Adel_Farhan_194
Aug 24, 2016

Bypass the origin Client Source IP to Back end Server instead of floating IP

How can I bypass the origin Client Source IP to Back end Server instead of floating IP with Auto Map as Source Address Translation on VS configuration?

 

6 Replies

  • Since Auto Map means you will automatically SNAT traffic to your floating self IP, the obvious answer is to disable the Auto Map and change it to None. Now requests to the node are made with the original client IP address that connects to the BIGIP.

     

    However, if this is an HTTP application, it is common that they look at HTTP headers to get the client's IP address. The easiest way would then be to use a BIGIP HTTP profile to enable sending the HTTP header "X-Forwarded-For", which will contain the client's IP address. The HTTP server can then look at this header and determine the client IP address.

     

    You can also add custom HTTP headers using an iRule. If it is not an HTTP application, you can use the first suggestion, or iRules to make a more granular policy so that not all connections are using SNAT etc.
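
How a back-end server might consume the X-Forwarded-For header described above, as an added example that is not part of the original reply: it honours the header only when the connection arrives from the BIG-IP and takes the right-most untrusted entry, because anything further left can be supplied by the client. The `TRUSTED_PROXIES` range, the function names and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: subnet holding the BIG-IP self IPs that connect to this server
# (constructed value, replace with your own).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.20.0/29")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_headers):
    """Return the address to use for logging and access decisions.

    peer_addr   -- source address of the TCP connection seen by the server
    xff_headers -- list of X-Forwarded-For header values, in received order
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come through the load balancer can carry
    # any header it likes, so the header is ignored entirely.
    if not _is_trusted(peer):
        return str(peer)
    # Several header lines are equivalent to one comma-separated list.
    hops = [h.strip() for value in xff_headers
            for h in value.split(",") if h.strip()]
    # Walk from the right (added by the nearest proxy) to the left; the
    # first address that is not one of our proxies is the real client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing at or left of it
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the connection's own source address.
    return str(peer)
```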

     

  • Enable X-forwarder in the HTTP profile and you will see the real source address in the packet header.

     

    -Jinshu

     

  • created this means by which to "Kill SNAT AutoMap":

     

    https://devcentral.f5.com/codeshare/kill-snat-automap

     

    I have some changes I need to make to the doc and code (I want to offer up all 3 methods I've used/tested, with the most recent method proving to be the solution that we are running with).

     

    A few restrictions are that you must have selfIP/floatingIP presence in your pool members' subnet and your pool members must be Linux.

     

  • Hi,

     

    Regarding Auto Map, you can find the real source address by enabling X-Forwarded-For as you mentioned, and we'll get it in the X-Forwarded-For field of the HTTP headers.

     

    Thank you for that information and your support

     

    Best Regards,

     

  • Obviously that works only for HTTP applications. If you are running non-HTTP applications which require seeing the original client IP, you will have to change the design of your network and make the F5 the default gateway for your servers. This requires additional configuration on the BigIP such as Forwarding VIP etc.

     

  • SAP

    Bart

     

    Can you please let me know what kind of changes we can do to achieve the same if the VIP has a FastL4 profile and it's a non-HTTP VIP? The VIP is used for SFTP connections.