
BaltoStar_12467
Jan 02, 2015

BIG-IP : identify true client-ip

F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

I suppose this is more of a nw question than a BIG-IP question.

I am testing http requests against our prod website from a client located within our corporate nw.

On my prod f5 virtual-server I have a diagnostic irule which writes this log :

log local0. "Client [IP::client_addr]:[TCP::client_port]"

However, BIG-IP logs a client-ip different than my client's static-ip.

I believe traffic is being NAT'd before routing externally and arriving at our prod DC.

How can I set up a test client so that BIG-IP logs the true ip? (my client's static-ip)

4 Replies

  • Your iRule logs the source IP address derived from the header of the incoming IP datagram.

    If the original client IP address is modified (i.e. due to hiding NAT of your clientside firewall or by your internet router) you will log the NAT address, as you already noticed.

    If your client's request is forwarded by a proxy you can check for the so-called X-Forwarded-For http-header. Perhaps the proxy is inserting this header with the value of the original client IP address.

    So if your virtual server has an http-profile assigned you may add the following section to your iRule:
    when HTTP_REQUEST {
        if {[HTTP::header exists X-Forwarded-For]}{
            log local0. "client ip from xff-header: <[HTTP::header value X-Forwarded-For]>"
        } 
    }
    

    Please run "tail -f /var/log/ltm" to monitor your log file.

  • giltjr

    Just an F.Y.I., if the client is being proxied, the "true" client IP address could be, and most likely is, a private non-routable IP address. So your log may show an address like 192.168.1.1.

     

  • Hi,

    Probably if we want to log the client IP address for a non-HTTP connection, then we could use the iRule below:

    when CLIENT_ACCEPTED {
        log local0. "Client [IP::client_addr]:[TCP::client_port]"
    }
    

    But if it is an HTTP connection, then it is a good idea to use the above iRule.
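
Added example, not part of any reply above: an iRule that logs the connection's source address next to X-Forwarded-For and treats the header as verified only when the request arrives from a known proxy, since any client can send that header itself. The data group name `trusted_proxies` is hypothetical (an address-type data group you would create), and the variable names and log format are illustrative.

```tcl
# Added example. trusted_proxies is a hypothetical address-type data group
# holding the proxies whose X-Forwarded-For entries you accept.
when HTTP_REQUEST {
    # Source address of the connection BIG-IP accepted (the post-NAT address).
    set peer [IP::client_addr]
    set claimed ""
    set trusted 0
    set scope "n/a"

    if { [class match $peer equals trusted_proxies] } {
        # The header can repeat, and each value can be a comma-separated chain.
        set hops {}
        foreach value [HTTP::header values X-Forwarded-For] {
            foreach hop [split $value ","] {
                lappend hops [string trim $hop]
            }
        }
        # Walk from the hop nearest BIG-IP back towards the origin and stop at
        # the first address that is not one of our own proxies.
        for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [lindex $hops $i]
            # Stop on anything that does not look like an IP address.
            if { ![regexp {^[0-9a-fA-F:.]+$} $hop] } { break }
            if { [catch { class match $hop equals trusted_proxies } is_proxy] } { break }
            if { !$is_proxy } {
                set claimed $hop
                set trusted 1
                break
            }
        }
    } elseif { [HTTP::header exists X-Forwarded-For] } {
        # Sender is not a known proxy: record the header, but as unverified.
        # Truncated so an oversized header cannot flood the log line.
        set claimed [string range [HTTP::header value X-Forwarded-For] 0 63]
    }

    # A proxied client is often on private address space (RFC 1918).
    if { $trusted && ![catch { IP::addr $claimed equals 10.0.0.0/8 } a] } {
        if { $a || [IP::addr $claimed equals 172.16.0.0/12] || [IP::addr $claimed equals 192.168.0.0/16] } {
            set scope "private"
        } else {
            set scope "public"
        }
    }
    log local0. "peer=$peer xff_client=<$claimed> trusted=$trusted scope=$scope"
}
```

A line with `trusted=0` and a non-empty `xff_client` means the header came from a sender outside the data group and should be read as a claim, not as the client's address.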