Forum Discussion

funkdaddy_31014
Jul 05, 2017

Single Virtual Server for Multiple Ports/Protocols

We have a WebRTC Service we want to load balance and handle HTTP (and HTTPS), RTMP, as well as UDP traffic. The problem is that we need to support large ranges of ports (443 HTTPS with SSL termination, 80 for HTTP, 40000-49999 for RTMP, 50000-59999 for UDP). From my understanding, we cannot create a Virtual Server for a range of ports unless it is a "port 0" Virtual Server, and obviously we cannot create the thousands of Virtual Servers to do this on a per-port basis. For the web traffic, we need to terminate SSL as well as apply iRule logic. RTMP and UDP traffic can be forwarded on to the corresponding pool members. All traffic on other non-matched ports can be dropped.

If it is not possible to configure multiple Virtual Servers for ranges of ports, is there a way to handle all the possibilities via iRules, or perhaps using different internal Virtual Servers as pool members for the top-level Virtual Server, passing on the traffic to the secondary Virtual Server via iRule based on port range, each of which can handle the traffic according to the appropriate protocol?

Or...is there some obvious solution to this problem that I am completely overlooking?

Thanks for your time, -Funkdaddy

6 Replies

  • Ashwin_Venkat_1
    Historic F5 Account

    You are correct in that we don't have a way to create a virtual server that only listens for a certain range of ports. Ideally, you would need multiple virtual servers (one each dedicated for HTTP, HTTPS, RTMP traffic respectively). By doing so, you can have the respective SSL or HTTP profile configuration for the HTTP/S virtual servers in order for SSL termination and inspection of L7 traffic to be done for HTTP.

    With the HTTP/HTTPS virtual servers taken care of in the above manner, you can have a third one configured to listen on any port (wildcard) for which you can have an iRule configured to drop traffic if it comes in on ports other than 40000-49999. Similarly, one can be configured for the UDP virtual server (which would require a UDP profile, unlike the other 3 which would use TCP, so you'll need a dedicated virtual server for this anyway) for which you have traffic coming in on ports 50000-59999 with an iRule configured to drop traffic if it comes in on ports other than the 50000-59999 range.

    In order to create an iRule that allows for specifying a range of ports, this will be of help for you: https://support.f5.com/csp/article/K6018
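
    An added example of the port-range iRules this reply describes, one for the TCP wildcard virtual server and one for the UDP one; this is illustrative code written for this thread, not from the original post or from the K6018 article, and the pool names rtmp_pool and webrtc_udp_pool are assumptions.

```tcl
# Added example, not from the thread. These are TWO separate iRules: attach the
# first to the TCP wildcard (port 0) virtual server and the second to the UDP one.
# Pool names rtmp_pool and webrtc_udp_pool are assumptions; rename to match your config.

# --- iRule 1: TCP wildcard virtual server, RTMP on 40000-49999 ---
when CLIENT_ACCEPTED {
    set port [TCP::local_port]
    if { ($port >= 40000) and ($port <= 49999) } {
        # In range: hand the connection to the RTMP pool members.
        pool rtmp_pool
    } else {
        # Outside the range: log the attempt and silently drop the connection
        # (drop sends nothing back; use reject instead if you want a RST).
        # A wildcard listener can produce a lot of these lines during a port scan,
        # so consider removing the log line once the rule is verified.
        log local0. "TCP drop [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
        drop
    }
}

# --- iRule 2: UDP wildcard virtual server, WebRTC media on 50000-59999 ---
when CLIENT_ACCEPTED {
    set port [UDP::local_port]
    if { ($port >= 50000) and ($port <= 59999) } {
        pool webrtc_udp_pool
    } else {
        log local0. "UDP drop [IP::client_addr]:[UDP::client_port] -> [IP::local_addr]:$port"
        drop
    }
}
```

    Each virtual server still needs its own profile (TCP or UDP) as the reply notes; the iRule only narrows which destination ports on the wildcard listener are forwarded to a pool.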

    • funkdaddy_31014

      Thanks for the follow-up, that is useful.

      My understanding of the port ranges was incorrect, it appears that the traffic on 40000-49999 can be either UDP or TCP (if UDP fails, it will try TCP). I was assuming the UDP traffic would come over another range of ports. I'm not sure if this is possible to serve both protocols over the same VIP, and it doesn't seem you can match Virtual Servers based on the protocol - is there any way you know of to do this, or do we need to devise a failover scenario when UDP fails and maybe sends the client to a different Hostname/IP altogether?

      Thanks again, -Funkdaddy

    • funkdaddy_31014

      PS you mention having separate UDP and TCP Virtual Servers, but how does it know to send UDP to the UDP VS, and TCP to the TCP one? My understanding of the Virtual Server selection process is that it only relates to ports and source/dest IPs, not protocol.
