Create functional wildcard port VIP?

I’m trying to set up a virtual server such that, when it receives traffic for a port on the VIP that does not match any other VIP, it a) processes the traffic, and b) preserves the original client destination port when relaying the request to the backend servers. It looks like I want a wildcard VIP, but I couldn’t get anything working from the very minimal docs. Does anyone have an example of what I’m trying to do they’d be willing to share?

Hello, here is an example configuration below. A Wildcard VIP is used to load balance proxy servers. You can use an ACL to block any unwanted traffic from the wildcard VIP.

!

access-list 101 deny ip any 170.235.0.0 0.0.255.255 
access-list 101 deny ip any 10.0.0.0 0.0.0.127 
access-list 101 deny ip 10.32.35.240 0.0.0.7 any 

access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
!
!
slb server Proxy-0 10.0.0.100
   port 80 tcp
   port 443 tcp
!
slb server Proxy-1 10.0.0.101
   port 80 tcp
   port 443 tcp
!
!
slb service-group Proxy80 tcp
    method least-connection
    member Proxy-0:80
    member Proxy-1:80
!
slb service-group Proxy443 tcp
    method least-connection
    member Proxy-0:443
    member Proxy-1:443
!
!
slb template tcp TCP_Idle
   idle-timeout 300
   reset-fwd
   reset-rev
!
slb template persist source-ip SIP-Persist1
   match-type server
!
!
slb virtual-server VIP-Proxy 0.0.0.0 acl 101
   ha-group 1
   port 80 tcp
      name _wildcard_v4_101_TCP_80
      service-group Proxy80
      use-rcv-hop-for-resp
      use-default-if-no-server
      template tcp TCP_Idle
      template persist source-ip SIP-Persist1
   port 443 tcp
      name _wildcard_v4_101_TCP_443
      service-group Proxy443
      use-rcv-hop-for-resp
      use-default-if-no-server
      template tcp TCP_Idle
      template persist source-ip SIP-Persist1
!
!
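To sanity-check what a 0.0.0.0 wildcard VIP actually exposes behind its ACL, here is an added Python evaluator (example code written for this page, not part of the thread or of ACOS) that applies ACL 101 above with first-match, implicit-deny semantics and inverse wildcard masks; the client and destination addresses passed to it are constructed test values.

```python
import ipaddress

# ACL 101 as posted in the reply above, embedded here so the example runs offline.
ACL_101 = """
access-list 101 deny ip any 170.235.0.0 0.0.255.255
access-list 101 deny ip any 10.0.0.0 0.0.0.127
access-list 101 deny ip 10.32.35.240 0.0.0.7 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
"""

def _parse_addr(tokens):
    """Consume 'any' or 'address wildcard' from tokens; return ((addr, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def _match(ip, spec):
    """Wildcard-mask semantics: 0 bits must equal the address, 1 bits are don't-care."""
    addr, wild = spec
    return ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Return [(action, proto, src, dst, dport)] in configured order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append((tok[2], tok[3], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched falls to the implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and _match(s, rsrc) and _match(d, rdst)
                and (rport is None or rport == dport)):
            return action
    return "deny"

def permitted_tcp_ports(rules, src, dst, ports):
    """Audit helper: which of the given TCP ports a client at src may reach on dst."""
    return [p for p in ports if evaluate(rules, "tcp", src, dst, p) == "permit"]
```

Running `permitted_tcp_ports` over the port range you care about is a quick way to confirm that only 80 and 443 reach the wildcard VIP before it goes live.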

Thanks, but that doesn’t quite look like what I’m going for. That looks like it’s handling specific ports on a wildcard IP, while what I want is the inverse - I want a specific IP address to handle any tcp port, and pass it to the selected backend server unmodified.

Hello, in that case you can use the following example; port 0 or others can be defined.

slb virtual-server VIP-Proxy 10.10.10.1
   ha-group 1
   port 0 tcp

Something like this would work. This will do destination NAT to the server, but will not change the destination tcp or udp port. If you require only tcp you can remove the udp and others configuration. Others will load balance all protocols other than tcp and udp. If you have ICMP health checks disabled you may have to add a health check to each server.

!
slb server s1 10.2.1.10
   port 0 tcp
       no health-check
   port 0 udp
       no health-check
!
slb server s2 10.2.1.11
   port 0 tcp
       no health-check
   port 0 udp
       no health-check
!
slb service-group _tcp_0_sg tcp
    member s1:0
    member s2:0
!
slb service-group _udp_0_sg udp
    member s1:0
    member s2:0
!
slb virtual-server All_Ports_vs 10.1.1.10
   port 0 tcp
      name _10.1.1.10_TCP_0
      service-group _tcp_0_sg
   port 0 others
      name _10.1.1.10_Others_0
      service-group _tcp_0_sg
   port 0 udp
      name _10.1.1.10_UDP_0
      service-group _udp_0_sg
!

Fsweetser,

Try searching for Outbound Link Load Balancing in the documentation. There is a pretty good example. I have to build this up for a customer today and will post an example later.

Best regards,

ToddH

The example config above is perfect, but you need to add the “no-dest-nat” to the VIP ports.

-ToddH-

Thanks, that gets me 98% of the way there! The last missing bit now, though, is that port 0 only seems to work when configured as TCP, but I need mine as HTTPS, since I have to do cookie persistence and an aFlex URL rewrite. Is there some other trick required to get it working as an HTTPS port?

Fsweetser,

SSL termination is not possible with a wildcard VIP using no-dest-nat. You may be able to use a VIP with a subnet range and IP-Header insert (x-forwarded-for). I would recommend contacting your SE and working out a solution that meets your needs. There are plenty of options available.

Best regards,

-ToddH-

I don’t think it’s the no-dest-nat, as I actually had a mostly working config with port 0 and without no-dest-nat. I’m in a one-armed config, so I do actually need NAT enabled. It looks like it’s the port 0 that’s conflicting for me. I’ll follow up with my SE now that I have a better idea of what I’m looking for. Thanks!