops
iRules

4 Replies

  • Mohamed_Lrhazi's avatar
    Mohamed_Lrhazi
    Icon for Altocumulus rankAltocumulus
    Oct 16, 2013

    Wild guess, write your iRule under Local Traffic, if it is not already, and apply it the virtual servers there?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 16, 2013

    As Hamish relates in this post:

    https://devcentral.f5.com/questions/gtm-private-ip-versus-public-ip-in-gtm-dns-answers

    "The translation address is NOT actually for the GTM to resolve addresses to. It's actually the IP address the GTM will 'see' the remote VS as when/if it's NAT'ed between the GTM and the LTM."

    To that end, since translation address isn't really an option, you have a few alternatives. The first of course is Hamish's iRule/data group solution. A second alternative is perhaps the following:

    1. Under the respective LTM server object, create your virtual server instances manually and create TWO for each WIP. For the example iRule below, I've created virtual servers with the "_ext" and "_int" extension. Example:

      test_vs_int
test-vs_ext

    2. Add both virtual server instances to the pool.

    3. Create an address-based data group that defines your internal address space.

    4. Apply an iRule like the following: 

      when DNS_REQUEST {
    set server [lindex [lindex [members -list [LB::server pool]] 0] 1]
    set vs [string map {"_ext" "" "_int" ""} [lindex [lindex [members -list [LB::server pool]] 0] 2]]

    if { [class match [IP::client_addr] equals private_net_test] } {
        pool test_pool member "$server ${vs}_int"
    } else {
        pool test_pool member "$server ${vs}_ext"
    }
}

    The output of [members -list [LB::server pool]] will be a list of lists. Example:

    {/Common/test_pool /Common/ltm1 test_vs_ext} {/Common/test_pool /Common/ltm1 test_vs_int}

    I need the LTM server object name (ie. "/Common/ltm1"), and a virtual server name without the "_ext" or "_int" extension (ie. "test_vs"). Then, if the client is coming from the defined internal network, I'll attach the "$server ${vs}_int" pool member, otherwise the "$server ${vs}_ext" pool member.

    Admittedly this option doesn't account for availability, but it is perhaps a place to start.

  • Tom_G__134358's avatar
    Tom_G__134358
    Icon for Nimbostratus rankNimbostratus
    Oct 16, 2013

    Thanks Kevin. that would work.

     

    I could even create a second pool and apply your logic to pools instead of members. However, it defeats my purpose which was to avoid duplicating the config for the external vs internal IP.

     

    If I have to recreate two copies of VS and even two pools, I might as well create two Wide IPs and not use any iRule at all.

     

    It sounds weird to me that GTM does not support this "out of the box" since it sounds like a pretty common scenario. I've searched dev central and found tons of posts trying to solve this issue or similar issues, but to no avail.... sad.

     

    The translation field was a good fit to document the internal IP but if we can't access its value from the iRule... it won't work

     

    Thanks for your help anyways.

     

    Regards,

     

    Tom

     

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Oct 16, 2013
      At best you'd only have to create two copies of the VS and add both to the pool.