Forum Discussion

Sebastian_Meth
Jun 22, 2011

selective forwarding VS with IP and Port filtering

Hi,

I have a setup with a F5 ltm behind a firewall. The ltm connects two IP networks.

    firewall
       |
      ltm
      / \
   net1 net2

The customer wants to control all traffic between these two networks (net1 and net2) via the firewall except some high bandwidth connections which should be directly routed by the F5.

My current solution is a forwarding network virtual server for 0.0.0.0 with next hop pool set to the firewall.

In addition I've configured a lot of more precise virtual servers (IP+Port) which accept those connections that should not be filtered by the firewall.

This solution is working fine, it's just not manageable as the number of these virtual servers is growing too much.

So I look for a more scalable solution to handle the same functionality within a nice iRule without endless if/else statements.

My idea was to use a data group in a way to check for destination IP and port and if it matches to just forward the traffic.

Is something like that possible?

Any better ideas?

  • Hi Sebastian,

    You could create a forwarding network virtual server and then add the destination hosts/subnets which should be sent to the firewall to a datagroup. In CLIENT_ACCEPTED, you could check if [IP::local_addr] is in the datagroup using 'class match' for v10 or matchclass for v9. Requests for the firewall would be sent to the firewall pool. All others would be sent to the gateway for the other network. Or you could reverse the logic for matching and have the hosts/subnets which do not need to go through the firewall in the datagroup.

    Here's a 10.x example:

    when CLIENT_ACCEPTED {
       # Destination address of this connection is in the firewall datagroup:
       # send it to the firewall next-hop pool
       if { [class match [IP::local_addr] equals firewall_nets_class] } {
          pool firewall_pool
       }
       # Default action for non-matching destination hosts is to use the
       # virtual server's default pool
    }

    Aaron
  • Hi Aaron,

    thx for your quick reply, unfortunately it won't solve my problem yet, here's why:

    - default route is pointing to the firewall; therefore I cannot gather those destinations in a class/data group

    - I need to access net1 from net2 and vice versa for certain destination IPs AND Ports from net1 or net2, so I need to check for destination IP and Port in the iRule/class match command. Is that possible? All the other connections should go via the firewall.

    Btw: I'm running on V10.2
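The destination IP plus port check Sebastian asks for, written as one added v10-style iRule example (not code from Aaron or from this thread). It assumes a single 0.0.0.0:any TCP virtual server whose default pool is the firewall next hop (`firewall_pool`, the name from Aaron's reply), and two hypothetical data groups: `bypass_hosts_class` (string type, keys of the form `ip:port`) for exact host/port pairs, and `bypass_nets_class` (address type, each subnet's value a space-separated list of allowed ports) for whole subnets. Only flows that match one of those allowlist entries skip the firewall; everything else keeps the current behaviour.

```tcl
# Added example, not part of the original thread.
# Assumed data groups (names are hypothetical):
#   bypass_hosts_class (string):  "10.1.1.5:445"  "10.2.0.20:873"
#   bypass_nets_class  (address): "10.2.0.0/16" := "873 445"
# Assumed virtual server: 0.0.0.0:any, protocol TCP, default pool firewall_pool.
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED, local_addr/local_port are the destination the
    # client connected to (this VS listens on 0.0.0.0, so that is the
    # real target host and port).
    set dip   [IP::local_addr]
    set dport [TCP::local_port]
    set bypass 0

    # 1) Exact host:port allowlist entries.
    if { [class match -- "${dip}:${dport}" equals bypass_hosts_class] } {
        set bypass 1
    } else {
        # 2) Subnet entries: the matching entry's value is the list of
        #    ports allowed to bypass the firewall for that subnet.
        #    'class match -value' returns "" when nothing matches.
        set ports [class match -value -- $dip equals bypass_nets_class]
        if { $ports ne "" && [lsearch -exact $ports $dport] >= 0 } {
            set bypass 1
        }
    }

    if { $bypass } {
        # Allowlisted high-bandwidth flow: route straight to the
        # destination via the LTM routing table, skipping the firewall.
        # Logging every bypass keeps an audit trail of uninspected flows.
        log local0. "firewall bypass [IP::client_addr] -> ${dip}:${dport}"
        node $dip $dport
    } else {
        # Everything else: hand the connection to the firewall.
        pool firewall_pool
    }
}
```

Both lookups run in O(1)/longest-prefix time inside the data group, so adding a new bypass is one data group entry rather than a new virtual server. The allowlist is the only thing that decides which traffic the firewall never sees, so the data groups deserve the same change control as the firewall rule base, and the `log` line gives a per-connection record that can be reconciled against it. If the virtual server handles UDP as well, guard the `TCP::` calls with an `IP::protocol` check or use `UDP::local_port` in a separate branch.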