Forum Discussion

John_T__Morgan_
Oct 27, 2017

IRule to disallow access to a resource based on IP address

Hi All,

We have hundreds of laptops distributed with the f5 Edge client installed. Unfortunately, we cannot find a way to lock down the options to "Disconnect, Auto-Connect, and Connect". No matter how much we tell our folks to leave the setting at "Auto-Connect" they change it to Connect. This results in a good percentage of our users connecting to our VPN even when physically connected to our network. This causes the end users problems, but my biggest concern is they are chewing up addresses from our pool.

Since we can't seem to get the message through to leave the settings alone, I would like to just block all access to the VPN based on subnet.

Basically, I am wondering if by using an iRule I can check their subnet before assigning them to the VPN. If they are on our subnet (we have a class B, so it's pretty easy to block access), I'd like to direct them to a web page telling them to change the setting on the Edge client to Auto-Connect and reboot.

I am really not familiar with iRule syntax, but I found a rule which looks like what I need with a bit of tweaking:

    when CLIENT_ACCEPTED {
        if { not ([matchclass [IP::client_addr] equals allowed_subnets_class]) } {
            drop
        }
    }

This seems to check an address against a list of allowed addresses. I'd like to check against a disallowed subnet. If they are not on the disallowed subnet, then they get the VPN resource. If they are on the subnet they get redirected to a web page and their session is terminated.

Would this be possible?

Thanks,

-John


5 Replies

  • Is it just one subnet that you want to block access from? If so, a data group is unnecessary. Usually data groups are used when you have more than about a dozen comparisons to make; otherwise an IF or SWITCH statement is usually sufficient. If using data groups, you are better off using the CLASS command rather than MATCHCLASS, which is deprecated (although still allowed to support older iRules).

    If just checking against one subnet, you could use the IP::addr command to test the client's IP address against the "bad" subnet:

    if { [IP::addr [IP::client_addr] equals "10.10.0.0/16"] } {
        # client is on the disallowed subnet: redirect, reject, or log here
    }
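Putting the reply's suggestion together with what the original post asked for, here is an added example iRule (Tcl); it is not code from this thread. It assumes an address-type data group named `disallowed_subnets` holding the internal ranges and a placeholder instructions page at `https://vpnhelp.example.com/`.

```tcl
# Added example, not from the thread. Assumed names: the address data group
# "disallowed_subnets" and the redirect URL are placeholders to replace.
when CLIENT_ACCEPTED {
    # Decide once per TCP connection whether the client is on the internal network.
    # For a single range the reply's form works too:
    #   [IP::addr [IP::client_addr] equals 10.10.0.0/16]
    # class match against an address data group handles a list of subnets.
    if { [class match [IP::client_addr] equals disallowed_subnets] } {
        set on_internal_net 1
        log local0. "Edge client [IP::client_addr] connected from an internal subnet"
    } else {
        set on_internal_net 0
    }
}

when HTTP_REQUEST {
    # Internal clients are sent to the instructions page instead of starting a
    # VPN session, so they never draw an address from the pool.
    if { $on_internal_net } {
        HTTP::redirect "https://vpnhelp.example.com/set-auto-connect"
        return
    }
}
```

The connection-scoped variable set in CLIENT_ACCEPTED is what HTTP_REQUEST reads, so the subnet test runs once per connection rather than per request.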
    
  • Thanks very much for the response. I wish I was a little more conversant in iRule syntax. Basically I have to search for something similar and torture it to be what I want.

    I am going to take the liberty to ask a follow-up question. Can I use an iRule as a decision point somewhere in the access policy?

    For example, we have an access policy which checks for various things (domain of the machine, presence of a certificate, AD group membership, etc.). Once all the conditions have been satisfied, the VPN resource is granted. I would like to add this iRule right before the VPN is granted and deny if they are on the disallowed network. The reason I need to add it at that point is that during the previous checks we have other outcomes if they fail. For example, if they are not in the correct AD group, they will just get diverted to a Citrix session, and for that we don't care if they are on our network or not since getting a Citrix session does not use an IP address.

    So I don't want to block access entirely, just when they have gotten to the point where they get the VPN.

  • You know what? I am absolutely overcomplicating this. I don't need an iRule at all, just a simple subnet match rule in the policy.

    I think I just tried to build a spaceship to go to the corner store.

    -John

  • Yep! Lots of other ways to do this than an iRule. But sometimes the spaceship is the most fun! ;-)

  • SPaCeSHiP! ~ (Lego movie reference)

    I agree though, the spaceship can be the most fun. Sometimes, in the end, after writing an opus you end up with three lines. It's the journey...