What am I doing wrong with this network configuration for KVM (F5 virtual edition)
Hello, I have been trying to set up an F5 lab using KVM on Debian. I currently have the following network configuration (/etc/network/interfaces - see output pasted at end of post) although whenever I go to create the VM in KVM, only one tap is associated with the bridge (trying to use the taps for management, external, and internal interfaces on the F5 VM). (see screenshot at end of post)

Would anyone have any suggestions for configuring networking properly for this setup? I'm open to anything at this point in time. Thanks for your help.

    source /etc/network/interfaces.d/*

    auto lo
    iface lo inet loopback

    allow-hotplug eth0
    iface eth0 inet dhcp
    iface eth0 inet6 auto

    auto br0
    iface br0 inet dhcp
        pre-up ip tuntap add dev tap0 mode tap user root
        pre-up ip tuntap add dev tap1 mode tap user root
        pre-up ip tuntap add dev tap2 mode tap user root
        pre-up ip link set tap0 up
        pre-up ip link set tap1 up
        pre-up ip link set tap2 up
        bridge_ports all tap0 tap1 tap2
        bridge_stp off
        bridge_maxwait 0
        bridge_fd 0
        post-down ip link set tap0 down
        post-down ip link set tap1 down
        post-down ip link set tap2 down
        post-down ip tuntap del dev tap0 mode tap
        post-down ip tuntap del dev tap1 mode tap
        post-down ip tuntap del dev tap2 mode tap

259 Views, 0 likes, 1 Comment

Created new vcmp guest with initial image 11.5.1, but sys software shows version 11.4.1
Hi, I just created a new vcmp guest using the initial image BIGIP-11.5.1.0.0.110.iso. After provisioning and deployment, from the Hypervisor dashboard I see that the initial image and hotfix are correctly applied. However, from the CLI tmsh, the output is different. How is this possible? What am I missing?

    [root@lb2-a-vm9:/S2-green-P:Active:Standalone] log tmsh
    root@(lb2-a-vm9)(cfg-sync Standalone)(/S2-green-P:Active)(/Common)(tmos) show sys software
    -------------------------------------------------------
    Sys::Software Status
    Volume  Slot  Product  Version  Build  Active    Status
    -------------------------------------------------------
    HD1.1      2   BIG-IP   11.4.1  647.0     yes  complete
    HD1.2      2     none     none   none      no  complete
    HD1.3      2     none     none   none      no  complete

Below is a snapshot of the Hypervisor vcmp guest showing the image:

370 Views, 0 likes, 6 Comments

Reverse proxy using DNS resolution?
I’m looking for options to create Virt (+iRule) on F5 that can process incoming connections with the following logic:

- Resolve destination host of the request using specified DNS server
- Proxy request to result server (if DNS query were successful)

Nginx configuration of that logic (works currently) looks like this:

    server {
        listen 80;
        server_name _;
        location / {
            resolver ;
            proxy_pass http://$host:$request_uri;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Server;
        }
    }

This configuration, coupled with a wildcard domain record, gives a nice, quick way to create a Public Access Endpoint to some dynamic cloud boxes…

    blabla1.publicdomain.com
    blabla2.publicdomain.com

- *.publicdomain.com - public DNS record pointing to the VIP
- blabla1/blabla2 - gets resolved on private DNS (which gets updated during VM creation)

209 Views, 0 likes, 1 Comment

BIGIP LTM VE qcow2 image - Shared directory too small for upgrade
We are in the process of migrating our servers from BIGIP 11.3 to 11.6. I am trying a test upgrade with the BIGIP-11.3.0.39.0.qcow2 image. However, the /shared directory is too small to hold the 11.6 image (over 1GB) for the upgrade procedure.

    [root@localhost:Active:Standalone] config df -h
    Filesystem                             Size  Used Avail Use% Mounted on
    /dev/mapper/vg--db--hda-set.1.root     380M  187M  174M  52% /
    /dev/mapper/vg--db--hda-set.1._config  477M   15M  438M   4% /config
    /dev/mapper/vg--db--hda-set.1._usr     2.2G  1.4G  746M  65% /usr
    /dev/mapper/vg--db--hda-set.1._var     477M  160M  293M  36% /var
    /dev/mapper/vg--db--hda-dat.share.1    485M   37M  423M   9% /shared
    /dev/mapper/vg--db--hda-dat.log.1      485M   28M  432M   6% /var/log
    none                                   502M  708K  501M   1% /dev/shm
    none                                   502M  4.9M  497M   1% /var/tmstat
    none                                   502M  1.3M  501M   1% /var/run
    prompt                                 4.0M   28K  4.0M   1% /var/prompt

Can anyone tell me how to increase the /shared directory? From 11.5 the tmsh modify sys disk directory command is available, but I haven't found anything for 11.3.

Thanks for any help you can offer.

Steve

374 Views, 0 likes, 1 Comment

UDP Payload replace destination IP with iRules
Hi Community,

I want to ask you if it is possible to replace the destination IP of the UDP payload. I think that it might be like this:

    scan [IP::local_addr] "%d.%d.%d.%d" a b c d
    set ww [IP::local_addr] "1.1.$c.$d"
    set xx [binary format c4 $ww]
    UDP::payload replace 0 0 $xx

375 Views, 0 likes, 14 Comments

Automatic Licensing via Proxy
Hi all. Is this actually possible? I'm trying to license automatically (via API) and despite setting this;

    tmsh modify sys db proxy.host value hostname 'host_name'
    tmsh modify sys db proxy.port value port_number 8080

and doing this in bash;

    export http_proxy=/">/
    export https_proxy=/">/

I'm not getting anywhere. Initially DNS lookup was failing (shouldn't be used via a proxy right). To fix that I did this;

    modify sys global-settings remote-host add { activate.f5.com { addr 208.85.210.4 hostname activate.f5.com } }

I now don't see errors of any kind in /var/log/ltm but a tcpdump filtering on the proxy and 208.85.210.4 address doesn't produce any output. Am I missing something?

1.1K Views, 0 likes, 11 Comments

blocking port 80 with a policy at the global level not working
Hi, I am trying to block port 80 on BIG-IP AFM using the following rule. But for some reason it's not getting hit.

    curl -sk -u admin:admin https://192.168.6.158/mgmt/tm/security/firewall/policy/ocpolicy/rules -H 'Content-Type: application/json' -X POST -d '{"name": "dport80","action": "drop","ipProtocol": "tcp","place-before": "first","destination": {},"source": {"ports": [{"name": "80"}]}}'

If I apply a rule saying block tcp protocol it just works fine.

    curl -sk -u admin:admin https://192.168.6.158/mgmt/tm/security/firewall/policy/ocpolicy/rules -H 'Content-Type: application/json' -X POST -d '{ "name":"dtcp","action":"drop","ipProtocol":"tcp","place-before":"first","destination":{},"source":{}}'

I am using the BIG-IP in an L2 bridge mode. I have 2 vlans and created a vlan group and added a self IP to the vlan group.

296 Views, 0 likes, 1 Comment

Cannot rewrite response.redirect using iRules
Hello all

Overview: In a hosted environment, the edge is controlled by the Hosting company F5. This F5 terminates HTTPS and forwards HTTP to our virtual F5. This is running 11.6. Only HTTPS is allowed on the edge.

For the incoming request, we rewrite the hostname as the downstream server requires a specific host name binding to work. For the response, we re-write any HTML links to match the external URL and also enforce https:// on the front of the URL.

This is working, except for response.redirect. For some reason these are not getting re-written and we cannot pinpoint why these are being missed. We have tried using STREAM and HTTP::payload re-writing, but in each case the response.redirect is not rewritten. As such we can see the client attempts to connect to HTTP and this is blocked.

Here are the 2 iRules we have tried:

iRULE using STREAM

    when HTTP_REQUEST {
        # Rewrite host
        HTTP::header replace Host test.apply.site.com

        # Disable the stream filter for all requests
        STREAM::disable

        # Prevent server from sending compressed response
        HTTP::header remove "Accept-Encoding"

        # Don't allow data to be chunked
        if { [HTTP::version] eq "1.1" } {
            # Force downgrade to HTTP 1.0 but still allow keep-alive
            # Check if this is a keep alive connection
            if { [HTTP::header is_keepalive] } {
                # Replace the connection header value with "Keep-Alive"
                HTTP::header replace "Connection" "Keep-Alive"
            }
            # Set server side request to version 1.0 to force server to respond without chunking
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        log local0. "HTTP_RESPONSE_BEFORE: [HTTP::payload]"
        # Check response type is text
        if { [HTTP::header value Content-Type] contains "text" } {
            # Replace http:// with https://
            STREAM::expression {@http://@https://@}
            # Enable the stream filter for this response only
            STREAM::enable
            log local0. "HTTP_RESPONSE_AFTER: [HTTP::payload]"
        }
    }
    when STREAM_MATCHED {
        log local0. "STREAM_MATCHED: [STREAM::match]"
    }

iRULE using HTTP::payload rewrite:

    when HTTP_REQUEST {
        # Rewrite host
        HTTP::header replace Host test.apply.site.com

        # Prevent server from sending compressed response
        HTTP::header remove "Accept-Encoding"

        # Don't allow data to be chunked
        if { [HTTP::version] eq "1.1" } {
            # Force downgrade to HTTP 1.0 but still allow keep-alive
            # Check if this is a keep alive connection
            if { [HTTP::header is_keepalive] } {
                # Replace the connection header value with "Keep-Alive"
                HTTP::header replace "Connection" "Keep-Alive"
            }
            # Set server side request to version 1.0 to force server to respond without chunking
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        # Check response type is text
        if { [HTTP::header value Content-Type] contains "text" } {
            # Determine how much content to collect (no more than 1MB)
            if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                # Only collect first 1MB for response (SOL6578)
                set content_length 1048576
            }
            if { $content_length > 0 } {
                # Trigger collection of payload
                HTTP::collect $content_length
                log local0. "[IP::client_addr]:[TCP::client_port]: Collecting content: $content_length"
            }
        }
    }
    when HTTP_RESPONSE_DATA {
        log local0. "[IP::client_addr]:[TCP::client_port]: ORI Payload: [HTTP::payload]"
        # Replace http: https:
        set newdata [string map {/http:/ /https:/} [HTTP::payload]]
        log local0. "[IP::client_addr]:[TCP::client_port]: MOD Payload: [HTTP::payload]"
        HTTP::payload replace 0 $content_length $newdata
        HTTP::payload replace 0 $content_length $newdata
    }

What are we missing..? Any help would be great. Thanks in advance

220 Views, 0 likes, 2 Comments

Variable Scope in iRules
Hello

I’ve got a quick question regarding variables in iRules. I would like to set variables to use across different functions in an iRule but I am struggling to find out what I need to do to make a variable available in the scope of the entire iRule.

For example: I want to set TEST once at the top of an iRule, but if I set this like shown below, I get [command is not valid in the current scope]

    set TEST 1
    when HTTP_REQUEST {
        if { $TEST } {
            # do something
        }
    }
    when HTTP_RESPONSE {
        if { $TEST } {
            # do something
        }
    }

Thanks

306 Views, 0 likes, 3 Comments