iRule to disallow access to a resource based on IP address
Hi All,
We have hundreds of laptops distributed with the F5 Edge client installed. Unfortunately, we cannot find a way to lock down the options to "Disconnect, Auto-Connect, and Connect". No matter how much we tell our folks to leave the setting at "Auto-Connect", they change it to "Connect". This results in a good percentage of our users connecting to our VPN even when physically connected to our network. This causes the end users problems, but my biggest concern is that they are chewing up addresses from our pool.
Since we can't seem to get the message through to leave the settings alone, I would like to just block all access to the VPN based on subnet.
Basically, I am wondering if, by using an iRule, I can check their subnet before assigning them to the VPN. If they are on our subnet (we have a class B, so it's pretty easy to block access), I'd like to direct them to a web page telling them to change the setting on the Edge client to "Auto-Connect" and reboot.
I am really not familiar with iRule syntax, but I found a rule which looks like what I need with a bit of tweaking:
    when CLIENT_ACCEPTED {
        # matchclass tests the client IP against the data group allowed_subnets_class
        if { not ([matchclass [IP::client_addr] equals allowed_subnets_class]) } {
            drop
        }
    }
This seems to check an address against a list of allowed addresses. I'd like to check against a disallowed subnet. If they are not on the disallowed subnet, then they get the VPN resource. If they are on the subnet they get redirected to a web page and their session is terminated.
Would this be possible?
Thanks,
-John
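The check described in the post, inverted so that the data group lists the disallowed (on-net) range rather than the allowed one, as an added example; it is not code from the original post. It assumes an address-type data group named internal_subnets holding the corporate range (172.16.0.0/16 stands in for the real class B), and an instruction page at https://intranet.example.com/vpn-autoconnect.html; both are placeholders. The iRule would be attached to the APM virtual server that the Edge client connects to.

```tcl
# Added example, not from the original post.
# Assumptions (placeholders):
#   - address-type data group "internal_subnets" containing the corporate
#     range, e.g. 172.16.0.0/16
#   - an informational page at https://intranet.example.com/vpn-autoconnect.html

when HTTP_REQUEST {
    # Only clients already on the corporate subnet are turned away; everyone
    # else falls through to the APM access policy and gets the VPN as before.
    if { [class match [IP::client_addr] equals internal_subnets] } {
        log local0. "VPN request from on-net address [IP::client_addr], redirecting"
        HTTP::redirect "https://intranet.example.com/vpn-autoconnect.html"
        return
    }
}

when ACCESS_SESSION_STARTED {
    # Safety net: if an on-net client still ends up with an APM session,
    # remove it so it never receives an address from the lease pool.
    if { [class match [IP::client_addr] equals internal_subnets] } {
        log local0. "Removing APM session for on-net address [IP::client_addr]"
        ACCESS::session remove
    }
}
```

Two caveats: `class match` is the current form of the deprecated `matchclass` used in the rule quoted above, and the Edge client itself will not render the redirect page, so an on-net user simply sees the connection fail (the redirect is visible when someone tests through a browser). Checking the local0 log entries confirms which addresses are being turned away before the rule is left in place.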