Forum Discussion

sstafford
Dec 15, 2009

iRules and Internet connections for servers with non-routable IP addresses

Hi all,

I have a situation I'm trying to address via an iRule on the BigIP, and wanted to see what you think.

We have an internal vlan routed by an F5 that consists of private, non-routable ip addresses, for servers that don't need to reach out beyond the campus network. We have a number of servers in that vlan that are not load-balanced at present--they need to be in that vlan as they use multicast to communicate with servers in the vlan that are load-balanced. When they do need to reach out to other servers on campus, communications flow through a wildcard virtual server, as do incoming connections from campus servers. When this was originally set up, we told the customers' developers to test the setup and make sure everything they needed worked--which of course they failed to do.

It turns out that every so often, applications on these servers initiate a connection out to the Internet and download some inventory information--a function which is now broken. FYI, though it does not matter at present--the return connection is apt to come in on any port.

I think I can address this for each of the servers by putting them in a pool and setting up an iRule based on the destination ip address of the outgoing connection from the servers in the internal vlan--campus ip addresses are sent to the wildcard router, and outside ip addresses are sent to a virtual server on the external vlan, SNAT'ed to a public IP, and sent out to the internet.

What I'm asking you all is--is that possible? What else might I need to set up for this to work?

Thanks,

6 Replies

  • Which protocols are the servers using when acting as clients and originating connections to the internet? Is it active FTP or another protocol where the server tries to originate a connection?

    If not, I'd think you could use a forwarding network virtual server enabled only on their VLAN with SNAT automap enabled. The servers or any other host on that VLAN would then be able to originate connections out to any outbound VLAN using the floating self IP on the egress VLAN.

    Aaron
  • We've just run across this, but there are a number of protocols that the servers in question use. Off the top of my head there will be FTP, HTTP, HTTPS, Oracle and MySQL, just for starters--not all from the same server. The servers in question are already using a forwarding network virtual server for campus connections, which for various reasons can't be SNATed.

    I keep referring to forwarding network virtual servers as wildcard servers, since that's how they were introduced to me--apologies.
  • You'll need something between the servers (acting as clients) and the internet to perform source address translation. Is the existing VIP defined as 0.0.0.0:0? Could you use the existing forwarding network VIP, but use an iRule to selectively enable SNAT for non-local subnets (or disable SNAT for local subnets)?

    To support active FTP, you'll need to configure a custom FTP-only 0.0.0.0 VIP.

    Aaron
  • The existing VIP is defined as 0.0.0.0:0, so that's what I'm trying at the moment, assuming that IP::remote_addr contains the destination IP address. There's an example from the architecting class that I'm trying to modify.

          when CLIENT_ACCEPTED {
              # check to see if client ip is in the class
              if { [matchclass [IP::client_addr] equals $::PrivateOnCampus] } {
                  # Check to see if the remote_addr is in the class
                  if { [matchclass [IP::remote_addr] equals $::OffCampusServers] } {
                      # if both of the above are correct, snat it
                      snat 152.xxx.xxx.xxx
                  } else {
                      # if no match forward without address rewrite.
                      forward
                  }
              }
          }

    I've replaced the snat and forward statements above with logging statements, so I can see first what the traffic looks like.
  • Ok, think I've got it.

     when CLIENT_ACCEPTED {
         # check to see if client ip is in the class
         if { [matchclass [IP::client_addr] equals $::privateOnCampus] } {
             # Check to see if the remote ip is in the class
             # Since this is an outgoing connection, it will use IP::local_addr
             if { [matchclass [IP::local_addr] equals $::offCampusServers] } {
                 # if both of the above are correct, log it, and snat it
                 log local0. "Match [IP::client_addr] server [IP::local_addr]"
                 snat 152.19.240.2
             } else {
                 # if no match forward without address rewrite.
                 forward
             }
         }
     }
  • Yep, that should be fine. You shouldn't need to specify forward as that's what the VIP will do. You can just remove the else clause. But it doesn't hurt anything to have it in the rule.

    Aaron