Masaru_Takahash
Mar 23, 2005

IPv6 address prefix definition

Please teach the definition method when the IPv6 address is used.

I did not get the operation for which I had hoped, though I tried various rules.

I want to make a rule that limits only the access from the 3ffe:1234:1234:5678::/64 prefix.

However, it did not operate in the following rule.

   
 [Rule 1]  
 -------------------------------------------------------  
 when CLIENT_ACCEPTED {   
   if { [IP::remote_addr] eq 3ffe:1234:1234:5678::/64 ] }  
   {   
     pool lb_pool   
   } else {   
     discard  
   }   
 }   
 -------------------------------------------------------  
    
 [Rule 2]  
 -------------------------------------------------------  
 when CLIENT_ACCEPTED {   
   if { [IP::remote_addr] eq 3ffe:1234:1234:5678::0 netmask ffff:ffff:ffff:ffff::0 ] }  
   {   
     pool lb_pool   
   } else {   
     discard  
   }   
 }   
 -------------------------------------------------------  
 

Please teach the method of defining a rule that can recognize the prefix.

3 Replies

  • unRuleY_95363
    Historic F5 Account
    As drteeth pointed out in an earlier post today: "Listen to the forum"!

    You are comparing the IP addresses as strings. Thus the application of a netmask is not observed at all. To accomplish this you need to compare the IP addresses as IP addresses by using the IP::addr command.

    Also, there is currently an issue with comparing network masks that has been corrected in 9.0.5, which involves which address you apply the mask to. In pre-9.0.5 versions, you need to apply the netmask to the host address.

    Here's an example:

     
     when CLIENT_ACCEPTED { 
        if { [IP::addr "[IP::remote_addr]/64" eq 3ffe:1234:1234:5678::] } { 
           pool lb_pool 
        } else { 
           discard 
        } 
     } 
     

    Also, you can use either / notation or " mask " notation. However, with the long netmasks of IPv6, I would suggest sticking with the / notation.

    Second example:

     
     when CLIENT_ACCEPTED { 
        if { [IP::addr "[IP::remote_addr] mask ffff:ffff:ffff:ffff::0" eq "3ffe:1234:1234:5678::"] } { 
           pool lb_pool 
        } else { 
           discard 
        } 
     } 
     

    After 9.0.5, you can do the following:

     
     when CLIENT_ACCEPTED { 
        if { [IP::addr [IP::remote_addr] eq 3ffe:1234:1234:5678::/64] } { 
           pool lb_pool 
        } else { 
           discard 
        } 
     } 
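
The difference between the string comparison in the question and the address comparisons in the reply above, modelled in Python as an added example (it is not iRule code and not from the thread or from F5). The function names and the sample client addresses are constructed for illustration; only the prefix and mask come from the thread.

```python
import ipaddress

# Prefix and mask from the thread; the client addresses below are constructed samples.
ALLOWED = ipaddress.ip_network("3ffe:1234:1234:5678::/64")
MASK = ipaddress.IPv6Address("ffff:ffff:ffff:ffff::")

def string_match(client: str) -> bool:
    """What Rule 1 effectively does: compare text, so no host address can match."""
    return client == "3ffe:1234:1234:5678::/64"

def masked_host_match(client: str) -> bool:
    """Form given for pre-9.0.5: mask the host address, then compare the
    result with the bare network address."""
    host = int(ipaddress.IPv6Address(client))
    return (host & int(MASK)) == int(ALLOWED.network_address)

def prefix_match(client: str) -> bool:
    """Form given for after 9.0.5: test the host address against the prefix."""
    return ipaddress.IPv6Address(client) in ALLOWED

def decide(client: str) -> str:
    """Default-deny: a malformed or out-of-prefix address is discarded."""
    try:
        return "pool lb_pool" if prefix_match(client) else "discard"
    except ipaddress.AddressValueError:
        return "discard"

SAMPLES = [
    "3ffe:1234:1234:5678::1",                   # inside, compressed
    "3ffe:1234:1234:5678:0:0:0:1",              # same host, uncompressed spelling
    "3FFE:1234:1234:5678:abcd:ef01:2345:6789",  # inside, upper-case hex
    "3ffe:1234:1234:5679::1",                   # neighbouring /64
    "3ffe:1234:1234:567::1",                    # group is 0567, not 5678
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} string={string_match(s)!s:5} "
              f"masked={masked_host_match(s)!s:5} -> {decide(s)}")
```

The second and third samples show a further reason text comparison is unsuitable for an allow-list: one IPv6 address has several valid spellings.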
     
  • I tested with both V9.0.2 and V9.0.4.

    When all samples were changed from "eq" to "equals", it operated correctly.

    However, only one sample operated in V9.0.4.

    V9.0.2(OK), V9.0.4(OK)
    ---------------------------------------------------------------------
     when CLIENT_ACCEPTED {
        if { [IP::addr "[IP::remote_addr]/64" equals 3ffe:1234:1234:5678::] } {
           pool lb_Pool
        } else {
           discard
        }
     }
    ---------------------------------------------------------------------

    V9.0.2(OK), V9.0.4(NG)
    ---------------------------------------------------------------------
     when CLIENT_ACCEPTED {
        if { [IP::addr "[IP::remote_addr] mask ffff:ffff:ffff:ffff::0" equals "3ffe:1234:1234:5678::"] } {
           pool lb_Pool
        } else {
           discard
        }
     }
    ---------------------------------------------------------------------

    V9.0.2(OK), V9.0.4(NG)
    ---------------------------------------------------------------------
     when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 3ffe:1234:1234:5678::/64] } {
           pool lb_Pool
        } else {
           discard
        }
     }
    ---------------------------------------------------------------------
  • unRuleY_95363
    Historic F5 Account
    Can you please open a support case with the information about when it does not work as expected? That is the best route to getting things corrected in a future release. Thanks.