Forum Discussion

JRahm (Admin)
Oct 27, 2006

GTM Intercept bypass?

Our DNS servers are sitting in a bridged vlan behind the GTM so I can intercept the DNS queries heading to the DNS server. Is it possible to disable this functionality based on source IP address on a DNS_REQUEST/DNS_RESPONSE event? I'd like to pass all queries from internal resources back to the name server so it can hand out the internal addresses. The wideip is configured to hand out the external addresses. Or perhaps the wideip can hand out the nat address for internal requests and the public address for external requests. Thanks for any advice.

6 Replies

  • Deb_Allen_18
    Historic F5 Account
    Rather than an iRule, you can use GTM's "Topology" LB method to hand out different answers based on source IP:

    https://tech.f5.com/home/bigipgtm/manuals/bigipgtm9_2_2/BIG-IP_9_2_2GTM_Guide-10-1.htmlwp999882

    HTH

    /deb
  • Most likely it's my ignorance, but I fail to see how a topology record will change the IP address of the virtual server address it is handing out. My pool members for wideip www.myurl.com are:

        vs {
          name "poc2_myurl-http"
          address 10.10.1.150:80 // http
          monitor "custom_bigip"
          translates to 10.10.2.150:0
        }

        vs {
          name "poc2_myurl-http"
          address 10.20.1.150:80 // http
          monitor "custom_bigip"
          translates to 10.20.2.150:0
        }

    Creating a topology record will select one of these two records, and I will need to make sure the local server is returned, but either selection will return the address, not the translated address. The address is unknown to the internal servers; it must get a resolution for the translated address. The *real* DNS server sitting behind the GTM has views configured that hand out the correct address based on source IP. GTM can also do this, but I don't want to manage internal DNS functions, I want to pass them to the name server. Most will, because I am only listening for our GSLB URLs, but there is an internal need to request that URL as well, and the public address is not useful to the requesting devices. I am hopeful that I can do something like:

        when DNS_REQUEST {
          if { [IP::client_addr] equals "x.x.x.x" } {
            # placeholder for "hand this query back to the real name server";
            # not an actual iRule command, just the intent
            release_request_to_nameserver
          }
        }

    I have never used topology, so I'm sure I am missing something there. TIA.

    Jason
  • Pete_Thornewell
    Historic F5 Account
    You could just try

        when DNS_REQUEST {
          if { [IP::client_addr] equals "x.x.x.x" } {
            forward
          }
        }
  • Deb_Allen_18
    Historic F5 Account
    Sorry Jason, I misinterpreted your question -- I didn't realize your VS were defined with public+private addresses, & assumed internal + external VS were in play here.

    I think you are right -- when you define a "private" address in GTM, its only intended use is to allow internal communication with LTM/BIG-IP where both devices are in a private network behind a firewall, and the virtuals are NAT'd elsewhere.

    (Seems like the iRule suggestion would work, but I've never used "forward" with a GTM iRule...)

    /deb
  • Wow, amazingly simple, yet very effective... kick me now.

    The forward worked perfectly:

        when DNS_REQUEST {
          if { [IP::client_addr] equals "10.x.x.x" } {
            log "Internal request, forwarding to name server"
            # pass the query through to the real name server instead of answering from the wideip
            forward
          }
        }
  • Pete_Thornewell
    Historic F5 Account
    This seems a bit of a waste of GTM's LB capabilities. You should really be able to specify that the translated addresses should be used instead of the public ones for particular source IP addresses in a rule. You could try (apologies, my TCL fu is weak so the syntax might not be correct).

        when LB_SELECTED {
          if { [IP::client_addr] equals "10.x.x.x" } {
            # the (public) address GTM selected for the wideip
            set addr [LB::server addr]
            log "Internal request"
            # swap in the matching translated (private) address
            if { $addr equals "1.2.3.4" } {
              node 10.2.3.4
            } elseif { $addr equals "1.2.3.5" } {
              node 10.2.3.5
            }
          }
        }

    if the pool members' global addresses were 1.2.3.4 and 1.2.3.5 with translation addresses 10.2.3.4 and 10.2.3.5 respectively.
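
Added example, not code from the thread or from F5: a plain-Python model of the two behaviours the replies above describe, the `forward` decision at DNS_REQUEST and the public-to-translated swap at LB_SELECTED, so the split-horizon logic can be checked offline. The internal ranges, the translation table and the client addresses are constructed. It matches the client against prefixes rather than the literal string compare the posted rules use, since `"10.x.x.x"` there stands for a whole range (in an iRule the equivalent is `IP::addr [IP::client_addr] equals 10.0.0.0/8`), it falls back to the public address when the selected server has no translation entry, and it includes the check a practitioner wants on any split view: an external client must never be handed a translated (private) address.

```python
"""Plain-Python model of the split-horizon decisions discussed in this thread.

Added illustration only: not F5 iRule code and not anything posted above.
Two approaches are modelled:
  1. DNS_REQUEST + forward: internal clients are handed to the real name server.
  2. LB_SELECTED: internal clients get the translated (private) address that
     corresponds to the public address GTM selected; everyone else gets the
     public address.
Every address, prefix and mapping below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: source ranges treated as "internal". The posted rules compare
# against the literal string "10.x.x.x"; a deployment needs a prefix match.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed: public (GTM) address -> translated (private) address, mirroring
# the 1.2.3.4 -> 10.2.3.4 pairing in the last post.
TRANSLATIONS = {
    "1.2.3.4": "10.2.3.4",
    "1.2.3.5": "10.2.3.5",
}


def is_internal(client_ip: str) -> bool:
    """Prefix match of an address against the internal ranges."""
    addr = ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_request(client_ip: str) -> str:
    """Approach 1: at DNS_REQUEST, 'forward' to the name server for internal
    clients, otherwise let 'gtm' answer from the wideip."""
    return "forward" if is_internal(client_ip) else "gtm"


def lb_selected(client_ip: str, selected_public: str) -> str:
    """Approach 2: at LB_SELECTED, return the address to place in the answer.

    Internal clients get the translated address for the public one GTM chose.
    If that public address has no translation entry, return the public address
    rather than inventing one; external clients always get the public address.
    """
    if not is_internal(client_ip):
        return selected_public
    return TRANSLATIONS.get(selected_public, selected_public)


def leaks_private(client_ip: str, answer: str) -> bool:
    """True if an external client would be handed an address from the internal
    ranges, i.e. the split view leaks private addressing."""
    return not is_internal(client_ip) and is_internal(answer)


if __name__ == "__main__":
    # Constructed sample queries: (client address, address GTM selected)
    queries = [
        ("10.1.2.3", "1.2.3.4"),
        ("192.168.5.5", "1.2.3.5"),
        ("10.1.2.3", "1.2.3.9"),
        ("203.0.113.7", "1.2.3.4"),
    ]
    for client, public in queries:
        answer = lb_selected(client, public)
        print(f"{client:>14}  DNS_REQUEST={dns_request(client):<7} "
              f"LB_SELECTED answer={answer:<10} leaks={leaks_private(client, answer)}")
```

Running it prints one line per constructed query; the external client keeps the public address on every path, and the internal client asking for a server without a translation entry gets the public address back rather than nothing.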