Forum Discussion

Sebastian_Meth's avatar
Icon for Nimbostratus rankNimbostratus
Jun 22, 2011

selective forwarding VS with IP and Port filtering



I have a setup with a F5 ltm behind a firewall. The ltm connects two IP networks.









/ \


net1 net2




The customer wants to control all traffic between these two networks (net1 and net2) via the firewall except some high bandwidth connections which should be directly routed by the F5.


My current solution is a forwarding network virtual server for with next hop pool set to the firewall.


In addition I'Ve configured a lot of more precise virtual servers (IP+Port) which accept those connections that should not be filtered by the firewall.


This solution is working fine, it's just not manageable as the number of these Virtual servers is growing too much.




So I look for a more scalable solution to handle the same functionality within a nice irule without endless if/else statements.


My idea was to use a data group in a way to check for destination IP and port and if it matches to just forward the traffic.


Is something like that possible?


Any better ideas?






2 Replies

  • Hi Sebastian,

    You could create a forwarding network virtual server and then add the destination hosts/subnets which should be sent to the firewall to a datagroup. In CLIENT_ACCEPTED, you could check if [IP::local_addr] is in the datagroup using 'class match' for v10 or matchclass for v9. Requests for the firewall would be sent to the firewall pool. All others would be sent to the gateway for the other network. Or you could reverse the logic for matching and have the hosts/subnets which do not need to go through the firewall to the datagroup.

    Here's a 10.x example:

       if {[class match [IP::local_addr] equals firewall_nets_class]}{
          pool firewall_pool
        Default action for non-matching destination hosts is to use the virtual server's default pool

  • Hi Aaron,



    thx for your quick reply, unfortunately it won't solve my problem yet, here's why:



    - default route is pointing to the firewall; therefore I cannot gather those destinations in a class/data group


    - I need to access net1 from net2 and vice versa for certain destination IPs AND Ports from net1 or net2, so I need to check for destination IP and Port in the iRule/class match command. Is that possible? All the other connections should go via the firewall.



    Btw: I'm running on V10.2