For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Simon_Gregory_1's avatar
Simon_Gregory_1
Icon for Nimbostratus rankNimbostratus
Jan 22, 2007

Redirect Help (but NOT over HTTP) !

Hi,

 

 

I have two LTM's on two physical sites (site A & B). I intend to install an iRule on the LTM (site A) to direct specific traffic originating from a specific source. This traffic will be directed to a Virtual Server installed on a different LTM (on site B). The application is not using the HTTP/S protocol.

 

 

when CLIENT_ACCEPTED {

 

Checks to see if remote_addr = any in the 'source_ip' class

 

 

if { [matchclass [IP::remote_addr] equals $::source_ip] } {

 

Route the connection to the remote Virtual Server (10.x.x.x:41475)

 

which is managed by a different remote LTM

 

???????????????????? 10.x.x.x:41475

 

}

 

else {

 

Send the connection to the local Pool on the local LTM

 

pool local_pool

 

}

 

}

 

 

Thanks, Simon (UK)
application delivery
dev
devops
iRules

3 Replies

  • AaronJB's avatar
    AaronJB
    Ret. Employee
    Jan 22, 2007
    My initial thoughts here are that the easiest way to accomplish this is to create a second pool on LTM A, which contains a single entry - the VIP IP on LTM B.

     

     

    Then in your iRule you can simply select the other pool.

     

     

    The downside of this is that you will be 'double processing' all the rerouted requests, as they will be passing through both LTM A, and LTM B (it also assumes that LTM A can access LTM B).

     

     

     

    Otherwise being able to redirect traffic in the same way you can with HTTP would rely on the particular protocol you are passing having some kind of 'Please see this resource instead:' message type that you could reply to the original request with.

     

     

    If that is the case then you could construct your own response to the message with the TCP::respond command - let me know if you are looking to achieve that (and what the message structure is for the protocol you are using, if you need an explicit example).

     

     

    --

     

    Aaron
  • Simon_Gregory_1's avatar
    Simon_Gregory_1
    Icon for Nimbostratus rankNimbostratus
    Jan 22, 2007
    Hi Aaron,

     

     

    Thanks for the response.

     

     

    I had not thought of creating a new pool. The solution is simpler than I thought.

     

     

    Regards, Simon
  • Mike_Graston_10's avatar
    Mike_Graston_10
    Icon for Nimbostratus rankNimbostratus
    Jan 22, 2007
    I had done something similar to this where as I needed to snat the incoming address so it would pass through the 1st F5. then the remote node/vip/IP would then route back through the original f5. Not sure of your Network topology but something to consider as you probably don't want an asymetric route.