Forum Discussion

dragonflymr
Jun 15, 2015

irule to change source port

Hi,

I tried to find something in existing posts but failed. My issue is how to change the source port of a client-side connection:

  • VS is accepting responses from the www server (so from port 80) on internal (wildcard VS, no address and port translation)
  • Source port (80) should be changed to some other port on the external VLAN

www server to VS

IP_WWW:80->IPClient_high_port (entering LTM on internal)

VSSNAT:99->IPClient_high_port (leaving LTM on external)

so src port changed from 80 to 99

Piotr

 

16 Replies

  • giltjr

    Are you sure the source port is 80? Normally port 80 is the target port (that is, destination) for http traffic and the source port is a random high port.

  • Yes, I am sure. This is a kind of nPath config where the connection is entering the DC via one BIG-IP cluster and leaving via another. Each cluster is seeing just half of the connection. I am trying to find a solution for the situation when the entry cluster is using a VS with port translation, so the VS is listening on port 80 but pool members on, for example, 8080. Then the connection leaving the DC via the other cluster is sourced from a different port than was the target for the entering connection - in the end the connection is reset because of the port mismatch. I need to intercept leaving packets (via wildcard or other VS) and translate the source port back to 80. I figured out address translation using a SNAT pool but I am stuck with the source port.

    Piotr

  • i think you have to create 2 virtual servers; one for request and the other one for response. each virtual server uses a profile with immediate timeout (stateless) because if it is not stateless, the response will not hit the response virtual server (it will hit the existing connection entry in the connection table), so you cannot control the source port.

    to change source port, you may try the snat command but please note that the source port you want may not be available on that tmm depending on the disaggregation method the system uses, e.g. source port xor destination port.

    snat

    https://devcentral.f5.com/wiki/iRules.snat.ashx

    • nitass
      sorry i forgot. since profile idle timeout is immediate, it seems you can use whatever port you want.
  • @nitass, I know how to do the asymmetric routing part (thanks to you :-). It is of course based on two VSs, one per cluster. I am struggling with the part related to the outgoing VS iRule. From your answer it seems that instead of configuring SNAT using VS options I should do it in an iRule using the SNAT command. I am not yet too fluent in this part, so if you can post some iRule for that I will appreciate it a lot. I doubt there will be a problem with the port already being used as this is the answer to the client call, so tuples should be different.

    Piotr

  • i do not have asymmetric routing in lab. what i am doing here is to snat to a specific port number.

    my bigip has 2 tmm. virtual server and pool member ports are 80. so, normally if the source port on the client-side is even, the server-side will be even too. this makes sure the response will hit the same tmm it is sent out from (by default, tmm is chosen by source port xor destination port).

    anyway, it seems that when profile idle timeout is immediate, i am able to use whatever source port number on the server-side (no need to be an odd or even port number like the source port on the client-side).

     configuration
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            fastl4_immediate { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        vs-index 11
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
      snat 200.200.200.88 1111
    }
    }
    
     trace
    
    [root@ve11c:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    02:34:20.455993 IP 172.28.24.1.1000 > 172.28.24.10.80: S 1290584564:1290584564(0) win 512 in slot1/tmm0 lis=
    02:34:20.456085 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1290584564:1290584564(0) win 512 out slot1/tmm0 lis=/Common/bar
    
    02:34:21.457089 IP 172.28.24.1.1001 > 172.28.24.10.80: S 1397167148:1397167148(0) win 512 in slot1/tmm1 lis=
    02:34:21.457178 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1397167148:1397167148(0) win 512 out slot1/tmm1 lis=/Common/bar
    
    02:34:22.458724 IP 172.28.24.1.1002 > 172.28.24.10.80: S 1258304707:1258304707(0) win 512 in slot1/tmm0 lis=
    02:34:22.458821 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1258304707:1258304707(0) win 512 out slot1/tmm0 lis=/Common/bar
    
    • dragonflymr
      Thanks a lot. Will test it tomorrow. Not sure yet what the importance of the timeout is but probably will find out by trial and error :-) Do you think it matters when different clusters are processing incoming and outgoing traffic? BTW, is it possible to use SNAT in the FLOW_INIT event, or maybe there is no reason or sense for that? The whole setup is created in relation to using the AFM module and implementing a firewall solution with the asymmetric routing option. Piotr
    • nitass_89166
      > Do you think it matters when different clusters are processing incoming and outgoing traffic?
      i cannot say if it is right/wrong or should/shouldn't but i think it can be done.
      > is that possible to use SNAT in FLOW_INIT event, or maybe there is no reason or sense for that?
      i do not know the reason why the snat command is not available in FLOW_INIT. if you have a good use case, you can raise a request for enhancement via a support case. :-)
    • dragonflymr
      OK, will see if it works, I did not say it won't because I did not yet have a chance to test. Thanks a lot, it's always great to have help from you! Piotr
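The tcpdump trace in the lab post above can be checked mechanically rather than by eye. This is an added Python example, not code from the thread or from F5: it parses the six SYN lines (embedded as constructed sample input copied from the trace), pairs client-side and server-side SYNs by TCP sequence number, confirms the snat rewrite to 200.200.200.88:1111, and applies the "source port xor destination port" TMM selection nitass describes to show where the server's reply would hash. Reducing that XOR modulo the TMM count (parity for two TMMs) is this example's assumption.

```python
import re

# Constructed sample input: the six SYN lines from the tcpdump trace in the post above.
TRACE = """\
02:34:20.455993 IP 172.28.24.1.1000 > 172.28.24.10.80: S 1290584564:1290584564(0) win 512 in slot1/tmm0 lis=
02:34:20.456085 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1290584564:1290584564(0) win 512 out slot1/tmm0 lis=/Common/bar
02:34:21.457089 IP 172.28.24.1.1001 > 172.28.24.10.80: S 1397167148:1397167148(0) win 512 in slot1/tmm1 lis=
02:34:21.457178 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1397167148:1397167148(0) win 512 out slot1/tmm1 lis=/Common/bar
02:34:22.458724 IP 172.28.24.1.1002 > 172.28.24.10.80: S 1258304707:1258304707(0) win 512 in slot1/tmm0 lis=
02:34:22.458821 IP 200.200.200.88.1111 > 200.200.200.101.80: S 1258304707:1258304707(0) win 512 out slot1/tmm0 lis=/Common/bar
"""

# BIG-IP tcpdump SYN line: "<time> IP <src>.<sport> > <dst>.<dport>: S <seq>:... in|out slotN/tmmM lis=..."
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"S (?P<seq>\d+):\d+\(\d+\) win \d+ (?P<dir>in|out) slot\d+/tmm(?P<tmm>\d+)"
)

def parse_trace(text):
    """Return one dict per SYN line; ports, sequence number and TMM index are ints."""
    syns = []
    for m in filter(None, map(SYN_RE.match, text.splitlines())):
        d = m.groupdict()
        for k in ("sport", "dport", "seq", "tmm"):
            d[k] = int(d[k])
        syns.append(d)
    return syns

def disaggregate(sport, dport, tmm_count):
    """Default TMM choice as described in the thread: source port XOR destination port.
    Reducing the XOR modulo the TMM count is this example's assumption (parity for 2 TMMs)."""
    return (sport ^ dport) % tmm_count

def check_snat(syns, snat_ip, snat_port, tmm_count=2):
    """Pair client-side ('in') and server-side ('out') SYNs by TCP sequence number, which
    FastL4 carries through unchanged, and report whether the SNAT rewrite and TMM affinity hold."""
    inbound = {s["seq"]: s for s in syns if s["dir"] == "in"}
    report = []
    for out in (s for s in syns if s["dir"] == "out"):
        client = inbound.get(out["seq"])
        if client is None:
            continue  # server-side SYN with no client-side SYN in the capture
        report.append({
            "client_sport": client["sport"],
            "snat_ok": out["src"] == snat_ip and out["sport"] == snat_port,
            "same_tmm": client["tmm"] == out["tmm"],
            # where the server's reply (src 80, dst = SNAT port) lands by the default hash
            "reply_tmm": disaggregate(out["sport"], out["dport"], tmm_count),
        })
    return report
```

Flows from client ports 1000 and 1002 were handled on tmm0, yet their replies (1111 xor 80 is odd) hash to tmm1; that is the mismatch nitass's immediate-timeout profile sidesteps.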
  • @nitass, Thanks a lot for help with the iRule, working like a charm :-)

    I just figured out that I am not sure what you meant by:

    "sorry i forgot. since profile idle timeout is immediate, it seems you can use whatever port you want" - you mean fastL4 Idle Timeout? I changed it to 51 (I think it was advised in some SOL for TCP - or maybe UDP - have to check it). Anyway it's not immediate but the whole setup still seems to be working without problem.

    Piotr