Forum Discussion
Sending traffic to virtual server based on client IP
- Aug 13, 2019
Hello.
You can do something like these examples
https://clouddocs.f5.com/api/irules/DNS_REQUEST.html
You can also experiment with split-DNS
https://support.f5.com/csp/article/K14421
KR,
Dario.
So I've set up a split DNS iRule; however, for some reason the client IP is not being matched to the IP entries in my datagroup. I've created two datagroups to see if the name was an issue, but that didn't resolve the problem. If I switch the configuration to a known working datagroup, split DNS works perfectly. Any ideas? Pulling my hair out.
- Aug 15, 2019
Could you share your iRule and datagroup configuration?
KR,
Dario.
- b_1, Aug 16, 2019, Altocumulus
    when DNS_REQUEST {
        if { [class match [IP::client_addr] equals datagroupname] } {
            pool practice-dnspool
        }
    }
- Aug 16, 2019
Let's try basic troubleshooting...
    when DNS_REQUEST {
        log local0. "I'm receiving a new dns request and my client IP is [IP::client_addr]"
        if { [class match [IP::client_addr] equals datagroupname] } {
            log local0. "I'm inside and my client IP is [IP::client_addr]"
            pool practice-dnspool
        }
    }
If no messages are shown in the second step, you should check the datagroup structure. Share this command output.
tmsh list ltm data-group internal datagroupname
KR,
Dario.
- b_1, Aug 16, 2019, Altocumulus
Hmm interesting - so the source IP is coming from our Authoritative DNS server - which makes sense now that I think about it. How could I get around that and/or get the value of the client IP making the actual DNS request? We've done XFF in the past with web applications but I didn't think that would be passed in a DNS packet.
- Aug 17, 2019
See this
https://devcentral.f5.com/s/articles/using-client-subnet-in-dns-requests-31948
BTW, authoritative servers shouldn't be sending queries but responding to them (cache servers should be doing that)
REF - https://www.dnsknowledge.com/whatis/authoritative-name-server/
Please, if my answer was helpful, don't forget to mark it as 'the best' or give me some upvotes. Thanks.
KR,
Dario.
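The thread's iRule extended to match on the EDNS Client Subnet (ECS) address when the query arrives from a resolver, as an added example that is not code from any poster or from the linked article. The `trusted_resolvers` data group is a hypothetical name; `datagroupname` and `practice-dnspool` are the thread's own, and the rule assumes the upstream resolver actually forwards ECS.

```tcl
# Added example. Assumed (hypothetical) data group:
#   trusted_resolvers - address data group listing the resolvers that are
#                       allowed to assert a client subnet on a client's behalf
when DNS_REQUEST {
    # Default to the packet source. When clients query through a resolver,
    # this is the resolver's address, which is why the original match failed.
    set match_ip [IP::client_addr]

    # The ECS option is written by whoever sent the packet. Honour it only
    # from known resolvers, otherwise any sender can claim an address that
    # lands in the data group and steer itself to the internal pool.
    if { [class match [IP::client_addr] equals trusted_resolvers] } {
        if { [DNS::edns0 exists] } {
            # catch covers a query that has an OPT record but no ECS option
            if { ![catch { set ecs [DNS::edns0 subnet address] }] && $ecs ne "" } {
                set match_ip $ecs
            }
        }
    }

    log local0. "DNS request from [IP::client_addr], matching on $match_ip"

    if { [class match $match_ip equals datagroupname] } {
        pool practice-dnspool
    }
}
```

The ECS value is a truncated network prefix rather than a full host address, so the entries in `datagroupname` should be subnets rather than single hosts.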