Forum Discussion

Vova_1985_18320
Aug 18, 2015

Preserve client IP

Hi dear experts,

I am looking for a way to preserve the client's IP for TCP requests (no HTTP profile used) using SNAT. I read in some blogs that it is possible to do it with an iRule, but people are talking about logs getting bigger and LTM crashes. What is the best way to achieve it, and how can I do it/use it?

4 Replies

  • Hamish

    Do you want to preserve it in the actual TCP connection (i.e. not SNAT'ed) or just encode it somewhere in the packet (e.g. option stuffing)?

    SNAT won't preserve the address... It HIDES it... The S==Source - i.e. Source NAT'ing...

    If you want the TCP connection to preserve it, just don't use SNAT and make sure the route back to the client from the server passes back THROUGH the big again. For option stuffing there's an example in the Wiki...

    H

  • I have to use SNAT as all my servers are configured with a gateway other than the LB. I do it with HTTP traffic by using X-Forwarded-For, but in this situation I need it for non-HTTP traffic (routed to a Linux server). Is there any way I can achieve it? And just to be correct, SNAT stands for secure NAT.

  • Hamish

    There's nothing secure about SNAT. It's SOURCE NAT. Anyone tells you it's secure, feel free to laugh at them.

    You could use policy routing, either on the Linux server, or at the network layer, to route non-HTTP traffic back to the big (e.g. by matching on the SOURCE PORT of the RETURN traffic to the client). This is similar to the way you'd do it with a WAN accelerator to accelerate specific traffic only, if you do that.

    H
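The source-port policy routing suggested in the last reply could look like this on the Linux server. This is an added example, not part of the original thread; the service port 5000, the BIG-IP address 192.0.2.10 on the server's subnet, the interface eth0 and the mark/table number 100 are all constructed assumptions.

```shell
#!/bin/sh
# Added example (constructed values): send replies from one TCP service back
# through the BIG-IP so the virtual server can run without SNAT, while all
# other traffic keeps using the server's existing default gateway.

MARK=100     # firewall mark for return traffic (assumed unused elsewhere)
TABLE=100    # routing table number (assumed unused elsewhere)

# Print the three commands that implement the policy route.
# $1 = service port, $2 = BIG-IP address on the server subnet, $3 = interface
return_route_cmds() {
    port=$1; bigip=$2; dev=$3
    # 1. Mark locally generated replies whose SOURCE port is the service port.
    echo "iptables -t mangle -A OUTPUT -p tcp --sport $port -j MARK --set-mark $MARK"
    # 2. Marked packets consult a dedicated routing table...
    echo "ip rule add fwmark $MARK table $TABLE"
    # 3. ...whose only route is a default route via the BIG-IP.
    echo "ip route add default via $bigip dev $dev table $TABLE"
}

# Run the commands (needs root), or only show them when DRY_RUN=1 (default).
apply_return_route() {
    return_route_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd || exit 1
        fi
    done
}

apply_return_route 5000 192.0.2.10 eth0
```

The rule matches every reply sourced from the service port, so connections that reach the service without passing the BIG-IP are also returned through it. Verify with `ip rule show` and `ip route show table 100` after running with `DRY_RUN=0`.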