Redirect based on source IP to an external IP

Hi All,

Question as to the best way to do this... either using an LTM or a GTM. We are migrating a service from internal to a SAS-based solution, and we want to redirect servers in a few internal subnets, if they go to the LTM VIP, to an external SAS IP/location not hosted on the LTM.

We have a total of 4 VIPS, each listening to different ports.

Internal VIP: 1.1.1.1 port 22
Internal VIP: 1.1.1.1 port 21
Internal VIP: 1.1.1.1 port 443
Internal VIP: 1.1.1.1 port 8443

Objectives:

If you come in to this VIP with a source address in 172.16.10.0/24 or 172.16.11.0/24, you get redirected to the external IP with matching ports; otherwise, if you are coming in from the 10.0.0.0/8 network or anything not matching the data group containing the above two subnets, you connect to the local LTM VIP 1.1.1.1 [port 21/22/443/8443] as normal. We only want to send connection requests to the external SAS if you come from the two 172.16.10 and .11 subnets.

Internal IP: 2.2.2.2 port 22
Internal IP: 2.2.2.2 port 21
Internal IP: 2.2.2.2 port 443
Internal IP: 2.2.2.2 port 8443

Also, in this iRule to redirect to an external IP for the non-HTTPS redirect, do you need to "proxy" this traffic through the F5 (i.e. do you need to route incoming connections to 2.2.2.2 for ports 21/22)? Note that once connections coming from 172.16.10.x and 172.16.11.x hit the LTM, they should connect directly to 2.2.2.2 and therefore not need the F5 further... can you do this, or would a GTM be a better solution for all of this? I would rather not use the GTM and do all of this on the LTM if possible.

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals REDIRECT-IF-SUBNET-IS-IN-THIS-DG] } {
        # only one redirect can be issued per request, so choose it by the
        # port the client hit on the VIP and keep the original URI
        if { [TCP::local_port] == 8443 } {
            HTTP::redirect "https://2.2.2.2:8443[HTTP::uri]"
        } else {
            HTTP::redirect "https://2.2.2.2[HTTP::uri]"
        }
        # ...what is the format to also redirect to 2.2.2.2:21
        # ...and redirect to 2.2.2.2:22
    } else {
        pool MY-INTERNAL-VIP-FOR-ALL-OTHERS
    }
}

Thanks all!

0
Comments on this Question
Comment made 5 months ago by jurgenvdmark@gmail.com 105

First of all, redirecting only works for HTTP(S) traffic. You can't redirect non-HTTP(S) traffic, because redirection isn't part of the protocol. So there is no way to let the client know that it should connect to a different host for non-HTTP(S) traffic.

For HTTP or HTTPS you can simply use an HTTP profile which redirects the traffic:

ltm profile http redirect_to_sas {
    app-service none
    fallback-host http://2.2.2.2
}

In a similar way you can make an HTTP profile to redirect for HTTPS and another to redirect for HTTPS on port 8443.

For the SSH connection you can use the node statement in an iRule (see https://devcentral.f5.com/wiki/iRules.node.ashx).

I hope this helps

0
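The `node` approach mentioned above for the ports that cannot be redirected (22, and 21 in the same way), written out as an added tmsh example that is not from the original thread. The object names sas_migrated_subnets, sas_steer_nonhttp, vs_ssh and pool_ssh_internal are assumed, and so is the use of SNAT automap:

```tmsh
# Added example, not from the original thread. Object names are assumed.
# Data group holding the two client subnets that moved to the SAS service.
ltm data-group internal sas_migrated_subnets {
    records {
        172.16.10.0/24 { }
        172.16.11.0/24 { }
    }
    type ip
}

# iRule for the 1.1.1.1:21 and 1.1.1.1:22 virtual servers. CLIENT_ACCEPTED
# fires before any payload, so it works for protocols without a redirect
# (SSH, FTP). Clients in the data group are proxied to 2.2.2.2 on the same
# port they connected to; everyone else falls through to the default pool.
ltm rule sas_steer_nonhttp {
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals sas_migrated_subnets] } {
        node 2.2.2.2 [TCP::local_port]
    }
}
}

# The port-22 virtual with the iRule attached. 2.2.2.2 is outside the LTM,
# so the LTM must be on the return path of 2.2.2.2's replies; SNAT automap
# (assumed here) guarantees that, at the cost of 2.2.2.2 seeing the LTM's
# self IP rather than the client address.
ltm virtual vs_ssh {
    destination 1.1.1.1:22
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_ssh_internal
    profiles {
        tcp { }
    }
    rules {
        sas_steer_nonhttp
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```

The same iRule attaches unchanged to the port-21 virtual because it reads the port from `TCP::local_port`. For FTP, keep an `ftp` profile on that virtual so the data channel is tracked as well; without SNAT the design only works if the LTM is already the default gateway for 172.16.10.0/24 and 172.16.11.0/24.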
Comment made 5 months ago by Kees van den Bos | kees4IP 679

Jurgen,

You can't redirect for ftp and SSH.

You could create a wildcard 1.1.1.1:* virtual server with pool member 2.2.2.2:*, port translation disabled, and source 172.16.10.0/23.

And your normal virtual servers for https/8443/21/22 without source matching.

The wildcard virtual server will forward traffic coming from the two subnets to your sas provider.

Cheers,

Kees

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Redirection would work only for HTTP(S)

For the other traffic types, you can either proxy the traffic via your LTM virtual server (by configuring the SAS as a pool member) or use DNS (GTM) to send them directly to the SAS.

0
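The proxy option in this answer, and the source-restricted wildcard virtual server Kees describes in the comments above, as an added tmsh example that is not from the original thread. The names pool_sas_any and vs_sas_passthrough are assumed, as is the use of SNAT automap:

```tmsh
# Added example, not from the original thread. Object names are assumed.
# Pool member on port 0 (any): with port translation disabled on the
# virtual, the client's destination port is carried through unchanged,
# so 1.1.1.1:443 becomes 2.2.2.2:443, 1.1.1.1:22 becomes 2.2.2.2:22, etc.
ltm pool pool_sas_any {
    members {
        2.2.2.2:0 {
            address 2.2.2.2
        }
    }
}

# Wildcard-port virtual on the existing VIP address, restricted to the two
# migrated subnets (172.16.10.0/23 covers exactly 172.16.10.0/24 and
# 172.16.11.0/24). BIG-IP selects a virtual by destination address, then
# source address, then port, so for these clients this virtual wins over
# the port-specific 1.1.1.1 virtuals that keep source 0.0.0.0/0. Everyone
# else never matches it and lands on the normal virtuals as before.
ltm virtual vs_sas_passthrough {
    destination 1.1.1.1:0
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_sas_any
    profiles {
        tcp { }
    }
    source 172.16.10.0/23
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port disabled
}

# One of the unchanged existing virtuals, for contrast: no source
# restriction, so it still serves 10.0.0.0/8 and anything else.
ltm virtual vs_https_internal {
    destination 1.1.1.1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_https_internal
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
```

Two things to check before relying on this. The wildcard port forwards every TCP port those subnets send to 1.1.1.1, not just 21/22/443/8443; if that is too broad, create four source-restricted virtuals on the specific ports instead of one wildcard. And SNAT is only optional if the LTM is already the return path for 2.2.2.2's replies to 172.16.10.0/23; otherwise the client sees replies from 2.2.2.2 rather than 1.1.1.1 and the connection fails.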
Comments on this Answer
Comment made 5 months ago by jurgenvdmark@gmail.com 105

I found another way to do this by using an LTM policy.

The beauty is, you don't need iRules and you don't have to make new virtuals; just apply the policy to your existing virtuals. It should work and it's easy to expand.

Look at the GUI to get a better picture of what the policy looks like:

ltm policy redirect_to_sas {
    controls { forwarding }
    requires { tcp http }
    rules {
        redirect_http {
            actions {
                0 {
                    http-reply
                    redirect
                    location http://2.2.2.2[HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    local
                    values { 80 }
                }
                1 {
                    tcp
                    address
                    matches
                    values { 172.16.10.0/24 172.16.11.0/24 }
                }
            }
            ordinal 2
        }
        redirect_https {
            actions {
                0 {
                    http-reply
                    redirect
                    location https://2.2.2.2[HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    local
                    values { 443 }
                }
                1 {
                    tcp
                    address
                    matches
                    values { 172.16.10.0/24 172.16.11.0/24 }
                }
            }
            ordinal 3
        }
        redirect_https_8443 {
            actions {
                0 {
                    http-reply
                    redirect
                    location https://2.2.2.2:8443[HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    local
                    values { 8443 }
                }
                1 {
                    tcp
                    address
                    matches
                    values { 172.16.10.0/24 172.16.11.0/24 }
                }
            }
            ordinal 4
        }
        redirect_ssh {
            actions {
                0 {
                    forward
                    select
                    node 2.2.2.2
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    local
                    values { 22 }
                }
                1 {
                    tcp
                    address
                    matches
                    values { 172.16.10.0/24 172.16.11.0/24 }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

Applied to a virtual, it looks as follows:

ltm virtual testjurgen {
  destination 1.1.1.1:http
  ip-protocol tcp
  mask 255.255.255.255
  policies {
    redirect_to_sas { }
  }
  profiles {
      http { }
      tcp { }
  }
  source 0.0.0.0/0
  translate-address enabled
  translate-port enabled
}
0