Forum Discussion
Redirect to DMZ instead to Internet for a specific website
Hi Guys,
I am thinking of creating an iRule that would direct user traffic to the DMZ instead of going to the internet for a specific website (company portal). LTM is configured with 3 VLANs (dmz, internet and user).
    when HTTP_REQUEST {
        # company portal is accessible both public and local
        if { [HTTP::host] eq "www.portal.com" } {
            pool DMZ_Pool
        }
        # if not, traffic will go to the internet via the default pool of the VS
    }
I haven't tried this but would there be an issue since DNS will see the website address as public ip but it will be routed to local server?
Any suggestion on how to do this? I have seen something like DNS_REQUEST but I'm not sure how to use it.
thanks
7 Replies
- What_Lies_Bene1
Cirrostratus
OK, so are these internal users going outbound? The clients resolve the IP via DNS (is the IP a public IP?) and the traffic hits the F5 on the user VLAN, yes?
What's the Virtual Server setup?
- jake_macabuag_4
Nimbostratus
Yes, internal users going outbound hitting the F5. The DNS is a public IP since users are also accessing it from the outside. The reason for doing this is so that LAN users don't have to use a different URL whenever they access the site, whether inside or outside the office. They will just use one URL and it will be the F5 that does the controlling.
vs_outbound 0.0.0.0:any
pool default_gateway_pool (going to internet)
vlan listening on both user_vlan and dmz_vlan
snat automap

vs_portal 121.x.x.x:80
pool webportal (going to DMZ)
- What_Lies_Bene1
Cirrostratus
OK, thanks. The iRule won't work if the Virtual Server type is anything other than Standard, which I suspect yours is not; it'll also require an HTTP Profile to be assigned.
You have a couple of options, I think:
1) Change your internal DNS (assuming it's separate to the external) to point to a new Virtual Server with some sort of valid internal address, that points to the DMZ servers
2) Create a separate Virtual Server using the public IP, enable it only on the user VLAN, and assign your pool of DMZ servers. I know this sounds like it won't, but it will work. VS IPs do not need to be tied to Self IPs/physical interfaces in any way, as long as the client requests are routed to the F5 (rather than the client ARPing).
- What_Lies_Bene1
Cirrostratus
In either case, no need for an iRule (or even the HTTP Profile).
- jake_macabuag_4
Nimbostratus
I have an additional virtual server 0.0.0.0:80 (Standard) using an HTTP profile. I mapped the iRule but haven't tested it yet.
Regarding your suggestion 2: I have been thinking about that, and thanks for clarifying that it need not be tied to the subnet of the Self IP/VLAN. I'll try this one.
Many thanks
- jake_macabuag_4
Nimbostratus
So using this will work, I suppose:
vs_portal 121.x.x.x:80
pool webportal (going to DMZ)
listening on internet and user VLAN
- What_Lies_Bene1
Cirrostratus
It certainly should.
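As an added example (not code from the thread or from F5), the tmsh commands that implement option 2 above: a pool of DMZ web servers and a Virtual Server on the portal's public address that is enabled only on the user VLAN. The DMZ server addresses 10.10.10.11/12, the VLAN name user_vlan, the VS name vs_portal_internal and the public address 121.0.0.1 (standing in for the thread's 121.x.x.x) are all assumptions.

```tmsh
# Added example, not from the thread. Constructed values: 10.10.10.11/12 are
# the assumed DMZ web servers, user_vlan the assumed internal VLAN, and
# 121.0.0.1 stands in for the portal's real public IP (121.x.x.x above).

# Pool of DMZ web servers; the http monitor marks a member down when it
# stops answering HTTP, so a dead DMZ server is not selected.
create ltm pool webportal \
    monitor http \
    members add { 10.10.10.11:80 10.10.10.12:80 }

# Virtual Server on the public IP, enabled ONLY on the user VLAN.
# Internal clients that route the public IP to the F5 land here and are
# sent to the DMZ pool; traffic arriving on any other VLAN never matches
# this VS, so the external path is unchanged. SNAT automap makes the DMZ
# servers reply through the F5 instead of routing straight back to the
# client's user VLAN address.
create ltm virtual vs_portal_internal \
    destination 121.0.0.1:80 \
    ip-protocol tcp \
    vlans-enabled \
    vlans add { user_vlan } \
    pool webportal \
    source-address-translation { type automap }

# Check: the VS should list only user_vlan, and its connection counters
# should rise when an internal client browses to www.portal.com.
list ltm virtual vs_portal_internal
show ltm virtual vs_portal_internal
show ltm pool webportal members
```

The one precondition the thread calls out still applies: the internal client's route to 121.0.0.1 has to pass through the F5 (the clients' default gateway, or a route on it, points at the user-VLAN Self IP). If the clients instead reach the public IP via some other path, this VS is never hit and the request goes out to the internet as before, which is the first thing to verify if `show ltm virtual vs_portal_internal` shows no connections.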