Forum Discussion

Piotr_Lewandows
May 31, 2016

VIP targeting VIP, preserve src and dst IP

Hi,

 

I tried everything and nothing worked :-(. I am running out of ideas, so either I am doing something wrong or what I need is not possible.

 

The idea is to have a setup like this:

 

client -> explicit forward proxy type VS -> ForwardIP type VS -> target server

 

I tried plenty of combinations to pass traffic from the forward proxy VS to the ForwardIP VS but all failed - virtual, nexthop with snat none, translate addr disable etc.

 

I need to pass traffic, after the forward proxy VS resolves the destination server from the proxy request, to the ForwardIP VS. This is my idea for being able to use AFM rules to enforce limitations on src IP:port and dst IP:port (L4 rules).

 

I know that it's possible to use APM ACLs but this is not a very elegant or admin-friendly solution :-(

 

Everything fails when I try to pass traffic to the ForwardIP VS.

 

When the virtual command is used, the dst IP is changed to the ForwardIP VS address or (when a wildcard VS is used) to nothing. But at least traffic is reaching the ForwardIP VS.

 

When nexthop is used, traffic never reaches the ForwardIP VS.

 

When nexthop is used with a tunnel specified (tcp-forward type, on which the ForwardIP VS is enabled), I immediately get a port exhaustion message in the LTM log.

 

Is there any way to achieve what I need, or is it plain impossible?

 

Piotr

 

3 Replies

  • Hello Piotr, I think we have a current limitation for this: BUG 453354: "http explicit proxy doesn't work when target is VIP on same box". There may be a workaround with an iRule. I'll test it and will update you.

     

  • Hi,

     

    Thanks for the info. Not very good news.

     

    Let's assume that I set up a VS without a proxy profile and then extract the URL from the request using HTTP::uri, then disable the HTTP profile using HTTP::disable (or use a VS without an HTTP profile at all and use TCP::collect / TCP::payload to retrieve the target URL).

     

    Then I can use RESOLV::lookup to retrieve the IP of the server in the URL (which is in fact what the HTTP profile implements in Explicit mode - as far as I understand).

     

    Is there any way to somehow create a connection to the target host via an additional ForwardIP type VS?

     

    Something like:

     

    • snat none - to preserve the client IP from the proxy request (this front-end VS is used for switching connections between several other VSs on the same BIG-IP, some of which need SNAT - so SNAT is enabled in the VS config)
    • node $target_srv_ip $target_srv_port - not a node existing on the BIG-IP but the actual target server from the proxy request
    • virtual $forwardip_vs - my ForwardIP VS defined on the BIG-IP

    Do you think it should work in such a way that the ForwardIP type VS will receive a TCP connection with:

     

    • src IP - IP of the client sending the proxy request
    • dst IP:port - IP and port extracted from the URL inside the proxy request sent by the client

    Piotr

     

  • Hi Piotr,

    I just stumbled over this question and got an idea of how this can be solved...

    You could use the sharedvar command to store IP parameters on the front-ending VS and pass them to a back-ending VS in a VIP-targeting-VIP setup. Those variables could then be used for snat and node selection on the back-ending VS.

    https://devcentral.f5.com/wiki/iRules.sharedvar.ashx

    Cheers, Kai
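The following is an added example (written for this page, not code posted in the thread and not an F5-supplied solution) that puts Piotr's plan and Kai's sharedvar suggestion together as a pair of iRules: the front-end VS resolves the target from the proxy-style request and hands the connection to a ForwardIP VS together with the original client IP and the resolved dst IP:port, so that AFM L4 rules on the ForwardIP VS see the real src and dst addresses. The virtual server names (vs_proxy_frontend, vs_forwardip), the resolver address 192.0.2.53, and the 502 fallback are assumptions; the example has not been tested against the BUG 453354 limitation mentioned above, and it assumes the front-end VS has an HTTP profile but no explicit-proxy profile, so the absolute-form request line passes through to the origin server unchanged (which HTTP/1.1 servers are required to accept).

```tcl
# --- iRule attached to the front-end VS (assumed name: vs_proxy_frontend) ---
# Assumed: a standard TCP VS with an HTTP profile and no explicit-proxy profile,
# so the client's proxy request ("GET http://host:port/path HTTP/1.1") is
# handled like a normal HTTP request and HTTP::uri returns the absolute URI.
when CLIENT_ACCEPTED {
    # Declare the variables that will be visible on the VS targeted by "virtual".
    # The same sharedvar declaration must appear in the back-end VS's iRule.
    sharedvar client_ip target_ip target_port
}

when HTTP_REQUEST {
    set uri [HTTP::uri]

    # Extract host and port from the absolute URI of the proxy request.
    set target_host [URI::host $uri]
    set target_port [URI::port $uri]

    # Relative request line (not a proxy-style request): fall back to the Host header,
    # stripping any ":port" suffix.
    if { $target_host eq "" } {
        set target_host [lindex [split [HTTP::host] ":"] 0]
    }
    if { $target_port eq "" || $target_port == 0 } {
        set target_port 80
    }

    # Resolve the name ourselves; this is the step the explicit-proxy profile would
    # normally do. 192.0.2.53 is an assumed internal resolver, replace as appropriate.
    # RESOLV::lookup returns a list of addresses; take the first one.
    set target_ip [lindex [RESOLV::lookup @192.0.2.53 -a $target_host] 0]
    if { $target_ip eq "" } {
        # Assumed error handling: answer the client directly instead of forwarding.
        HTTP::respond 502 content "Cannot resolve $target_host"
        return
    }

    # Remember the real client address for the back-end VS.
    set client_ip [IP::client_addr]

    # Hand the connection to the ForwardIP VS; the shared variables travel with it.
    virtual vs_forwardip
}

# --- iRule attached to the back-end ForwardIP VS (assumed name: vs_forwardip) ---
when CLIENT_ACCEPTED {
    # Same declaration as on the front-end VS, so the values set there are visible here.
    sharedvar client_ip target_ip target_port

    # Preserve the original client IP as the source address: this VS is where
    # AFM L4 rules are meant to see the real src IP:port and dst IP:port.
    # (If this VS must SNAT for other connections, the variables could instead
    # drive a per-connection "snat <address>" decision here.)
    snat none

    # Connect to the server taken from the proxy request rather than to a pool member.
    node $target_ip $target_port

    log local0. "forwardip: $client_ip -> $target_ip:$target_port"
}
```

The log line is there only to confirm on the back-end VS that the shared values arrived as expected; it is the first thing to check if the connection never reaches the origin, since a missing sharedvar declaration on either side leaves the variables undefined on the back-end VS.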