Redirect to DMZ instead to Internet for a specific website

Question

Hi Guys,&nbsp;
I a thinking of creating an iRule that would direct the user traffic to DMZ instead of going to the internet for a specific website (company portal). LTM is configured with 3 VLANS (dmz, internet and user)&nbsp;
 &nbsp;
when HTTP_REQUEST {&nbsp;
company portal is accessible both public and local &nbsp;
if { [HTTP::host] eq "www.portal.com" } {&nbsp;
pool DMZ_Pool }&nbsp;
if not, traffic will go to the internet via default pool of VS&nbsp;
}&nbsp;
I haven't tried this but would there be an issue since DNS will see the website address as public ip but it will be routed to local server?&nbsp;
 &nbsp;
Any suggestion to do this? I have seen something like DNS_REQUEST but not sure of to use it&nbsp;
thanks&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
 &nbsp;

what_lies_bene1 · Answer

OK, so is this internal users going outbound? The clients resolve the IP via DNS (is the IP a public IP?) and the traffic hits the F5 on the user VLAN yes? 
&nbsp;  
&nbsp; What's the Virtual Server setup? 
&nbsp;  &nbsp;

jake_macabuag_4 · Answer

yes, internal users going outbound hitting the F5. the DNS is public ip since users are accessing it also on the outside. The reason for doing this so that LAN users don't have to use a different URL whenever they access the site, whether inside or outside the office. They will just use one URL and it will be F5 who does the controlling&nbsp;
&nbsp;
vs_outbound something like 0.0.0.0:any&nbsp;
pool default_gateway_pool (going to internet)&nbsp;
vlan listening on both user_vlan and dmz_vlan&nbsp;
snat automap&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
vs_portal 121.x.x.x:80&nbsp;
pool webportal (going to DMZ)&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
 &nbsp;

what_lies_bene1 · Answer

OK, thanks. The iRule won't work if the Virtual Server type is anything other than Standard, which I suspect yours is not, it'll also require a HTTP Profile to be assigned. 
&nbsp;  
&nbsp; You have a couple of options I think; 
&nbsp; 1) Change your internal DNS (assuming it's separate to the external) to point to a new Virtual Server with some sort of valid internal address, that points to the DMZ servers 
&nbsp; 2) Create a separate Virtual Server using the public IP, enable it only on the user VLAN, assign your pool of DMZ servers. I know this sounds like it won't but it will work. VS IPs do not need to be tied to Self IPs/physical interfaces in any way, as long as the client requests are routed to the F5 (rather than the client ARPing).

what_lies_bene1 · Answer

In either case, no need for an iRule (or even the HTTP Profile).

jake_macabuag_4 · Answer

i have additional virtual server 0.0.0.0:80 (standard) using http profile. i map the irule but havent tested it yet.  
&nbsp;  
&nbsp; regarding your suggestion 2. I have been thinking about that and thanks for clarifying that it not be tied to the subnet of selfip/vlan. I'll try this one 
&nbsp;  
&nbsp; many thanks

Forum Discussion

Redirect to DMZ instead to Internet for a specific website

7 Replies

Recent Discussions

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

irule to Redirect client from specific Public IP to a specific node

Protect an application exposed on Internet with F5 XC WAAP

Anchor Link Redirect

F5 APM VPN Choking Internet Bandwidth

find specific SNMP OID