Virtual Server and DNAT to External Node
Hi Everyone,
I need to work out how I can set up a Virtual Server to basically accept traffic in and pass it on to an external FQDN node address. I am running version 11.5.4, which doesn't allow FQDNs, hence the reason for this iRule.
I just want to pass the traffic through to the destination as is, without any SSL offloading or bridging. The reason I need to do this is that the clients have to be funnelled through the F5 and their destination is the FQDN. This doesn't seem to be working, and I get the following output, which I think shows something is going wrong when the node command is invoked, as can be seen in the server connected log messages. We have multiple routing domains, with %1 being the domain this is all happening in, and I don't SNAT here because this will be done on the perimeter firewall.
The output in the log is as follows:
    : %1 has been successfully resolved
    : Setting Node %1 as the VIP member in which to forward traffic to
    : Node set to %1
    "SSL connection from 10.100.1.50%1:54095. Mapped to 10.100.1.50%1:54095 -> 10.1.1.100%1:443
I have the following configured (the virtual server, as shown by tmsh):
    ltm virtual vs-extnode {
        destination 10.1.1.100%1:https
        ip-protocol tcp
        mask 255.255.255.255
        partition S-Dev
        persist {
            /Common/source_addr {
                default yes
            }
        }
        profiles {
            /Common/fastL4 { }
        }
        rules {
            rule-externalnode
        }
        source 0.0.0.0%1/0
        translate-address disabled
        translate-port disabled
        vs-index 26
    }
The iRule (rule-externalnode):
    when CLIENT_ACCEPTED {
        set host "abc.company.com"
        # Take the first A record returned for the host
        set dest [lindex [RESOLV::lookup @8.8.8.8 -a $host] 0]
        # Append the route domain suffix before the empty-string test below
        append dest "%1"
        log local0. "$dest has been successfully resolved"
        if { $dest ne "" } {
            log local0. "Setting Node $dest as the VIP member in which to forward traffic to"
            node $dest 443
        } else {
            log local0. "No response from DNS request"
            reject
        }
    }
    when SERVER_CONNECTED {
        # Log client side, the local server-side address and the chosen server
        log local0. "SSL connection from [IP::client_addr]:[TCP::client_port]. \
            Mapped to [serverside {IP::local_addr}]:[serverside {TCP::local_port}] \
            -> [IP::server_addr]:[serverside {TCP::remote_port}]"
    }
If anyone has any ideas it would be much appreciated. Likely there is something I am just missing.
1 Reply
- dragonflymr
Cirrostratus
Hi,
But what is the exact issue you are experiencing? The logs look fine, except that it's hard to judge whether the IP given to the node command is correct or not.
log local0. "$dest has been successfully resolved" - the placement of this log message seems a bit strange: it comes before the actual test of whether the DNS resolution returned anything.
The other issue I suspect is that you are testing whether $dest is not an empty string after appending %1 to the result of your DNS query, so your test will always return true, even if the DNS resolution fails.
The log entry "Setting Node %1 as the VIP member in which to forward traffic to : Node set to %1" suggests that the DNS resolution failed.
So try moving the append inside the if that checks whether the DNS response returned anything, and then retest.
Piotr
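The restructuring Piotr describes, written out as an added example (this is not the original poster's iRule nor Piotr's code): the route-domain suffix is only appended after the lookup result has been checked, so an empty DNS answer now takes the reject branch instead of producing a node target of just "%1". The hostname, the resolver address, the route domain %1 and the target port 443 are carried over from the question as assumptions; the log wording is my own.

```tcl
when CLIENT_ACCEPTED {
    set host "abc.company.com"

    # Resolve first and keep the raw answer separate from the final
    # node target, so the emptiness test reflects the DNS result only.
    set resolved [lindex [RESOLV::lookup @8.8.8.8 -a $host] 0]

    if { $resolved ne "" } {
        # Only now attach the route domain (assumed to be %1, as in the question)
        set dest "${resolved}%1"
        log local0. "$host resolved to $resolved; forwarding connection to $dest:443"
        node $dest 443
    } else {
        # Empty lookup result: do not fall through to a bogus node target
        log local0. "DNS lookup for $host via 8.8.8.8 returned nothing; rejecting"
        reject
    }
}

when SERVER_CONNECTED {
    # Unchanged from the question: confirms what server address was actually chosen
    log local0. "Connection from [IP::client_addr]:[TCP::client_port] \
        -> [IP::server_addr]:[serverside {TCP::remote_port}]"
}
```

With this layout the SERVER_CONNECTED line is the check that matters: once resolution succeeds, [IP::server_addr] should show the resolved address with its %1 suffix rather than the virtual server's own 10.1.1.100%1, and a failed lookup shows up as a reject plus the "returned nothing" log line instead of a silent fall-through. Note that RESOLV::lookup runs for every new client connection in this form; if the lookup fails for any reason other than an empty answer, the same branch handles it because $resolved is still empty.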
