Hello, I am new to F5 devices and load balancers in general, only having limited exposure to some Foundry devices until now. I am curious about what I've read and seen thus far about creating a virtual server and the ports it will allow connections on. Do I really need to create a new virtual server for each port that I want available or am I overlooking something and creating more work for myself? Thanks, DarkSide

You can configure a VIP on port 0 (any port) and then use an iRule or IP filters to restrict which destination ports can be used. Here is an example iRule which drops requests outside of a range of ports: when CLIENT_ACCEPTED { Check if requested port is outside 1000 - 2000 if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000}{ Drop request drop } } Aaron

In general the LTM is default-deny device, so yes if you do not configure a virtual for each port you need then the traffic will be blocked. That being said, you can create virtuals and pools on port 0 (any port). That will allow all ports to communicate on that virtual. The downside is that you have to create custom monitors for health checks on the pool, because the default monitors are set up to check whatever port the pool members are configured on. Since you can't health check port 0, you have to define a custom monitor that explicitly calls the port you need to check on the servers. So if you only need 3 or 4 ports, I would recommend going ahead and configuring one vip per port, that way you can take advantage of the granularity to be able to tweak settings as you wish (and see separate statistics). If on the other hand you have an application that might open up 100 different ports, then I'd advise using a wildcard port 0 vip and creating a custom health monitor. Denny

Aaron - I am just begining to learn the iRules and have only created simple HTTP/HTTPS redirects thus far. Your example sounds interesting and I'll have to play around some. Denny - I am indeed only concerned with a few ports, mostly HTTP, HTTPS, SSH, FTP for various hosts. The mention of the statistics, was not something I had thought about and with that in mind, can see the benefit of having the different virtuals setup. I really appreciate the replies and am glad to see that there is a good community that I can turn to with what I am sure is just the first of many questions...after I RTFM of course. :-)

If it's only a few ports and the protocol isn't the same, I agree with Denny that it's better to configure individual VIPs. As he suggested, this allows you to configure protocol-specific profiles and tweak the settings according to the protocol. The port range option is better if it's a lot of ports--particularly if it's the same protocol. Aaron

Sorry for the bump, but could someone help me out with the proper syntax for something like: when CLIENT_ACCEPTED { Check if requested port is outside 1000 - 2000 if { [TCP::client_port] < 1000 or [TCP::client_port] > 2000 or [TCP::client_port] not 3389 or [TCP::client_port] not 1500 or [TCP::client_port] not 161 }{ Drop request drop } I'm trying to allow a range (12000-13000) and several individual ports, but drop/reject the rest. Thanks, Josh

Virtual Server multiple service ports

35 Replies

benjamin_gate_3
Nimbostratus
Jul 22, 2018
Guys, I'm hitting my head against a brick wall! I'm trying to allow clients to connect only on ports 443 or 2030 but it's not working - they can connect on any port!?

I've got this iRule:

when CLIENT_ACCEPTED { if { not ([TCP::local_port] == 443) or ([TCP::local_port] == 2030) }{ reject } }

and I've followed the instructions above (same result) as well as K6018 to enable PAT on the vServer (same result); I've even tried 'serverside' and 'clientside' after local_port in the iRule (same result); I've tried drop - same result. I've also tried other iRules from other threads e.g. with words like client_port !=443...

The only time I can't connect on other ports is if I change the service port on the vServer to 443, otherwise, I can always telnet into this vServer on any of the other ports (i.e. the iRule is not working). I've bound the iRule to the vServer in the resources tab (the HTTP > HTTPS redirect worked when I bound it here so I'm thinking this is the right place?). Just to be sure, I made new vServer with no extra settings such as HTTP profile etc. but still, can go straight through. I'm on 13.1.0.8. What am I missing?
- Niels_van_Sluis
  MVP
  Jul 22, 2018
  You could try this:
  
  when CLIENT_ACCEPTED { switch [TCP::local_port] { "443" - "2030" { allow log local0.info "accept" } default { log local0.info "reject" reject } } }
benjamin_gate
Altostratus
Jul 22, 2018
Guys, I'm hitting my head against a brick wall! I'm trying to allow clients to connect only on ports 443 or 2030 but it's not working - they can connect on any port!?

I've got this iRule:

when CLIENT_ACCEPTED { if { not ([TCP::local_port] == 443) or ([TCP::local_port] == 2030) }{ reject } }

and I've followed the instructions above (same result) as well as K6018 to enable PAT on the vServer (same result); I've even tried 'serverside' and 'clientside' after local_port in the iRule (same result); I've tried drop - same result. I've also tried other iRules from other threads e.g. with words like client_port !=443...

The only time I can't connect on other ports is if I change the service port on the vServer to 443, otherwise, I can always telnet into this vServer on any of the other ports (i.e. the iRule is not working). I've bound the iRule to the vServer in the resources tab (the HTTP > HTTPS redirect worked when I bound it here so I'm thinking this is the right place?). Just to be sure, I made new vServer with no extra settings such as HTTP profile etc. but still, can go straight through. I'm on 13.1.0.8. What am I missing?
- Niels_van_Sluis
  MVP
  Jul 22, 2018
  You could try this:
  
  when CLIENT_ACCEPTED { switch [TCP::local_port] { "443" - "2030" { allow log local0.info "accept" } default { log local0.info "reject" reject } } }
benjamin_gate
Altostratus
Jul 22, 2018
Thanks for your help - same result - it's almost as though no iRules are being applied to this vServer...
kamals_48971
Nimbostratus
Jul 22, 2018
What makes you to go to irule , instead of creating simple Virtual listening on port 443 and 2030. if possible can you paste configs
benjamin_gate_3
Nimbostratus
Jul 22, 2018
Because of this: https://devcentral.f5.com/codeshare?sid=560 - I'm adapting that principle to my problem - which is a long story - but, it looks like if I can't formulate/find an iRule that's up to the task, then I'll resort to individual vServers which is also best practice for a number of reasons anyway.
- Joe_Curl_105786
  Nimbostratus
  Jul 23, 2018
  Where are you applying the iRule? It should be on the VIP. Those rules look correct and very similar to what we use here. If it is not being hit, then it does not sound like it has been applied.
- benjamin_gate_3
  Nimbostratus
  Jul 23, 2018
  I've gone to Local Traffic > Virtual Servers > click on virtual server name > Resources tab > Manage > and add the iRule
- Joe_Curl_105786
  Nimbostratus
  Jul 23, 2018
  That is the correct location to apply it.
benjamin_gate
Altostratus
Jul 22, 2018
Because of this: https://devcentral.f5.com/codeshare?sid=560 - I'm adapting that principle to my problem - which is a long story - but, it looks like if I can't formulate/find an iRule that's up to the task, then I'll resort to individual vServers which is also best practice for a number of reasons anyway.
- Joe_Curl_105786
  Nimbostratus
  Jul 23, 2018
  Where are you applying the iRule? It should be on the VIP. Those rules look correct and very similar to what we use here. If it is not being hit, then it does not sound like it has been applied.
- benjamin_gate
  Altostratus
  Jul 23, 2018
  I've gone to Local Traffic > Virtual Servers > click on virtual server name > Resources tab > Manage > and add the iRule
- Joe_Curl_105786
  Nimbostratus
  Jul 23, 2018
  That is the correct location to apply it.
jba3126
Cirrostratus
May 22, 2020
All, I'm attempting to do something similar using an Rule with and a datagroup. We have 4 proxy servers that listen on a myriad of ports. Today I have a bunch of fastl4 VIPs/Pools for each port that the proxies support (Example SSH_VS 10.10.10:22 and SSH_Pool 10.20.10.20:22, 10.20.10.21:22, 10.20.10.23:22, 10.20.10.24:22). I'd like to simplify and make it easy to expand. I'm testing setting up a wildcard VIP that has ports restricted using an iRule/Datagroup. I would also like to have a wildcard pool that contains the 4 proxies. The idea being that a user connects over a port and the VIP will pass the port straight to the proxy. Outside of the items listed in, https://support.f5.com/csp/article/K6018 is there anything other considerations for me to make seeing as these are proxy servers and not your typical web servers?
DG ltm data-group internal /Common/DMZ-LAN-Port-DG { records { FTPS_22 { data 22 } FTP_21 { data 21 } HTTPS_443 { data 443 } HTTP_80 { data 80 } } type string } iRule when CLIENT_ACCEPTED { set lport [TCP::local_port] if {! [class match -value $lport equal "DMZ-LAN-Port-DG" ] } { log local0. "Local Port:$lport not found in Data Group." }\ elseif { [class match -value $lport eq "DMZ-LAN-Port-DG" ] }{ #Traffic is allowed. Port match found in DMZ-LAN-Port-DG return } else { #Traffic is dropped. Port match not found in DMZ-LAN-Port-DG drop } } }