
VIP targeting VIP, preserve src and dst IP

Hi,

I tried everything and nothing worked :-(. I am running out of ideas, so either I am doing something wrong or what I need is not possible.

The idea is to have a setup like this:

client -> explicit forward proxy type VS -> ForwardIP type VS -> target server

I tried plenty of combinations to pass traffic from the forward proxy VS to the ForwardIP VS, but all failed: virtual, nexthop with snat none, translate addr disable, etc.

I need to pass traffic to the ForwardIP server after the forward proxy VS resolves the destination server from the proxy request. My idea is to be able to use AFM rules to enforce limitations on src IP:port and dst IP:port (L4 rules).

I know that it's possible to use APM ACLs, but this is not a very elegant or admin-friendly solution :-(

Everything is failing when I try to pass traffic to ForwardIP VS.

When the virtual command is used, the dst IP is changed to the ForwardIP VS or (when a wildcard VS is used) to nothing. But at least traffic is reaching the ForwardIP VS.

When nexthop is used, traffic never reaches the ForwardIP VS.

When nexthop is used with a tunnel specified (tcp forward type, on which the ForwardIP VS is enabled), I immediately get a port exhaustion message in the LTM log.

Is there any way to achieve what I need, or is it plainly impossible?

Piotr


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Piotr,

I just stumbled over this question and got an idea how this can be solved...

You could use the [sharedvar] command to store IP parameters on the front-ending VS and pass them to a back-ending VS in a VIP-targeting-VIP setup. Those variables could then be used for snat and node selection on the back-ending VS.

https://devcentral.f5.com/wiki/iRules.sharedvar.ashx

Cheers, Kai

1
Comments on this Answer
Comment made 1 month ago by Piotr Lewandowski 1162

Hi Kai,

Good to hear from you! Thanks for the tip, I think it's a nice option. Not 100% sure, but I recall that some fixes to VIP targeting VIP were planned so that preserving IPs would be possible without an iRule.

Maybe I am wrong; it was some time ago and I did not get back to this topic as the related project was abandoned.

Piotr

0

Hello Piotr, I think we have a current limitation for this: BUG 453354: "http explicit proxy doesn't work when target is VIP on same box". There may be a workaround with an iRule. I will test it and update you.

0

Hi,

Thanks for the info. Not very good news.

Let's assume that I set up a VS without a proxy profile, then extract the URL from the request using HTTP::uri, then disable the HTTP profile using HTTP::disable (or use a VS without an HTTP profile at all and use TCP::collect and TCP::payload to retrieve the target URL).

Then I can use RESOLV::lookup to retrieve the IP of the server in the URL (something that is in fact implemented in the HTTP profile in Explicit mode, as far as I understand).

Is there any way to somehow create a connection to the target host via an additional ForwardIP type VS?

Something like:

  • snat none - to preserve the client IP from the proxy request (this frontend VS is used for switching connections between several other VSs on the same BIG-IP, some of which need SNAT, so SNAT is enabled in the VS config)
  • node $target_srv_ip $target_srv_port - not a node existing on the BIG-IP, but the actual target server from the proxy request
  • virtual $forwardip_vs - my ForwardIP VS defined on the BIG-IP

Do you think it should work in such a way that the ForwardIP type VS receives a TCP connection with:

  • src IP - IP of the client sending the proxy request
  • dst IP:port - IP and port extracted from the URL inside the proxy request sent by the client

Piotr

0
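As an added illustration of Kai's sharedvar suggestion combined with the snat / node / virtual sequence Piotr sketches above (example iRules written for this page, not code from the thread or from F5), the front-end VS resolves the target named in the proxy request and hands the original source and the resolved destination to a back-end ForwardIP VS through sharedvar; the back-end VS then uses them for SNAT and node selection. The back-end VS name /Common/vs_forwardip and the DNS server 192.0.2.53 are assumed placeholders.

```tcl
# Front-end VS iRule (added example). Assumes the back-end ForwardIP VS is
# /Common/vs_forwardip and that 192.0.2.53 is a reachable DNS server (placeholder).
when RULE_INIT {
    set static::dns_server "192.0.2.53"
}
when CLIENT_ACCEPTED {
    # Declare the names to share with the targeted VS; the back-end iRule
    # must declare the same names for the link to exist.
    sharedvar orig_src_ip
    sharedvar orig_src_port
    sharedvar target_ip
    sharedvar target_port
    set orig_src_ip   [IP::client_addr]
    set orig_src_port [TCP::client_port]
}
when HTTP_REQUEST {
    # Proxy requests carry an absolute URI, e.g. GET http://www.example.com:8080/x HTTP/1.1
    set uri  [HTTP::uri]
    set host [URI::host $uri]
    set target_port [URI::port $uri]
    if { $host eq "" } { reject ; return }
    if { $target_port eq "" } { set target_port 80 }
    # Resolve the host named in the request and take the first A record
    set target_ip [lindex [RESOLV::lookup @$static::dns_server -a $host] 0]
    if { $target_ip eq "" } { reject ; return }
    # Strip "scheme://authority" so the origin receives an origin-form request line
    if { [regexp {^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]+(/.*)?$} $uri -> path] } {
        if { $path eq "" } { set path "/" }
        HTTP::uri $path
    }
    # Hand the flow to the ForwardIP VS; shared values set above travel with it
    virtual /Common/vs_forwardip
}

# Back-end ForwardIP VS iRule (/Common/vs_forwardip). Re-declares the shared
# names, then builds the server-side connection from the client's own source
# IP:port to the destination taken from the proxy request, which is what
# L4 AFM rules on this VS can match on.
when CLIENT_ACCEPTED {
    sharedvar orig_src_ip
    sharedvar orig_src_port
    sharedvar target_ip
    sharedvar target_port
    if { $target_ip eq "" } { reject ; return }
    # Preserve the client's source address and port on the server side;
    # return traffic from the origin must route back through this BIG-IP.
    snat $orig_src_ip $orig_src_port
    # Connect to the real origin, not a node configured on the BIG-IP
    node $target_ip $target_port
}
```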