Trying to use "Multiply port per ip" from pool on the general tab of settings, but requests go only through 1 IP.
First make sure you have a pool of at least 20 IPs in your zone.
When you select 'Multiply port per IP' there should be a pop up allowing you to select which IPs you want to assign.
Go back to the 'general' screen, you should see the port is now 24000:1..20. Click the tiny dropdown button next to the port to reveal ports 24000 through 24020, each will have it's own unique IP.
Related
I want to block a program from accessing the local server "local host" (On windows) temporary so i can test random disconnections cases ... I tried adding a (rule) to the firewall for disabling both inbound and outbound in all networks types but the program just got block from accessing the internet not the local network
Moving on to an answer instead of a comment - nevertheless, more information on your use-case is greatly appreciated;
I think it is impossible to block access to localhost but allow internet access. Two reasons:
Networking works on different layers ("OSI layers") and localhost communication is looped back before firewall might filter (see ). Not so sure on this though.
localhost communication might be "basic" in a way that it is necessary for applications when they want to communicate via network.
UPDATE after OPs comment
I assume you are on Windows 10, and you know the path to the executable of the program you want to block.
Open "Windows Defender Firewall with Advanced Security".
On the left side, go to "Outbound Rules".
Then, on the right side click on "New Rule...".
A new window will open; Leave "Program" selected and click "Next".
Next to "This program path:" is a Button "Browse..." - select your program here. Click "Next..."
Select "Block the connection", then "Next...".
Select all three; Domain, Private and Public.
After click "Next..." choose an appropriate name, then click "Finish".
From now on, you can disable/enable this rule as you see fit.
Kinda hard to provide detailed answer having only the information you've provided, but I think this scenario can be easily tested with simple containers configuration: having both program under test and "localhost" service running in containers, you can randomly update container's network configuration to simulate connectivity issues.
You can use a reverse proxy like Fiddler and block all requests coming from this application to localhost.
If I understood what you mean then this will do:
To create a rule, select the Inbound Rules or Outbound Rules category at the left side of the window and click the Create Rule link on the right side. The Windows firewall offers four types of rules: Program – Block or allow a program. Port – Block or allow a port, port range, or protocol.
if you are using a third party anti-virus solution with a built-in firewall, go to the firewall option and black list/disable/prevent internet access to your app
Otherwise, disabling your firewall will not stop any access, as it will allow inbound and outbound traffic. you can prevent specific ports but disabling the firewall wall will not only do what mentioned before but it will also leave your device vulnerable for online threatts
Try these 3 simple steps.
run your program
Open cmd ( please check you need admin access for this, if yes then run as admin)
Run the following command to see at which port the localhost is listening.
netstat -ano | findstr :
e.g (if your localhost is listening at port 3900 the command will be as follow;
netstat -ano | findstr :3900
the result will be shown on cmd console, the last column is PID (Process id)
We will just kill that process which will eventually stop the localhost server to listen any request from any source.
taskkill /PID /F
< PID > that you will get from above command.
in this case, only the localhost will stop it's service, but you application will keep communicating to outer network, internet.
I've tried many tutorial how to block any website using layer 7 protocol. I need to block any social media website in office hour. But for the very first time, i've already done it but i still can access the website for example facebook.com.
This is my screenshoot :
Filter number 15 is what im trying to do but didn't work.
This is my layer 7 regexp
This is number 15 filter rules detail
Could you help me ?
You need to first disable ip\settings fast path.
/ip settings set allow-fast-path=no
Then, move your rule up, above fasttrack rule.
I'm not sure you can do it this way, because layer7 filter looks INTO the packets, not the destination URL; as Facebook/Youtube traffic is encrypted, layer7 filter sees nothing but encrypted stuff.
So you can't block traffic dynamically but you can block IPs this way:
Create a script which resolves www.facebook.com to an IP, and put this IP into an address list.
Schedule this script every minute or so.
Add a firewall rule to drop forwarded traffic to this address list.
You can also use the Mikrotik built-in DNS server, set your hosts to use it, and statically set www.facebook.com to 127.0.0.1. Your clients will be unable to connect to the real facebook (IF they are using your DNS).
I have a dedicated windows 2012 server with 12 dedicated IPs.
I want to be able to make connections simultaneously from two different ips that I choose.
This will be used for two different browser applications.
I have tried the following:
ForceBindIP %IP_ADDRESS% %APP_EXE%
But the IP doesn't change, the browser always displays the lowest IP from my added range.
I have also experimented with a script that removes all the ips, and then just adds one.
netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0
This changes the address BUT I end up having only one IP for both applications.
If the applications you intend to use doesn't support binding to interfaces/ip (true, it's uncommon), you can use SOCKS or Proxy software (which is a lot more common, especially browsers).
For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know most).
Squid-Cache have the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/ ).
Basically what you need to do is:
install Squid
add ACL for loopback IP mapping, such as:
acl IP110 src 127.0.0.1/32
acl IP111 src 127.0.0.2/32
[...]
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
[...]
And the default, which is just formally needed:
tcp_outgoing_address 104.251.111.110
Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:
for outgoing connection using IP .111, use proxy on 127.0.0.2
for outgoing connection using IP .110, use proxy on 127.0.0.1
.. and so on.
Make sure Squid (or WinGate) bind to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on internet you may want to proceed to security assessment anyway.
This way if you decide to offload some application remotely, to other server, you can still manage to use the same outgoing IP(s), you just need to change squid configuration to allow external connection, which could be a big plus for scaling.
It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:
Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
Using IIS, recreate the application as a site for each of the above browser application folders.
Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.
Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.
I'm looking for a way to monitor requests / responses timing in real time.
how many requests are processing right now, and for how long each request being processed ( when started, which pool / server )
is there a way to push / pull information from F5 when a request start processing and finished processing to/by external tool to show this information in real time ?
are there tools allowing to do this with F5 load balancers or other http load balancers ?
TIA.
If I understand your question properly, I think what you should be looking to do is either a tcpdump or use the CS-Command that generates a tabular
output and gives you information on the following:
When using the tcpdump in this case, you may want to include the option were the output is written to a file. I recommend this because
you can examine this file with ethereal which is a bit more user friendly and enables you to filter on a lot more things you might
be in search of. The syntax to do this is as follows:
USING TCPDUMP
tcpdump -vvni 0.0:nnn -s0 host 1.1.1.1 or host 2.2.2.2 or host 3.3.3.3 -w /var/tmp/FILENAME.pcap
OR
tcpdump -nvvv -i any -c 20 '((port 80 or port 443) and (host 10.0.3.169 or host 10.0.3.1)) and dst host 10.0.3.246' > FILENAME
The tcpdump should be used cautiously, it uses system processor cycles if not used well.
NOTE: The ( -c 20) above in the command will output only 20 lines of the result, without this switch, an endless stretch of output is obtained.
the use of this is to cut down on the cycles used, this can be repeated several times to accumulate volume of information obtained. Unless that
is not problem on the network it is used.
USING THE CS-SERVER COMMAND:
The below commands can be use from the perspective of client side and the server side with different options available, further below, I took the liberty
to include the explanations of all the possible combinations of these commands (obtained from F5 site). Also, the output of the command is broken into 5
parts, below is also an explanation of what the output translates to.
tmsh show sys connection cs-server-addr
tmsh show sys connection ss-server-addr
(1) (2) (3) (4) (5)
X.X.X.X:64231 X.X.X.X:443 X.X.X.X:64231 X.X.X.X:443 tcp 21 (tmm: 7) none
Y.Y.Y.Y:49632 Y.Y.Y.Y:443 Y.Y.Y.Y:49632 Y.Y.Y.Y:443 tcp 16 (tmm: 0) none
The Client IP Address and Port (1)
The Virtual Server IP Address and Port (2)
The SelfIP (SNAT) Address and Port (3)
The IP Address and Port of the Member Server the request went to (4)
The tmm process processing the connection (5)
cs-client-addr Specifies the clientside remote address of the active connections
cs-client-port Specifies the clientside remote port of the active connections
cs-server-addr Specifies the clientside local address of the active connections
cs-server-port Specifies the clientside local port of the active connections
protocol Specifies the protocol used for specified connections (for example: tcp, udp)
ss-client-addr Specifies the serverside local address of the active connections
ss-client-port Specifies the serverside local port of the active connections
ss-server-addr Specifies the serverside remote address of the active connections
ss-server-port Specifies the serverside remote port of the active connections
The title says almost everything. I want to use apache under windows and then redirect one or more domains to my computer using a service like No-IP. Is it possible?
Yes you just need to set port forwarding to your local machine (PORT 80 for HTTP, 443 for SSL, 21 for FTP ( if you want to run a ftp server aswell)) on your router, and set a dynamic dns there that points to NO-IP. Most likely you can add one DynDNS entry.
Yes.
You don't even need a Dynamic DNS service (like no-ip) if you have a static IP address. In that case, just register a domain name and create two DNS records -
NAME TYPE VALUE
example.com. A public.ip.address.here
www.example.com. CNAME example.com.
Most ISPs now assign static IPs (even if they claim otherwise), and if not, you can get one for a small fee ($5/month extra). Or upgrade your account to business class.
This way you don't have to introduce another layer (Dynamic DNS) into your set up.
Then install a WAMP such as - xampp (really popular here) - UniformServer -
Wamp-Developer Pro (the one I use) -
WampServer (another good one)
You'll also need to port-forward your router (ports 80 and 443) to the LAN IP, and create two rules in the Windows Firewall to unblock incoming port 80 and 443 requests.
The only thing that can go wrong is if your ISP blocks incoming port 80 (http) and 443 (https) requests. You can call and get them to unblock that, or again, update the account to business class to remove all the headaches.