Forum Discussion

mr_evil_116524
Sep 20, 2013

Question about vLAN isolation iRule

I have a simple iRule as follows:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals x.x.x.x/xx] } {
            # Uncomment the line below to turn on logging.
            # log local0. "access not allowed: [IP::local_addr]:[TCP::local_port] - reject traffic"
            reject
        } else {
            # SNAT using this source address pool
            snatpool pool_1
            log local0. "SNATed, [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
        }
    }

So the idea above is that if you belong to a subnet you will NOT be able to talk to the other VLAN. This rule does work, but I don't know why, for some reason, F5 is allowing ICMP to pass through between VLANs, while if I try to, say, telnet to port 3389 or 22 from VLAN Y to VLAN W it doesn't work (this is what I expect).

 

Does anyone know why ICMP is allowed through even though the rule says to reject, or does ICMP require an extra bit of code to be added?

 

Do note that this iRule is applied to a forwarding VS where the source is 0.0.0.0/0 and the destination is also 0.0.0.0/0.
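An added example, not the poster's iRule: the same subnet check written so that the IP protocol is handled explicitly, so an ICMP flow is logged and dropped by the same branch that rejects TCP/UDP, and no TCP:: command is evaluated on a non-TCP flow (which would raise a Tcl runtime error). It assumes a forwarding virtual server with "* All Protocols" on which CLIENT_ACCEPTED fires for every new flow, and uses 10.10.20.0/24 as a placeholder for the isolated subnet.

```tcl
# Added example (not from the original post). Assumes CLIENT_ACCEPTED fires
# for every new flow on a forwarding VS with protocol "* All Protocols".
# 10.10.20.0/24 is a placeholder for the isolated VLAN's subnet; pool_1 is the
# SNAT pool named in the post.
when CLIENT_ACCEPTED {
    set proto [IP::protocol]   ;# 1 = ICMP, 6 = TCP, 17 = UDP

    # TCP::/UDP:: commands are only valid on flows of that protocol, so build
    # the port description first and never touch them on an ICMP flow.
    switch $proto {
        6       { set ports "[TCP::client_port] -> [TCP::local_port]" }
        17      { set ports "[UDP::client_port] -> [UDP::local_port]" }
        default { set ports "proto $proto" }
    }

    if { [IP::addr [IP::local_addr] equals 10.10.20.0/24] } {
        # Destination is inside the isolated subnet: block regardless of protocol.
        if { $proto == 6 || $proto == 17 } {
            log local0. "access not allowed: [IP::client_addr] -> [IP::local_addr] $ports - reject"
            reject
        } else {
            # reject is meaningless for ICMP and other protocols; drop silently.
            log local0. "access not allowed: [IP::client_addr] -> [IP::local_addr] $ports - drop"
            drop
        }
    } else {
        # Everything else is allowed and source-NATed out of pool_1.
        snatpool pool_1
        log local0. "SNATed via pool_1: [IP::client_addr] -> [IP::local_addr] $ports"
    }
}
```

Whether the log line appears for ICMP at all is the quickest way to tell if the event is firing for those flows on a given software version; a tcpdump on the far-side VLAN, as suggested in the replies, confirms what actually leaves the box.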

 

5 Replies

  • Perhaps this article can help

     

    https://devcentral.f5.com/questions/block-icmp-for-virtual-serversas

     

    -=Bhattman=-

     

  • Can you prove by tcpdump the ICMP is passed through to the other VLAN?

     

    Is it SNATed? Depending on the S/W version there may be different behaviour for so-called default SNATs.

     

    Personally, I try to avoid them and use SNAT pools or SNAT AutoMap in combination with virtual server configuration. What S/W version are you running?

     

  • Hello All,

     

    It appears this is an issue with version 11.3.xx. I have upgraded to version 11.4.1 and I can see the iRule is working as expected, and it does not allow ICMP traffic to flow from VLAN A to VLAN B.

     

    Thanks