Forum Discussion

Nick_68091
Feb 17, 2009

RPC iRule

All,

I am new to this for sure. I am trying to write an iRule that will allow RPC traffic to pass to a single VIP with one pool associated to it. I have tried the two iRules below with no success:

===================================

    when CLIENT_ACCEPTED {
        if { [TCP::server_port] == 135 } {
            # RPC endpoint mapper port
            forward
        } elseif { [TCP::server_port] > 1023 and [TCP::server_port] < 65534 } {
            # dynamic RPC port range handed out by the endpoint mapper
            forward
        } else {
            discard
        }
    }

==================================

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 135 or \
            ( [TCP::local_port] >= 1024 and [TCP::local_port] < 65534 ) } {
            forward
        } else {
            discard
        }
    }

==================================

 

 

Any ideas??

Thanks,

Nick

5 Replies

  • What type of Virtual Server (or VIP) is this iRule applied to? Without this iRule applied, are you able to access the pool?
  • As Humphrey is hinting at, using the forward command will bypass load balancing and cause LTM to send the packets to the same IP and port that the client requested. So you wouldn't want to use this on a standard IP VIP if you want the request to be load balanced to the pool. If you are wanting to use a pool, you can change the iRule slightly:

     
     when CLIENT_ACCEPTED { 
        if { [TCP::local_port] == 135 or ( [TCP::local_port] >= 1024 and [TCP::local_port] < 65534 ) } { 
           # Do nothing.  The default pool on the VIP will be used. 
        } else { 
           # Drop the packets. 
           discard 
        } 
     } 
     

    Aaron
  • Hoolio / Humphrey I can't thank you guys enough. That makes perfect sense. Thanks a ton.
  • Guys, I must still be missing something, and my bad for not providing more details. I have a VIP set up for TCP 135 and I want the portmapper traffic to be allowed through, lest I create 65k VIPs. I applied what you mentioned, Hoolio, but I still can't get the portmapper ports (<1023) to pass through the LTM. Here is more detailed information:

     

    [root@xxxxxxx:Active] / b virtual Exch_135_vs
    VIRTUAL 10.10.1.100 UNIT 1
    | ARP: enabled
    | (cur, max, limit, tot) = (0, 81, 0, 2345)
    | (pkts,bits) in = (40493, 62.77M), out = (41673, 259.2M)
    +-> SERVER Exch_135_vs SERVICE 135
    | PVA acceleration none
    | (cur, max, limit, tot) = (0, 42, 0, 859)
    | (pkts,bits) in = (3675, 3.378M), out = (3245, 3.682M)
    | requests (total) = 649
    +-> RULE Exch_rpc_test
    | +-> CLIENT_ACCEPTED 1 total 0 fail 0 abort
    +-> POOL Exch_135_pl LB METHOD round robin MIN/CUR ACTIVE MEMBERS: 0/2
    | conns (cur, max, limit, tot) = (0, 7, 0, 110)
    | (pkts,bits) in = (2021, 2.112M), out = (1802, 2.995M)
    +-> POOL MEMBER Exch_135_pl/10.10.10.8:135 ACTIVE,UP SESSIONS ENABLED
    | | priority 1 ratio 1 dynamic ratio 1
    | | conns (cur, max, limit, tot) = (0, 4, 0, 30)
    | | (pkts,bits) in = (1241, 1.433M), out = (1160, 2.186M)
    | | requests (total) = 30
    +-> POOL MEMBER Exch_135_pl/10.10.10.45:135 ACTIVE,UP SESSIONS ENABLED
    | priority 1 ratio 1 dynamic ratio 1
    | conns (cur, max, limit, tot) = (0, 3, 0, 80)
    | (pkts,bits) in = (780, 678680), out = (642, 809248)
    | requests (total) = 80
    [root@xxxxxxx:Active] /

    [root@xxxxxxx:Active] / b virtual Exch_135_vs list
    virtual Exch_135_vs {
       destination 10.10.1.100:135
       snatpool Exch_135_sn_pl
       ip protocol tcp
       persist source_addr
       pool Exch_135_pl
       rule Exch_rpc_test
    }
    [root@xxxxxxx:Active] /

    [root@xxxxxxx:Active] / b pool Exch_135_pl
    POOL Exch_135_pl LB METHOD round robin MIN/CUR ACTIVE MEMBERS: 0/2
    | conns (cur, max, limit, tot) = (0, 7, 0, 110)
    | (pkts,bits) in = (2021, 2.112M), out = (1802, 2.995M)
    +-> POOL MEMBER Exch_135_pl/10.10.10.8:135 ACTIVE,UP SESSIONS ENABLED
    | | priority 1 ratio 1 dynamic ratio 1
    | | conns (cur, max, limit, tot) = (0, 4, 0, 30)
    | | (pkts,bits) in = (1241, 1.433M), out = (1160, 2.186M)
    | | requests (total) = 30
    +-> POOL MEMBER Exch_135_pl/10.10.10.45:135 ACTIVE,UP SESSIONS ENABLED
    | priority 1 ratio 1 dynamic ratio 1
    | conns (cur, max, limit, tot) = (0, 3, 0, 80)
    | (pkts,bits) in = (780, 678680), out = (642, 809248)
    | requests (total) = 80

    [root@xxxxxxx:Active] / b pool Exch_135_pl list
    pool Exch_135_pl {
       monitor all tcp
       member 10.10.10.8:135
       member 10.10.10.45:135
    }
    [root@xxxxxxx:Active] /

    [root@xxxxxxx:Active] / b snatpool Exch_135_sn_pl list
    snatpool Exch_135_sn_pl {
       member 10.1.1.55
    }
    [root@xxxxxxx:Active] /

     

     

    Is this LTM aware of what the portmapped port is and then only allows the mapped port back through (in which case my testing is the problem, not the iRule)? Any ideas?
  • Do you want all traffic sent to the pool members on port 135 or the port that the client made the request to? If the latter, you'll need to change the pool members to listen on port 0 (any).

    Also, if you're using a snatpool of 10.1.1.55 and you have a subnet more specific than 255.0.0.0, the pool members would need to have a route back to the BIG-IP for the snat IP. It might be better to use a SNAT address in the same subnet as the pool members (or use SNAT automap).

    Aaron
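One way to put Aaron's last reply into practice, as an added example that is not code from this thread: the iRule below assumes it is attached to a wildcard-port virtual server (destination 10.10.1.100:0, i.e. port "any") whose pool members are 10.10.10.8:0 and 10.10.10.45:0, so LTM connects to a member on whatever port the client asked for, with SNAT automap and `persist source_addr` kept from the original configuration. Because such a virtual accepts every TCP port, the iRule is the only thing narrowing it to the RPC endpoint mapper (135) and the dynamic range the mapper hands out, and it logs what it drops so the filtering decision is visible in /var/log/ltm. The virtual and pool names and the port range are assumptions, carried over from the thread.

```tcl
when CLIENT_ACCEPTED {
    # Assumed configuration (not from the thread's output):
    #   virtual Exch_rpc_vs  destination 10.10.1.100:0  pool Exch_rpc_pl
    #   pool Exch_rpc_pl     members 10.10.10.8:0 and 10.10.10.45:0
    #   snat automap, persist source_addr
    # [TCP::local_port] is the port the client connected to on the virtual.
    set port [TCP::local_port]

    if { $port == 135 } {
        # RPC endpoint mapper: fall through to the default pool.
        # No "forward" here, so the connection is load balanced to a member.
        return
    }

    if { $port >= 1024 && $port < 65534 } {
        # Dynamic RPC port assigned by the endpoint mapper (range taken from
        # the thread; narrow it if the servers' RPC dynamic range is restricted).
        return
    }

    # Anything else is not RPC traffic for this virtual: record it, then drop.
    log local0. "Dropped non-RPC connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:$port"
    discard
}
```

Keeping `persist source_addr` on the wildcard virtual matters for correctness as well as for Aaron's routing point: the client first asks port 135 for an endpoint and then opens a second connection to the dynamic port it was given, and source-address persistence is what sends that second connection to the same member that answered the first one rather than to whichever member round robin picks next.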