For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Angel_Lopez_116's avatar
Angel_Lopez_116
Icon for Altostratus rankAltostratus
May 07, 2014

Redirect traffic to one VS to another

I've been asked to redirect access to a VS to another one. The problem here is that the target VS is an HTTPS VS and the BIG-IP doesn't open the SSL so I can't configure an HTTP 301 redirect.   I'...
application delivery
iptables
LTM
redirect
Angel_Lopez_116's avatar
Angel_Lopez_116
Icon for Altostratus rankAltostratus
May 07, 2014

Hi,

 

Well, I've tried the iptables approach and it didn't work as expected. I have this setup:

 

ltm virtual vs_test1 { destination 10.30.205.251:http ip-protocol tcp mask 255.255.255.255 pool pruebaszbx1 profiles { tcp { } } source 0.0.0.0/0 vlans { VLAN40 } vlans-enabled } ltm virtual vs_test2 { destination 10.30.205.252:http ip-protocol tcp mask 255.255.255.255 pool www1mobi profiles { tcp { } } source 0.0.0.0/0 vlans { VLAN40 } vlans-enabled }

 

What I want is to forward the client connections to 10.30.205.251:http to the other VS 10.30.205.252:http

 

In my production environment this scenario is with HTTPS not HTTP, and the SSL ends in the web server not in the BIG-IP so I can't make and HTTP 301 redirect.

 

I'm exploring how I could do this in the BIG-IP.

 

First try was the iptables rule... it didn't work :( connections to vs_test1 ended there and weren't redirected to vs_test2

 

Second try was the NAT as suggested, something like this:

 

ltm nat dnat_test { inherited-traffic-group true originating-address 10.30.205.252 traffic-group traffic-group-1 translation-address 10.30.205.251 vlans { VLAN40 } vlans-enabled }

 

But it didn't work neither... same result as with the iptables. Client was served by vs_test1 and not vs_test2... no destination nat I think:

 

12:24:37.830172 IP 10.30.173.102.60278 > 10.30.205.251.80: S 1891458294:1891458294(0) win 8192 12:24:37.830229 IP 10.30.205.251.80 > 10.30.173.102.60278: S 693237238:693237238(0) ack 1891458295 win 4380 12:24:37.830376 IP 10.30.173.102.60278 > 10.30.205.251.80: . ack 1 win 16425 12:24:45.560579 IP 10.30.173.102.60278 > 10.30.205.251.80: P 1:2(1) ack 1 win 16425

 

I'd expect to see the destination address (10.30.205.251) translated to (10.30.205.252)... I guess I'm getting this wrong at some point... :(

 

Regarding the "layer virtual server", do you mean a forwarding layer 2 or ip virtual server? I don't see how I'd configure a IP forwarding VS for resolving this scenario as the client would try to connect to 10.30.205.251 and I want to redirect that connection to 10.30.205.252. If I configure a forwarding VS... how it'd be?

 

I know that this scenario is a bit weird, just exploring all the posibilities...

 

Thanks!