All, I'm attempting to do something similar using an iRule and a datagroup. We have 4 proxy servers that listen on a myriad of ports. Today I have a bunch of fastL4 VIPs/Pools for each port that the proxies support (Example: SSH_VS 10.10.10:22 and SSH_Pool 10.20.10.20:22, 10.20.10.21:22, 10.20.10.23:22, 10.20.10.24:22). I'd like to simplify and make it easy to expand. I'm testing setting up a wildcard VIP that has ports restricted using an iRule/Datagroup. I would also like to have a wildcard pool that contains the 4 proxies. The idea being that a user connects over a port and the VIP will pass the port straight to the proxy. Outside of the items listed in https://support.f5.com/csp/article/K6018, are there any other considerations for me to make, seeing as these are proxy servers and not your typical web servers?
DG
# class match compares the lookup item against record NAMES, not against the
# data field, so the allowed port number must be the record name. The service
# label is kept in the data field for logging. Type integer lets "equals" match
# the integer returned by TCP::local_port.
ltm data-group internal /Common/DMZ-LAN-Port-DG {
    records {
        21 {
            data FTP_21
        }
        22 {
            data FTPS_22
        }
        80 {
            data HTTP_80
        }
        443 {
            data HTTPS_443
        }
    }
    type integer
}
iRule
when CLIENT_ACCEPTED {
    # Port the client connected to on the wildcard virtual server
    set lport [TCP::local_port]

    # "equals" is the class match operator; it returns 1 when $lport is a
    # record name in the data group and 0 otherwise.
    if { [class match $lport equals DMZ-LAN-Port-DG] } {
        # Traffic is allowed. Port match found in DMZ-LAN-Port-DG
        return
    }

    # Default is fail-closed: anything not listed is logged and dropped.
    # Traffic is dropped. Port match not found in DMZ-LAN-Port-DG
    log local0. "Local Port:$lport not found in Data Group. Dropping."
    drop
}
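For the wiring around the data group and iRule (the wildcard pool and the wildcard-port virtual server the post describes), here is an added example in bigip.conf stanza form. It is not from the original post or from F5: the object names, the VIP address 10.10.10.10, the pool member addresses and the iRule name DMZ-LAN-Port-Filter are assumptions; substitute your own.

```tcl
# Added example, not from the original post. Object names, the VIP address
# 10.10.10.10, the member addresses and the iRule name are assumptions.

# One pool holding the four proxies, each on port 0 ("any"). With
# translate-port disabled on the virtual server, the destination port the
# client used is carried through unchanged to whichever proxy is selected.
ltm pool /Common/DMZ-Proxy-Pool {
    members {
        /Common/10.20.10.20:0 {
            address 10.20.10.20
        }
        /Common/10.20.10.21:0 {
            address 10.20.10.21
        }
        /Common/10.20.10.23:0 {
            address 10.20.10.23
        }
        /Common/10.20.10.24:0 {
            address 10.20.10.24
        }
    }
    # A port-0 member has no port of its own to health-check, so use a
    # monitor that targets a fixed port (a tcp monitor with an alias port)
    # or an ICMP monitor as here.
    monitor /Common/gateway_icmp
}

# Wildcard-port virtual server bound to one specific IP (not 0.0.0.0) so
# only traffic to the DMZ listener address reaches the iRule. ip-protocol
# is pinned to tcp because the listed services are all TCP and the iRule
# uses TCP::local_port, which is only meaningful on TCP flows.
ltm virtual /Common/DMZ-Proxy-Wildcard-VS {
    destination /Common/10.10.10.10:0
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/DMZ-Proxy-Pool
    profiles {
        /Common/fastL4 { }
    }
    # The port allow-list iRule: unlisted ports are dropped in CLIENT_ACCEPTED
    rules {
        /Common/DMZ-LAN-Port-Filter
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port disabled
}
```

Two things to check once it is loaded: that translate-port really is disabled on the virtual (otherwise every connection is sent to port 0 on the member and fails), and that the only path to the proxies is through this virtual, since with a wildcard listener the iRule's allow-list is the entire port filter and its default branch must stay fail-closed.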