Route Back to the Original Server through VIP

Question

Hello everyone,   
&nbsp;      
&nbsp;   I received a request on establishing a very simple (but looks stupid) connection, but I don't really know how to make it successful. Hope someone could help here.     
&nbsp;      
&nbsp;   Source: One of the Load Balanced servers   
&nbsp;   Source IP: its own real IP   
&nbsp;      
&nbsp;   Destination: This server itself   
&nbsp;   Destination IP: Load Balanced VIP   
&nbsp;      
&nbsp;      
&nbsp;   I tried to use the following iRule but cannot make it   
&nbsp;      
&nbsp;   when CLIENT_ACCEPTED {     
&nbsp;     if { ([IP::addr [IP::client_addr] equals *source_ip*]) and ([IP::addr [IP::local_addr] equals *destination_vip*]) } {    
&nbsp;           node *source_ip*}   
&nbsp;   }   
&nbsp;      
&nbsp;   I know the requester has some limitations on the application so that he must work this way. Any idea how to solve this puzzle?   
&nbsp;

hooleylist · Answer

Hi Jason, 
&nbsp;  
&nbsp; So you're trying to send the request to the source IP for specific requests?  That rule looks okay for the most part.  One question: Is the destination IP of the VIP a network?  If not, why are you checking the local address?   
&nbsp;  
&nbsp; If you're forcing the load balance selection to the client IP address, you'll need to use source address translation to ensure the server replies back to itself through LTM.  You can do this in the iRule using the 'snat automap' command in the same section as the node command. 
&nbsp;  
&nbsp; Aaron

jasonc_40913 · Answer

Hi Aaron, 
&nbsp;  
&nbsp; Thanks for the reply and suggestion. I further fine tune the iRule like below 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED {   
&nbsp;   if { ([IP::addr [IP::client_addr] equals *source_ip*]) and ([matchclass [TCP::remote_port] equals 80]) } {  
&nbsp;         node *source_ip* 
&nbsp;         snat automap} 
&nbsp; } 
&nbsp;  
&nbsp; I tried to foward all port 80 traffic from this server back to itself, but it still could not work. Any idea? I tested it by using C:	elnet *VIP* 80

hooleylist · Answer

You would only need to use matchclass if you wanted to check if the remote port was in a datagroup.  Also, TCP::remote_port in a clientside event like CLIENT_ACCEPTED will return the client's source port.  TCP::local_port will check the client's destination port. 
  
 Can you try this:

when CLIENT_ACCEPTED { 
  
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]" 
  
    if { ([IP::addr [IP::client_addr] equals 1.1.1.1]) and ([TCP::local_port] equals 80]) } { 
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP/port check" 
       node [IP::client_addr] 
       snat automap 
    } 
 }

Aaron

jasonc_40913 · Answer

Thanks a lot Aaron! 
&nbsp; The rule works great and the user is extremely happy with that! 
&nbsp;  
&nbsp; I have learned a lot here too~~ 
&nbsp;  
&nbsp; Thanks again!

hooleylist · Answer

Great.  Glad it's working for you. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Route Back to the Original Server through VIP

5 Replies

Recent Discussions

Maximum throughput of f5 ltm

iRule cookie persistence and pool redirect

redirect not working

Access azure app service using f5 LTM

Reliable resources for identifying IP addresses

Related Content

F5 Distributed Cloud Origin Server Subset Rules

Change original source IP to random in ASM logs

Four score and seven years ago... a laptop origin story 📖‌

Request POST Header Rewrite of Origin and Referer

Create an HTTPS Origin based on public FQDN for VoltMesh