JD2001_41834
Nimbostratus
Jun 28, 2007
Source-Based Routing
I was wondering if anyone has ever done source-based routing with an iRule? I have 2 separate front-side networks and 2 separate back-side networks, and we are trying to keep all the traffic separate. So I need to have a default gateway for 1 subnet and a different default gateway for another subnet, like below.

    VLAN   Source         Destination   Gateway
    136    10.223.34.X    ANY           10.223.32.1
    137    10.223.53.X    ANY           10.223.36.1

Any help would be greatly appreciated.
Thanks,
4 Replies
- JRahm
Admin
define a pool for your two gateways, say gw-pool, then create a 0.0.0.0/0 virtual server applied to your internal vlans only and apply this rule to the vip:

    when CLIENT_ACCEPTED {
        # Pick the gateway pool member by the /24 the client address falls in.
        # Subnets are the ones from the table in the original question.
        if { [IP::addr [IP::client_addr]/24 equals 10.223.34.0] } {
            pool gw-pool member 10.223.32.1
        } elseif { [IP::addr [IP::client_addr]/24 equals 10.223.53.0] } {
            pool gw-pool member 10.223.36.1
        } else {
            # Your other conditions, if necessary
        }
    }

You could use the node command instead of the pool, but then you don't get the benefit of your gateway being monitored (assuming you apply one in your pool definition).
- dennypayne
Employee
You don't really have to do this with a rule; just create 2 gateway pools, one with each gateway address, and then create two wildcard VIPs (0.0.0.0:0), one enabled only on each internal VLAN (you'll have to use Performance L4 to enable All Protocols), and point those VIPs to their respective gateway pool. You'll probably have to have inbound forwarders to each internal network separately as well.
Then you won't have to evaluate the source address for every packet.
Denny
- JRahm
Admin
Good point, why complicate things unless you have to, right?
You only need the inbound forwarders if you have auto-lasthop disabled.
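Denny's two-pool, two-wildcard-VIP design, together with JRahm's note that the inbound forwarders are only needed when auto-lasthop is disabled, written out as tmsh configuration. This is an added example, not configuration from the thread or from F5: the thread is from the v9 (bigpipe) era, and this syntax is for tmsh-based releases. The VLAN names vlan136, vlan137 and ext_vlan136, the pool and virtual server names, the gateway_icmp monitor choice and the per-VLAN source restriction are assumptions; the addresses are the ones from the original post's table.

```tmsh
# Added example (not from the thread). Assumed names: vlan136, vlan137,
# ext_vlan136, gw_pool_136, gw_pool_137, fwd_vs_vlan136, fwd_vs_vlan137,
# inbound_fwd_vlan136. Addresses come from the original post's table.

# One pool per gateway, each holding a single member on port any.
# The gateway_icmp monitor is what JRahm called "the benefit of your gateway
# being monitored": if 10.223.32.1 stops answering, the member is marked down
# and the BIG-IP logs it instead of silently forwarding into a black hole.
ltm pool gw_pool_136 {
    members {
        10.223.32.1:any {
            address 10.223.32.1
        }
    }
    monitor gateway_icmp
}
ltm pool gw_pool_137 {
    members {
        10.223.36.1:any {
            address 10.223.36.1
        }
    }
    monitor gateway_icmp
}

# One wildcard virtual server per internal VLAN.
#   profiles { fastL4 }          = "Performance (Layer 4)" in the GUI
#   ip-protocol any              = "All Protocols"
#   vlans { vlan136 } + vlans-enabled
#                                = listen on that one VLAN only; this is what
#                                  keeps the two networks apart
#   source 10.223.34.0/24        = assumption: also refuse packets arriving on
#                                  vlan136 with a source outside its own subnet
#   translate-address/port disabled
#                                = forward to the real destination, never NAT
#                                  the packet to the gateway address
ltm virtual fwd_vs_vlan136 {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    pool gw_pool_136
    profiles {
        fastL4 { }
    }
    source 10.223.34.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        vlan136
    }
    vlans-enabled
}
ltm virtual fwd_vs_vlan137 {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    pool gw_pool_137
    profiles {
        fastL4 { }
    }
    source 10.223.53.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        vlan137
    }
    vlans-enabled
}

# Inbound (return-direction) forwarder towards the VLAN 136 network, needed
# only if auto-lasthop is disabled (JRahm's point). With auto-lasthop on, the
# default, the BIG-IP returns reply traffic to the MAC address the request came
# from, so no routed return path is required. The VLAN 137 forwarder mirrors
# this one with 10.223.53.0 and its own external VLAN.
ltm virtual inbound_fwd_vlan136 {
    destination 10.223.34.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        ext_vlan136
    }
    vlans-enabled
}
```

Paste the fragment into a file and load it with `tmsh load sys config merge file <path>` (or `tmsh load sys config merge from-terminal`), then check `tmsh show ltm pool gw_pool_136 members` to confirm the gateway monitor reports the member up before sending production traffic through it.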
- zafer
Nimbostratus
Hello,
I have a question about sending traffic somewhere.
Here is my physical topology:
Router --- Firewall -- F5 ---- Switch -- (servers and clients)
The F5 has 2 VLANs:
server VLAN 192.168.254.0/24
firewall VLAN 10.10.0.0/16
The Cisco switch has the private VLAN feature, and servers cannot communicate with other servers even though all those servers are in the same subnet.
The Cisco switch feature supports sending the traffic to the F5 (if servers in the same network try to communicate with each other).
At this point, I want to send all traffic to the firewall; then the firewall will block or permit it based on policy. After the policy, they can communicate with each other if the firewall accepts.
The problem is that the servers, clients and VIPs are on the same subnet
(192.168.254.0/24).
Any idea?
Thanks,
zafer