Virtual Server multiple service ports
I am new to F5 devices and load balancers in general, only having limited exposure to some Foundry devices until now. I am curious about what I've read and seen thus far about creating a virtual server and the ports it will allow connections on. Do I really need to create a new virtual server for each port that I want available or am I overlooking something and creating more work for myself?
Thanks,
DarkSide
35 Replies
- hoolio
Cirrostratus
You can configure a VIP on port 0 (any port) and then use an iRule or IP filters to restrict which destination ports can be used. Here is an example iRule which drops requests outside of a range of ports:

    when CLIENT_ACCEPTED {
        # Check if requested port is outside 1000 - 2000
        if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000 }{
            # Drop request
            drop
        }
    }

- In general the LTM is a default-deny device, so yes, if you do not configure a virtual for each port you need then the traffic will be blocked. That being said, you can create virtuals and pools on port 0 (any port). That will allow all ports to communicate on that virtual.
- DarkSideOfTheQ_
Nimbostratus
Aaron - I am just beginning to learn the iRules and have only created simple HTTP/HTTPS redirects thus far. Your example sounds interesting and I'll have to play around some.
- hoolio
Cirrostratus
If it's only a few ports and the protocol isn't the same, I agree with Denny that it's better to configure individual VIPs. As he suggested, this allows you to configure protocol-specific profiles and tweak the settings according to the protocol. The port range option is better if it's a lot of ports--particularly if it's the same protocol.
- Josh_41258
Nimbostratus
Sorry for the bump, but could someone help me out with the proper syntax for something like:

    when CLIENT_ACCEPTED {
        # Check if requested port is outside 1000 - 2000
        if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000 or [TCP::client_port] not 3389 or [TCP::client_port] not 1500 or [TCP::client_port] not 161 }{
            # Drop request
            drop
        }
    }
- hoolio
Cirrostratus
Hi Josh,

    when CLIENT_ACCEPTED {
        # Check if requested port is outside 1000 - 2000
        if { not (([TCP::local_port] > 1000 and [TCP::local_port] < 2000) or [TCP::local_port] == 3389 or [TCP::local_port] == 1500 or [TCP::local_port] == 161) }{
            # Drop request
            drop
        }
    }
- Dilip_bhapkar06
Nimbostratus
Hi, I am just beginning to learn the F5 device. I want to open 7 ports (mail related) in F5 for the same virtual server.
- Using port zero will listen for all ports, then you could use a switch statement to handle the ports you want with a default condition of discard.
- kamals_48971
Nimbostratus
But if I have to allow different range of address like 19000-20000 and 30000 - 30999 then I tried this but not sure if it is correct:

    b rule tcp_port '{
        when CLIENT_ACCEPTED {
            # Check if requested port is outside 18000 - 20999, 30000 - 30999
            if { [TCP::client_port] < 19000 or [TCP::client_port] < 30000 or [TCP::client_port] > 20999 or [TCP::client_port] > 30999 }{
                # Drop request
                drop
            }
        }
    }'

- Is it source port (client port) or destination port (virtual server port)? If it is destination, it is TCP::local_port.

    when CLIENT_ACCEPTED {
        # Check if requested port is outside 18000 - 20999, 30000 - 30999
        if { not ( [TCP::local_port] >= 18000 and [TCP::local_port] <= 20999 ) and not ( [TCP::local_port] >= 30000 and [TCP::local_port] <= 30999 ) } {
            # Drop request
            drop
        }
    }

TCP::local_port: https://devcentral.f5.com/wiki/iRules.tcp__local_port.ashx
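Added example (not from any post in this thread): one iRule for a port-0 virtual server that covers both the fixed-port case (the mail ports asked about above) and the multi-range case, by checking the destination port against a list of inclusive ranges and discarding everything else. The port values and the data-group-style list in RULE_INIT are assumptions for illustration; TCP::local_port is used because, as the last reply notes, that is the port the client connected to on the virtual server, not the client's source port.

```tcl
when RULE_INIT {
    # Allowed destination port ranges, inclusive. A single port is {p p}.
    # Values are example assumptions: common mail ports plus two ranges.
    set static::allowed_ports {
        {25 25} {110 110} {143 143} {465 465} {587 587} {993 993} {995 995}
        {19000 20999} {30000 30999}
    }
}

when CLIENT_ACCEPTED {
    # Destination port on the port-0 virtual, not the client's source port
    set port [TCP::local_port]
    set allowed 0
    foreach range $static::allowed_ports {
        set lo [lindex $range 0]
        set hi [lindex $range 1]
        if { $port >= $lo && $port <= $hi } {
            set allowed 1
            break
        }
    }
    if { !$allowed } {
        # Default-deny: record the attempt, then drop the connection
        log local0. "Dropped [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
        drop
    }
}
```

Adding or removing a port means editing only the list in RULE_INIT, and the log line gives you a record of what the port-0 listener is rejecting.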