Forum Discussion
Question about vLAN isolation iRule
I have a simple iRule as follows:
```tcl
when CLIENT_ACCEPTED {
    # Flows whose local (destination) address is inside the isolated subnet are blocked.
    if { [IP::addr [IP::local_addr] equals x.x.x.x/xx] } {
        # Uncomment the line below to turn on logging.
        log local0. "access not allowed: [IP::local_addr]:[TCP::local_port] - reject traffic"
        reject
    } else {
        # SNAT using this source address pool
        snatpool pool_1
        # Log the flow as client -> local; the original logged the local side twice.
        log local0. "SNATed, [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
    }
}
```
So the idea above is that if you belong to a VLAN/subnet you will NOT be able to talk to the other VLAN. This rule does work, but I don't know why: for some reason the F5 is allowing ICMP to pass through between VLANs, whereas if I try, say, telnet to port 3389 or 22 from VLAN Y to VLAN W it doesn't work (this is what I expect).
Does anyone know why ICMP is allowed through even though the rule says to reject, or does ICMP require an extra bit of code to be added?
Do note that this iRule is applied to a forwarding VS where the source is 0.0.0.0/0 and the destination is also 0.0.0.0/0.
5 Replies
- The_Bhattman
Nimbostratus
Perhaps this article can help:
https://devcentral.f5.com/s/feed/0D51T00006i7V0fSAE
https://devcentral.f5.com/questions/block-icmp-for-virtual-serversas
-=Bhattman=-
- mr_evil_116524
Nimbostratus
I have tried that rule; it doesn't work.
Any other ideas?
- StephanManthey
Nacreous
Can you prove by tcpdump that the ICMP is passed through to the other VLAN?
Is it SNATed? Depending on the S/W version there may be different behaviour for so-called default SNATs.
Personally I try to avoid them and use SNAT pools or SNAT AutoMap in combination with the virtual server configuration. What S/W version are you running?
- mr_evil_116524
Nimbostratus
Hello All,
It appears this is an issue with version 11.3.x. I have upgraded to version 11.4.1 and I can see the iRule is working as expected: it does not allow ICMP traffic to flow from VLAN A to VLAN B.
Thanks
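A protocol-aware variant of the iRule from the question, added here as an example; it was not posted by anyone in the thread. The subnet 10.10.10.0/24 and the SNAT pool name pool_1 are placeholders, and the example assumes that on a forwarding virtual server with protocol "all", ICMP and UDP flows also trigger CLIENT_ACCEPTED, where the TCP:: commands used in the original log lines are not valid. It therefore branches on IP::protocol, only reads ports on TCP and UDP flows, and uses drop rather than reject for anything that is not TCP, so the blocked ICMP case is handled explicitly instead of relying on reject. The log lines give something to compare against the tcpdump check suggested above.

```tcl
# Added example, not from the thread. The isolated subnet (x.x.x.x/xx in the
# original) and the SNAT pool name are assumed placeholders.
when CLIENT_ACCEPTED {
    # Subnet whose members must not be reachable through this forwarding VS.
    set isolated_net 10.10.10.0/24

    # IP::protocol is valid for every flow; 1 = ICMP, 6 = TCP, 17 = UDP.
    set proto [IP::protocol]

    if { [IP::addr [IP::local_addr] equals $isolated_net] } {
        # No TCP:: commands here, so this line is valid for ICMP and UDP flows too.
        log local0. "access not allowed: proto $proto [IP::client_addr] -> [IP::local_addr], blocking"
        if { $proto == 6 } {
            # TCP: answer the client with a RST
            reject
        } else {
            # ICMP/UDP: discard the packet silently
            drop
        }
        return
    }

    # Allowed flow: SNAT through the pool, then log; ports only exist for TCP/UDP.
    snatpool pool_1
    switch $proto {
        6       { set ports "[TCP::client_port] -> [TCP::local_port]" }
        17      { set ports "[UDP::client_port] -> [UDP::local_port]" }
        default { set ports "none" }
    }
    log local0. "SNATed proto $proto: [IP::client_addr] -> [IP::local_addr], ports $ports"
}
```

To verify the behaviour after applying it, send a ping and a TCP connection from a host on the isolated VLAN and watch both /var/log/ltm for the "access not allowed" lines and a tcpdump on the far-side VLAN, which should show neither the ICMP echo nor the TCP SYN arriving.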