
Forum Discussion

Parveez_70209 (Nimbostratus)
Dec 29, 2014

To allow TCP Port Range

We need your suggestion here.

Here is the traffic flow of the customer accessing our web-based solution:

Customer IPSEC VPN > JDA IPSEC VPN > JDA F5

So far they have one service running on the application member server 10.1.1.1, listening on port 8880.

So we have HTTP and HTTPS virtual servers with one pool whose member is 10.1.1.1:8880. Now, as per the new requirement, the F5 needs to handle the TCP port range 7000-7999 as well.

Currently the virtual server type is Standard. What changes can we make at the pool level and the virtual server level so that it will allow the TCP port range 7000-7999 too, along with the existing listening port 8880?

Kindly guide.

Thanks and Regards PZ

 

5 Replies

  • Hi Nitass,

    Let's say I use a Standard type virtual server listening on port 0 and also set the listening port to 0 on the pool member. Will it work for any port?

    Thanks and Regards Parveez


  • Let's say I use a Standard type virtual server listening on port 0 and also set the listening port to 0 on the pool member. Will it work for any port?

    The Standard virtual server type is not mandatory. You can also use the Performance (Layer 4) virtual server type.

    Yes, you can set the pool member to any port. There is a "translate port" setting under the virtual server configuration. When it is disabled, traffic is sent to the pool member on the same destination port (the destination port is not changed).


  • OK, great. Summarizing the points and the iRule, kindly cross-check whether I am correct here:

    Keeping in mind that traffic is bidirectional, the client will reach us and fetch the data from the application servers.

    Planning the below:

    1. Disable the HTTP and HTTPS virtual servers.
    2. Modify any one of the existing virtual servers to Standard type with listening port 0.
    3. Also go back to the pool and modify the listening port of the application member server to 0.
    4. In case point 3 is correct, kindly let us know what the correct monitor would be for it.
    5. Or else, if we don't do point 3 and keep the application server's listening port as the existing 8880 rather than 0, and instead disable "Port Translation" on the virtual server, will it be the same?
    6. If all the other points are valid, and our intention is to allow ports 7000-7999 and 8880, which is currently running on the application server, then I think the below iRule should work?
    7. If the below iRule is good, should it be CLIENT_ACCEPTED or SERVER_ACCEPTED?

    when CLIENT_ACCEPTED {
        # Allow only destination ports 7000-7999, 8880 and 1521; reset anything else.
        # >= 7000 and <= 7999 so that both ends of the range are included.
        if { ([TCP::local_port] >= 7000 and [TCP::local_port] <= 7999) or [TCP::local_port] == 8880 or [TCP::local_port] == 1521 } {
            return
        }
        reject
    }

     

    Thanks and Regards PZ
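Putting Nitass's answer (port-0 virtual server, pool member on port 0, port translation disabled) together with the plan in the last post, the following is a complete configuration written as an added example for this thread; it is not code from either poster nor from F5 documentation. It is in bigip.conf syntax, so it can be applied on a BIG-IP with `tmsh load sys config merge from-terminal` (paste, then Ctrl-D). Assumed names are the VIP 203.0.113.10, the object names (tcp_8880, pool_app_anyport, restrict_ports, vs_app_anyport), the log line, and the choice of a TCP monitor that probes port 8880 explicitly: a pool member defined on port 0 gives the default `tcp` monitor no port to connect to, so the monitor carries its own destination port. Only 7000-7999 and 8880 are allowed, as the question states; 1521 from the posted iRule is left out and can be added to the `if` if that is required.

```conf
# Added example (not from the thread): wildcard-port virtual server that only
# admits the ports the application actually uses.

# Monitor: the member is on port 0, so the health check must name its own port.
ltm monitor tcp /Common/tcp_8880 {
    defaults-from /Common/tcp
    destination *:8880
    interval 5
    timeout 16
}

# Pool member on port 0 ("any"): the connection is sent to whatever destination
# port the client used, because the virtual server below has translate-port disabled.
ltm pool /Common/pool_app_anyport {
    members {
        /Common/10.1.1.1:0 {
            address 10.1.1.1
        }
    }
    monitor /Common/tcp_8880
}

# iRule: CLIENT_ACCEPTED fires once the client-side TCP connection is up, and at
# that point TCP::local_port is the destination port the client connected to on
# the wildcard virtual. Anything outside the allowed set is reset before a
# server-side connection is ever opened.
ltm rule /Common/restrict_ports {
when CLIENT_ACCEPTED {
    set port [TCP::local_port]
    if { ($port >= 7000 and $port <= 7999) or $port == 8880 } {
        return
    }
    log local0. "restrict_ports: rejected [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
    reject
}
}

# Standard virtual server on port 0 with the destination port preserved.
ltm virtual /Common/vs_app_anyport {
    destination /Common/203.0.113.10:0
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_app_anyport
    profiles {
        /Common/tcp { }
    }
    rules {
        /Common/restrict_ports
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port disabled
}
```

Two points worth checking after applying this. First, a port-0 virtual server with port translation disabled forwards every destination port to 10.1.1.1, so the iRule is the only thing keeping the rest of that host's ports off the VPN; test it by connecting to an out-of-range port (for example 7999 should connect and 8000 should be reset) and confirm the rejection shows up in /var/log/ltm. Second, the existing :80 and :443 virtual servers on the same VIP do not have to be disabled for this to work: BIG-IP matches the most specific destination first, so a virtual server with an explicit port keeps taking its own traffic and the port-0 virtual server only sees what nothing more specific claims.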