For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Marc_zw_57558's avatar
Marc_zw_57558
Icon for Nimbostratus rankNimbostratus
Jun 11, 2008

Redirect Port 80 to Port 81 while using Layer4 Virtual Server

Hi there,

 

 

Am very new to iRules and am trying to find out if its possible and if so how I can redirect traffic coming in on port 80 to port 81 using a Performance (Layer4) Virtual Server without resorting to SNAT.

 

 

I have a VS with a VIP of 172.25.80.153:80 and I need traffic to go to the pool nodes on 172.25.80.28:81. How ever, Layer 4 VS do not perform address or port translation by default. Is it possible to perform this by using an iRule?

 

 

Thanks

 

 

Marc
application delivery
dev
devops
iRules

7 Replies

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 11, 2008
    The LTM supports this with the fastL4 profile without Irules. Just set your vip up on port 80 and your referenced pools up on port 81, the LTM will do the translation for you: 

     
 pool test-pool { 
    monitor all tcp 
    members 
       10.10.10.10:81 
       10.10.10.20:81 
 } 
 virtual test-vip { 
    pool test-pool 
    destination 10.10.8.10:80 
    ip protocol tcp 
    vlans public enable 
    profiles fastL4 
 }
  • Marc_zw_57558's avatar
    Marc_zw_57558
    Icon for Nimbostratus rankNimbostratus
    Jun 11, 2008
    I have the virtual server setup as below.

     

     

    pool rdb-ws-pool81 {

     

    monitor all http_webservice

     

    member 172.25.80.27:81

     

    member 172.25.80.28:81

     

    }

     

     

    virtual rdb-ws-vs02 {

     

    destination 172.25.80.153:http

     

    ip protocol tcp

     

    translate address disable

     

    translate service disable

     

    profile fastL4

     

    pool rdb-ws-pool81

     

    }

     

     

    For some reason, traffic being passed to the nodes is hitting port 80 and not port 81.

     

     

    Any ideas?
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 11, 2008
    That's becuase you have translation disabled, any reason why?
  • Marc_zw_57558's avatar
    Marc_zw_57558
    Icon for Nimbostratus rankNimbostratus
    Jun 11, 2008
    It was setup following the instructions in the Configuration Guide. It is using nPath routing which says to disable both Address and Port Translation.

     

     

    I did enable Port Translation but this stopped the VS from responding altogether.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 11, 2008
    nPath routing is a completely different animal.

     

     

    How will the tcp session ever establish? You are hitting IP:80, but hearing back from IP:81, which will be reset. This is why translation must be disabled for nPath routing, which means that your virtual must support the servers real port. I can't think of any way around this other than tossing nPath routing, but then, I'm just a caveman...
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jun 12, 2008
    You need to drop using nPath... nPath requires that the backend is listening on exactly the same IP & Port as the VS...

     

     

    Just get rid of the translate disable for IP & Port and it should be fine (Assuming your routing is setup such that the return traffic can pass back through the F5).

     

     

    If your default network routing isn't setup that way, you could try using LART if using Linux... Or Policy routing on your network routers...

     

     

    H