Forum Discussion

Tony2020
May 11, 2018

Redirect based on source IP to an external IP

Hi All,

Question as to the best way to do this, either using an LTM or a GTM. We are migrating a service from internal to a SAS based solution and we want to redirect servers in a few internal subnets, if they go to the LTM VIP, to an external SAS IP/location not hosted on the LTM.

We have a total of 4 VIPs, each listening on a different port:

Internal VIP: 1.1.1.1 port 22
Internal VIP: 1.1.1.1 port 21
Internal VIP: 1.1.1.1 port 443
Internal VIP: 1.1.1.1 port 8443

Objectives:

If you come in to this VIP with a source address in 172.16.10.0/24 or 172.16.11.0/24, you will get redirected to the external IP with the matching port; otherwise, if you are coming in from the 10.0.0.0/8 network or anything not matching the data group containing the above two subnets, you connect to the local LTM VIP 1.1.1.1 [port 21/22/443/8443] as normal. We only want to send connection requests to the external SAS if you come from the two 172.16.10 and .11 subnets.

Internal IP: 2.2.2.2 port 22
Internal IP: 2.2.2.2 port 21
Internal IP: 2.2.2.2 port 443
Internal IP: 2.2.2.2 port 8443

Also, in this iRule that redirects to an external IP for the non-HTTPS redirect, do you need to "proxy" this traffic through the F5 (i.e. route incoming connections to get to 2.2.2.2 for ports 21/22)? Note that once connections coming from 172.16.10.x and 172.16.11.x hit the LTM, they should connect directly to 2.2.2.2 and therefore not need the F5 further... can you do this, or

would a GTM be a better solution for all of this? I'd rather not use the GTM and do all of this on the LTM if possible....

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals REDIRECT-IF-SUBNET-IS-IN-THIS-DG] } {
        HTTP::redirect "https://2.2.2.2"
        HTTP::redirect "https://2.2.2.2:8443"
        # ...what is the format to also redirect to 2.2.2.2:21
        # ...and redirect to 2.2.2.2:22
    } else {
        pool MY-INTERNAL-VIP-FOR-ALL-OTHERS
    }
}

Thanks all!

  • First of all, redirecting only works for HTTP(S) traffic. You can't redirect non-HTTP(S) traffic, because redirection isn't part of the protocol. So there is no way to let the client know that it should connect to a different host for non-HTTP(S) traffic.

    For HTTP or HTTPS you can simply use an HTTP profile which redirects the traffic:

    ltm profile http redirect_to_sas {
        app-service none
        fallback-host http://2.2.2.2
    }

    In a similar way you can make an HTTP profile to redirect for HTTPS and to redirect for HTTPS port 8443.

    For the SSH connection you can use the node statement in an iRule (see: https://devcentral.f5.com/wiki/iRules.node.ashx)

    I hope this helps

  • Jurgen,

    You can't redirect for FTP and SSH.

    You could create a wildcard 1.1.1.1:* VS with pool member 2.2.2.2:*, port translation disabled and with source: 172.16.10.0/23

    And your normal virtual servers for https/8443/21/22 without source matching.

    The wildcard virtual server will forward traffic coming from the two subnets to your sas provider.

    Cheers,

    Kees

  • Redirection would work only for HTTP(S)

    For the other traffic types, you can either proxy the traffic via your LTM virtual server (by configuring the sas as pool member) or use DNS (GTM) to send them directly to the sas.
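As an added example (not code from the thread or from any of the posters), here is how the "node statement" approach from the first answer and the "proxy the traffic via your LTM virtual server" approach from the last answer look as iRules, alongside the port-aware HTTP redirect the question was asking the format for. It assumes the names from the question: REDIRECT-IF-SUBNET-IS-IN-THIS-DG as an address-type data group containing 172.16.10.0/24 and 172.16.11.0/24, MY-INTERNAL-VIP-FOR-ALL-OTHERS as the existing pool, and 2.2.2.2 as the external service address. The split into two iRules and the log line are my choices, not something the thread states.

```tcl
# Added example, not code from the thread.
# iRule 1: attach to the non-HTTP virtual servers 1.1.1.1:21 and 1.1.1.1:22
# (it works for 443/8443 too if you prefer proxying over an HTTP redirect).
# Assumptions: REDIRECT-IF-SUBNET-IS-IN-THIS-DG is an address-type data group
# holding 172.16.10.0/24 and 172.16.11.0/24; MY-INTERNAL-VIP-FOR-ALL-OTHERS is
# the existing pool; 2.2.2.2 is the external service (all named in the question).
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals REDIRECT-IF-SUBNET-IS-IN-THIS-DG] } {
        # Migrated subnets: proxy the connection to the external service on the
        # same port the client hit the VIP on (21 -> 21, 22 -> 22, ...).
        # The LTM stays in the data path as a full proxy, so the virtual server
        # needs SNAT (e.g. automap) for return traffic from 2.2.2.2 to come back
        # through the F5 instead of going straight to the client.
        node 2.2.2.2 [TCP::local_port]
        log local0. "proxy [IP::client_addr]:[TCP::client_port] -> 2.2.2.2:[TCP::local_port]"
    } else {
        # Everyone else (10.0.0.0/8 etc.) keeps using the local pool.
        pool MY-INTERNAL-VIP-FOR-ALL-OTHERS
    }
}

# iRule 2: attach only to 1.1.1.1:443 and 1.1.1.1:8443. Those carry an HTTP
# profile (plus client-ssl), so a real HTTP redirect is possible there; an
# HTTP_REQUEST rule will not load on the port 21/22 virtual servers.
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals REDIRECT-IF-SUBNET-IS-IN-THIS-DG] } {
        if { [TCP::local_port] == 443 } {
            # 443 is implied by the https:// scheme, so no port in the URL.
            HTTP::redirect "https://2.2.2.2[HTTP::uri]"
        } else {
            # Any other port (8443 here) must be spelled out in the Location header.
            HTTP::redirect "https://2.2.2.2:[TCP::local_port][HTTP::uri]"
        }
    } else {
        pool MY-INTERNAL-VIP-FOR-ALL-OTHERS
    }
}
```

Two things worth checking before relying on this: with the node approach the external service sees connections arriving from the F5's SNAT address rather than from the client's 172.16.x address, so any source allow-list at the provider has to be built around that address; and a proxied FTP session on the port 21 virtual server needs an FTP profile for the data channel to be handled. The redirect rule keeps the client's path and query string via [HTTP::uri], which the original sketch left out.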