Forum Discussion

clayhawks_16572
Feb 28, 2012

Load balanced Telnet Servers - Pass through original IP or hostname?

I know what you're thinking. Did he fire 6 shots or only 5?

*Ahem*

What I meant to say is - I know what you're thinking. What the heck is this guy doing load balancing telnet servers? Well, as often happens in the world we work in, application folks made an initial request to have two telnet servers load balanced for our WMS. We explained carefully what the strengths and weaknesses are of this topology, including the fact that client IP addresses would be hidden because of SNAT functionality.

Now the application folks need to know the original IP address of a client request passing through the VIP. In this case, the telnet server is built by Pragma Systems...

Does anyone know of a way to create an iRule that will pass the original IP address of the telnet client? I've been browsing the forums and I see HTTP based rules that do that, but nothing that seems to match other protocols.

Thanks for listening!

5 Replies

  • Can you clarify if your backend servers are on an "internal" vlan; one that must pass through the Layer7 always?

    (Because you are using SNAT it would seem possibly that you aren't but I wanted to check).

    The trouble here is Layer7 sending a frame with an IP of the client on the header will cause the TCP stack on the server to try and respond to that ClientIP directly, bypassing the Layer7; the SNAT is a method to force the traffic to go back to the Layer7 - which re-writes the frame and TCP SYN number - before sending the frame back to your client.

    One way to make your servers accept the ClientIP and respond without trouble is the "spoke" network setup: You set up a subnet that your servers have an IP in and the Layer7 has an IP in. Servers are configured to use the Layer7's IP in that subnet as the default gateway so all traffic flows from the Layer7 to the server and back again regardless of the source IP; you get to keep your load balancing AND pass the client IP without breaking TCP.

    Hope this helps.
  • You have to turn off SNAT and route traffic from the Telnet servers back through the F5s, then the request will be from the remote host and you'll see the originating IP. For routing purposes you need to make sure traffic goes back through the F5s.

    If you set your default gateways on the Telnet servers to the F5s you may also want to create a routing VIP so it can get to the rest of your network.
  • There is also the multi-home host setup, but Advanced routing seems only to work well on RedHat *nix variants. (Traffic from the Layer7 is forced back out the ether that it came in on.) The Hub spoke architecture works for all OSs though.
  • I don't know if this will help you. But try adding it as a new header and check if this will help your application folks :)
  • Hamish
    Hmm.. Sorry, thought I'd replied to this one already, but apparently not.

    There's no headers in telnet beyond some simple options for sending brk, etc. but with an iRule you could snoop the login process and possibly set an environment variable from the iRule, immediately after the login completes with the first shell prompt... Kind of like ssh client does to setup an X11 tunnel and DISPLAY environment variable.

    H
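
Added example (not part of any reply in this thread): a simplified Python model of the return-path behaviour the replies describe, comparing SNAT, no SNAT with some other default gateway, and no SNAT with the load balancer as the servers' default gateway. All addresses and the `simulate` function are constructed for illustration, and SNAT is assumed to preserve the client's source port.

```python
from dataclasses import dataclass

# Constructed addresses for illustration (not from the thread).
CLIENT = "198.51.100.7"
VIP = "192.0.2.10"
LB_SELF = "10.2.0.1"      # load balancer's address on the server subnet
OTHER_GW = "10.2.0.254"   # some other router on the server subnet
SERVER = "10.2.0.21"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def simulate(snat: bool, server_gateway: str):
    """Return (source IP the telnet server sees, whether the client accepts the reply)."""
    syn = Packet(CLIENT, 40000, VIP, 23)
    # The load balancer always rewrites the destination (VIP -> pool member);
    # it rewrites the source only when SNAT is enabled.
    to_server = Packet(LB_SELF if snat else syn.src, syn.sport, SERVER, syn.dport)
    seen_by_server = to_server.src
    reply = Packet(SERVER, 23, to_server.src, to_server.sport)
    # Return path: a reply addressed to the load balancer reaches it directly;
    # any other reply leaves through the server's default gateway.
    via_lb = reply.dst == LB_SELF or server_gateway == LB_SELF
    if via_lb:
        # The load balancer matches its connection entry and restores the
        # addresses the client originally used.
        reply = Packet(VIP, 23, CLIENT, syn.sport)
    # The client accepts only a reply that mirrors the 4-tuple of its SYN.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)
    return seen_by_server, accepted


if __name__ == "__main__":
    cases = [("SNAT on", True, OTHER_GW),
             ("SNAT off, other gateway", False, OTHER_GW),
             ("SNAT off, gateway = load balancer", False, LB_SELF)]
    for label, snat, gw in cases:
        seen, ok = simulate(snat, gw)
        print(f"{label:36} server sees {seen:14} client accepts reply: {ok}")
```

Only the last case gives the telnet server the real client address while keeping the connection intact, which is the "spoke" arrangement from the replies.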