
Policy to forward to a range of ports

Chause1
Cirrus

Good day,

We require a configuration that sends, as an example, ports 7001 - 7999 to a pool of backend servers.

The idea is to create a wildcard VIP (client ssl) and pool. Allow only those ports to connect to the VIP and load balance to the backend servers with the port it connected on.

How would we be able to go about creating a policy to achieve this configuration?

Thanks for helping

2 ACCEPTED SOLUTIONS

Daniel_Wolf
Nacreous

Hi @Chause1,

As an alternative, you could use a Port List. Simply create one in Shared Objects ›› Port Lists.

Daniel_Wolf_0-1679938726705.png

And assign it to the virtual server.

Daniel_Wolf_1-1679938797676.png

KR
Daniel

 


Thanks Daniel,

Will give it a go

 


11 REPLIES

Hi @Chause1 ,

You have to create an LTM policy and apply it to the VS, the rule is:

Sebastiansierra_0-1679928520644.png

Hope it works.

Chause1
Cirrus

Hi,

Thanks for the response.

I will test, I would like to deny the rest of the ports within the same policy. 

When I apply the following it seems to stop working 

Hi @Chause1 ,

You have to modify policy 1 and change Apply to traffic: local for both rules:

Sebastiansierra_0-1679992176761.png

Hope it works.

Thanks,

Would a client SSL profile have any influence on the traffic?

We receive traffic encrypted and need to decrypt to backends. I think this is causing my headache at the moment

Hi @Chause1 ,

Yes, you have to load the certificates to decrypt the traffic, because if you apply an HTTP profile without SSL certificates it is going to fail.

Hi,

I have set up the policy as follows: Policy deny only.PNG

When I run a curl I receive:

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

I am still able to telnet to the VIP on any of those ports

 

I am connecting on port 7791.

Am I wrong to be expecting a RST only or that Telnet should not work to any of those ports?

Seems that the rule worked as expected.

We decided to go the data group route.

Thanks for your time and input 


Worked like a charm!!!

Thanks!!
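
Added example, not part of the thread and not F5's or any poster's own configuration: one way to express the requirement from the question (allow only 7001 - 7999 on a wildcard VIP, reset everything else) as an iRule. The pool name `pool_app_anyport` is hypothetical, and the virtual server and pool settings described in the comments are assumptions.

```tcl
# Added example iRule. Assumptions (not from the thread):
#   - attached to a wildcard-port virtual server (<VIP>:0) that has a
#     client SSL profile for decryption
#   - port translation is disabled on the virtual server
#   - pool_app_anyport (hypothetical name) has its members defined on
#     port 0 (any), so the server-side connection keeps the port the
#     client connected on
when CLIENT_ACCEPTED {
    # Destination port the client used on the VIP
    set dport [TCP::local_port]

    if { $dport >= 7001 && $dport <= 7999 } {
        # Port range from the question: load balance to the pool
        pool pool_app_anyport
    } else {
        # Record the attempt so out-of-range probes show up in /var/log/ltm
        log local0.info "Rejected [IP::client_addr] -> port $dport (outside 7001-7999)"

        # Send a TCP reset. CLIENT_ACCEPTED fires after the TCP handshake
        # has completed, so a plain telnet to a disallowed port still
        # connects briefly before it is reset.
        reject
        return
    }
}
```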