Forum Discussion

David_A_19418's avatar
David_A_19418
Icon for Nimbostratus rankNimbostratus
Feb 06, 2012

Preserve Client IP works on 10.1.0 but not on 10.2.0

We don't want to use X-forwarded-for for numerous reasons...

 

 

 

Here's the background:

 

TEST environment has LTM VE 10.1.0 (The only one that runs on Virtualbox)

 

- WWW nodes in a private VLAN, default GW is the self IP on the LTM

 

- Virtual Server is set with SNAT set to None, standard HTTP profile,

 

HTTP request to this virtual server get logged on the WWW nodes with the Client's actual IP address (WANTED/CORRECT BEHAVIOR)

 

 

 

 

 

PROD environment: Physical LTM's running 10.2.0 in an active/passive configuration. If it matters the current Active node is unit 2, not unit 1.

 

- WWW nodes in a private VLAN, default GW is the floating IP for this vlan on the F5 cluster

 

- Virtual Server is set with SNAT set to None, standard HTTP profile (same as TEST environment)

 

 

 

HTTP request to this virtual gets logged on the WWW nodes with the F5's floating IP (unwanted behavior)

 

Tried the following:

 

Toggled SNAT pool from None to Automap (no change in behavior)

 

Created a OneConnect Profile with the source mask set to 255.255.255.255 and applied that to the virtual (no change in behavior)

 

 

 

Right now I'm at a loss as to why the heck the client IP isn't passed to the pool members? I have specifically designed this environment so that the WWW nodes's default GW is the floating IP, as I didn't want to have to deal with the X-forwarded-for stuff, as that requires going over 200GB of web tree, to change .htaccess rules, as well as php code that filter based on the connecting IP (which in this case will always show up as the same F5 floating IP address)

 

 

 

I know I've done this before on older LTM editions and had it work as expected/documented on 4.x, 9.x, 10.1.x, so is there an open issue with 10.2.x regarding this sort of misbehavior?

 

 

 

-- David

 

3 Replies

  • is there any snat object in 10.2.0?

     

    b snat list

     

     

    if you do not want to do snat when sending traffic to specific pool, can you try to set allow snat to no under pool setting?
  • Setting "Allow SNAT" to "no" on the pools SOLVES my issue, thanks!. It's odd though that the settings are idential pool/VServer wise (betwwen 10.1.0 and 10.2.0) however i have to set Allow SNAT to no on the pools on 10.2.0 to get the same behavior.

     

  • don't you have snat object in 10.2.0? i understand it is a reason address was translated.