nitass
Dec 12, 2011Employee
I do not have a transparent proxy in my lab, so I have to enable address and service translation on the virtual server. SNAT is also required in my lab.
In my test you can see that when proxy_pool was down, BIG-IP sent the traffic directly to the web server. The destination address (98.137.149.56) and port (80) were not translated, because the forward command disabled translation; the source address was still SNATed to 172.28.19.80, as the second capture shows.
C:\>nslookup www.yahoo.com
Server: xxx.xxx.xxx
Address: 192.168.204.178
Non-authoritative answer:
Name: any-fp3-real.wa1.b.yahoo.com
Addresses: 72.30.2.43
98.137.149.56
Aliases: www.yahoo.com
fp3.wg1.b.yahoo.com
sg-fp3-lfb.wg1.b.yahoo.com
any-fp3-lfb.wa1.b.yahoo.com
[root@ve1023:Active] config b virtual bar list
virtual bar {
translate address enable
translate service enable
snat automap
pool proxy_pool
destination any:any
mask 0.0.0.0
ip protocol 6
rules myrule
profiles {
http {}
tcp {}
}
}
[root@ve1023:Active] config b pool proxy_pool list
pool proxy_pool {
members 192.168.12.105:3128 {}
}
[root@ve1023:Active] config b pool gateway_pool list
pool gateway_pool {
members 172.28.19.254:any {}
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
when HTTP_REQUEST {
# Purpose: decide per HTTP request whether to keep the virtual server's
# default pool (proxy_pool) or to send the request out through gateway_pool.
#
# The bypass is taken when either condition holds:
#   1. the lower-cased Host header is exactly "www.google.com", or
#   2. the pool currently selected for this connection has no active member
#      (presumably proxy_pool at this point -- confirm).
#
# NOTE(review): the Host header is supplied by the client, and this virtual
# server listens on any:any, so condition 1 is not a trustworthy criterion
# for skipping the proxy. A Host value that carries a port
# ("www.google.com:80") would also not match "equals" -- confirm intent.
# NOTE(review): condition 2 fails open. While proxy_pool is down, requests
# leave through gateway_pool without traversing the proxy, so any filtering
# or logging done on the proxy does not apply to them. Confirm this is the
# desired failure mode and alert on the pool going down.
if {[string tolower [HTTP::host]] equals "www.google.com" or \
[active_members [LB::server pool]] < 1} {
# forward leaves the destination address and port untranslated (this is what
# the second capture shows); the pool command then selects gateway_pool, whose
# only member is the gateway 172.28.19.254:any. Statement order is kept as
# tested by the author.
forward
pool gateway_pool
}
}
}
curl -I http://www.yahoo.com/
[root@ve1023:Active] config tcpdump -nni 0.0 port 80 or port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
02:58:14.159318 IP 200.200.200.101.37253 > 72.30.2.43.80: S 2842128339:2842128339(0) win 5840
02:58:14.159349 IP 72.30.2.43.80 > 200.200.200.101.37253: S 1156550803:1156550803(0) ack 2842128340 win 4380
02:58:14.160283 IP 200.200.200.101.37253 > 72.30.2.43.80: . ack 1 win 46
02:58:14.160301 IP 200.200.200.101.37253 > 72.30.2.43.80: P 1:157(156) ack 1 win 46
02:58:14.160443 IP 172.28.19.80.37253 > 192.168.12.105.3128: S 668650010:668650010(0) win 4380
02:58:14.260381 IP 72.30.2.43.80 > 200.200.200.101.37253: . ack 157 win 4536
02:58:14.325384 IP 192.168.12.105.3128 > 172.28.19.80.37253: S 1758187351:1758187351(0) ack 668650011 win 5792
02:58:14.325401 IP 172.28.19.80.37253 > 192.168.12.105.3128: . ack 1 win 4380
02:58:14.325412 IP 172.28.19.80.37253 > 192.168.12.105.3128: P 1:157(156) ack 1 win 4380
02:58:14.491573 IP 192.168.12.105.3128 > 172.28.19.80.37253: . ack 157 win 5792
02:58:14.491592 IP 192.168.12.105.3128 > 172.28.19.80.37253: P 1:365(364) ack 157 win 5792
02:58:14.491617 IP 72.30.2.43.80 > 200.200.200.101.37253: P 1:365(364) ack 157 win 4536
02:58:14.491621 IP 192.168.12.105.3128 > 172.28.19.80.37253: F 365:365(0) ack 157 win 5792
02:58:14.491628 IP 172.28.19.80.37253 > 192.168.12.105.3128: . ack 366 win 4744
02:58:14.491631 IP 72.30.2.43.80 > 200.200.200.101.37253: F 365:365(0) ack 157 win 4536
02:58:14.492247 IP 200.200.200.101.37253 > 72.30.2.43.80: . ack 365 win 54
02:58:14.492255 IP 200.200.200.101.37253 > 72.30.2.43.80: F 157:157(0) ack 366 win 54
02:58:14.492262 IP 72.30.2.43.80 > 200.200.200.101.37253: . ack 158 win 4536
02:58:14.492266 IP 172.28.19.80.37253 > 192.168.12.105.3128: F 157:157(0) ack 366 win 4744
02:58:14.657271 IP 192.168.12.105.3128 > 172.28.19.80.37253: . ack 158 win 5792
[root@ve1023:Active] config b pool proxy_pool monitor all fake
[root@ve1023:Active] config b pool proxy_pool|grep -i pool\ member
+-> POOL MEMBER proxy_pool/192.168.12.105:3128 inactive,down
curl -I http://www.yahoo.com/
[root@ve1023:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
02:59:18.619344 IP 200.200.200.101.39373 > 98.137.149.56.80: S 1710494010:1710494010(0) win 5840
02:59:18.619379 IP 98.137.149.56.80 > 200.200.200.101.39373: S 1489332666:1489332666(0) ack 1710494011 win 4380
02:59:18.620321 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 1 win 46
02:59:18.620349 IP 200.200.200.101.39373 > 98.137.149.56.80: P 1:157(156) ack 1 win 46
02:59:18.620418 IP 172.28.19.80.39373 > 98.137.149.56.80: S 3312724555:3312724555(0) win 4380
02:59:18.720813 IP 98.137.149.56.80 > 200.200.200.101.39373: . ack 157 win 4536
02:59:18.800356 IP 98.137.149.56.80 > 172.28.19.80.39373: S 3513074640:3513074640(0) ack 3312724556 win 5792
02:59:18.800377 IP 172.28.19.80.39373 > 98.137.149.56.80: . ack 1 win 4380
02:59:18.800391 IP 172.28.19.80.39373 > 98.137.149.56.80: P 1:157(156) ack 1 win 4380
02:59:18.981489 IP 98.137.149.56.80 > 172.28.19.80.39373: . ack 157 win 27
02:59:19.011277 IP 98.137.149.56.80 > 172.28.19.80.39373: P 1:835(834) ack 157 win 27
02:59:19.011315 IP 98.137.149.56.80 > 200.200.200.101.39373: P 1:835(834) ack 157 win 4536
02:59:19.012420 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 835 win 59
02:59:19.012441 IP 200.200.200.101.39373 > 98.137.149.56.80: F 157:157(0) ack 835 win 59
02:59:19.012451 IP 98.137.149.56.80 > 200.200.200.101.39373: . ack 158 win 4536
02:59:19.012456 IP 172.28.19.80.39373 > 98.137.149.56.80: F 157:157(0) ack 835 win 5214
02:59:19.195404 IP 98.137.149.56.80 > 172.28.19.80.39373: F 835:835(0) ack 158 win 27
02:59:19.195434 IP 172.28.19.80.39373 > 98.137.149.56.80: . ack 836 win 5214
02:59:19.195441 IP 98.137.149.56.80 > 200.200.200.101.39373: F 835:835(0) ack 158 win 4536
02:59:19.196481 IP 200.200.200.101.39373 > 98.137.149.56.80: . ack 836 win 59