Forum Discussion

Kamiza_49017
Jan 19, 2010

Redirecting to External IP Address

Hi,

Is it possible by an iRule to redirect, based on the destination IP address, all connections to another IP address on the internet?

I am pretty new to iRules so I just want to know if it is feasible?

Thanks in advance for your help.

Regards

Brett

9 Replies

  • Hi Brett,

    Sure, you can issue a redirect to a hostname or IP address. Here are some examples:

     
     when HTTP_REQUEST {
        # Redirect all requests to a new location using a 302 status redirect
        HTTP::redirect "https://10.0.0.10/new_location.html"
     }

     when HTTP_REQUEST {
        # Redirect all requests to a new location using a 301 status
        HTTP::respond 301 Location "https://10.0.0.10/new_location.html"
     }
     

    If you want to check the destination IP address, you can use IP::local_addr. But for a virtual server defined on a single IP address, this would always be the VIP address. To check the client IP address, you can use IP::client_addr. To evaluate one IP address or subnet against another IP address or subnet, you can use the IP::addr command.

    Here are wiki links for the various commands:

    http://devcentral.f5.com/wiki/default.aspx/iRules/http__redirect

    http://devcentral.f5.com/wiki/default.aspx/iRules/http__respond

    http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr

    http://devcentral.f5.com/wiki/default.aspx/iRules/ip__local_addr

    http://devcentral.f5.com/wiki/default.aspx/iRules/ip__client_addr

    Aaron
  • spark_86682
    Historic F5 Account
    I think that Kamiza could be asking about rerouting traffic in general, not just issuing an HTTP redirect. For example, having traffic originally bound for 1.2.3.4 be sent to 5.6.7.8 instead, in a way that's transparent to the sender. And, yes, an LTM could do this via iRules.
  • Sparks, Hoolio,

    Thanks for responding.

    Sparks is correct in his description of what my problem is. I have taken a look on the iRule forums and found a thread with code in it that Hoolio created. Am I on the right track?

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=812988&view=topic

    Regards

    Brett
  • Hi Brett,

    That might be the right direction. Can you clarify what type of traffic you're trying to send and who the clients and destination addresses are? Are you wanting to do this with a wildcard (0.0.0.0) VIP?

    Thanks,

    Aaron
  • Hi Aaron,

    I believe the traffic is mainly going to be FTP/SFTP.

    Thanks

    Brett
  • Can you provide more info though on what you're trying to accomplish? Are you wanting to simply accept connections to a single IP address on port 22 and load balance those connections to a pool of SFTP servers? Do you want to do something similar for the FTP servers? Why do you think you need an iRule versus a standard VIP and pool configuration?

    Thanks,

    Aaron
  • Hi Aaron,

    In a nutshell, we have a solution (two FTP servers) that is being moved off site to another datacentre. The problem is we have roughly 600 remote devices all over the world that reference these two FTP servers by IP address, not domain name. Obviously this is going to be very time consuming, if not impossible, with the deadlines I have been given to change the remote device configuration. The IP addresses currently associated with these servers are not managed by ourselves, and the people who do manage them will not let us take a /23 of their hosting range just for two addresses. We have two F5s that are part of another shared managed solution currently in place at this site. So I was wondering if the F5 would be able to redirect traffic to another data centre based on destination IP address?

    For example:

    Ftp1 = 1.1.1.1:port 22 (in existing DC) gets mapped and traffic is redirected to 2.2.2.1:port 22 in new DC

    Ftp2 = 1.1.1.2:port 22 (in existing DC) gets mapped and traffic is redirected to 2.2.2.2:port 22 in new DC

    If this is even possible, now I have explained it a bit more, and either a standard VIP/pool or iRule configuration can achieve this, how do you think the return traffic would pass back through the F5?

    I hope this paints a clearer picture of my problem.

    Regards

    Brett
  • Hi Brett,

    Thanks, that does make things clearer.

    Not to be pedantic, but typically FTP runs on TCP ports 20/21 and SSH/SCP/SFTP runs on TCP port 22. You'll want to separate these two protocols using separate VIPs as you'll want to use an FTP profile for the FTP traffic.

    What you've described is standard "load balancing" with the minor exception that the servers are not on a network local to LTM. As long as there is a route to the remote hosts it should work fine. You'll probably need to use SNAT on the VIPs. Make sure to install the latest subversion for the version you're running as there have been some issues using SNAT on an FTP VIP. Here are a few related solutions I found searching for FTP and SNAT on AskF5:

    SOL8455: FTP traffic does not pass through a SNAT (affects 9.4.4 only)
    https://support.f5.com/kb/en-us/solutions/public/8000/400/sol8455.html

    SOL9707: Active mode FTP data connections may fail when used through a SNAT
    versions: 9.4.7, 9.4.6, 9.4.5, 9.4.4, 9.4.3, 9.4.2, 9.4.1, 9.4, 9.3.1, 9.3
    https://support.f5.com/kb/en-us/solutions/public/9000/700/sol9707.html

    For the SFTP traffic, you can configure a performance layer4 VIP with a fastL4 profile and SNAT (automap to use a floating self IP on the egress or a SNAT pool if you want to manually specify the source IP(s)). Configure the servers in a pool on port 22. That should be it.

    For the FTP traffic, configure a standard IP VIP on port 21 with an FTP profile and SNAT (automap to use a floating self IP on the egress or a SNAT pool if you want to manually specify the source IP(s)). Configure the servers in a pool on port 21.

    The firewall(s) between the clients and LTM and LTM and the servers will need to support active and passive FTP if you want LTM to.

    Aaron
  • Hi Aaron,

    Many thanks for all your help.

    Port 22 SFTP was just an example. I think we use both FTP/SFTP in this solution, so the information you provided above has been a great help.

    Once again thanks for pointing me in the right direction.

    Regards

    Brett
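
The destination-address mapping discussed in this thread, written as a single iRule for the SFTP case. This is an added example, not code from any of the posts above: it assumes a wildcard (0.0.0.0) TCP virtual server so that IP::local_addr is the address the client dialled, and it reuses the placeholder addresses from Brett's post. The rule forwards only the two listed address/port pairs and rejects everything else that reaches the wildcard listener.

```tcl
# Added example (not from the thread). Assumed setup: this rule is attached to
# a wildcard TCP virtual server; 1.1.1.x / 2.2.2.x are the thread's placeholders.
when CLIENT_ACCEPTED {
    # Handle the single-connection SFTP case only. FTP on port 21 needs its own
    # virtual server with an FTP profile, as described in the replies.
    if { [TCP::local_port] != 22 } {
        reject
        return
    }

    if { [IP::addr [IP::local_addr] equals 1.1.1.1] } {
        # SNAT so the new data centre replies to the LTM, keeping the return
        # path symmetric through this device
        snat automap
        node 2.2.2.1 22
    } elseif { [IP::addr [IP::local_addr] equals 1.1.1.2] } {
        snat automap
        node 2.2.2.2 22
    } else {
        # Unlisted destination: record it and refuse rather than forward
        log local0. "unmapped destination [IP::local_addr] from [IP::client_addr]"
        reject
    }
}
```

With SNAT in place the remote servers see the LTM's self IP as the source, so any per-client access control or audit logging on the SFTP servers has to rely on the LTM's own logs for the original client address.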