Hi, I have problem with F5 BigIp, i have created vip ip address (192.168.1.3) for two nodes (192.168.1.1 and 192.168.1.2) any client ( example 10.1.1.1) access the virtual ip (192.168.1.3) will be shown at the servers as ip address of BigIp not the client address( 10.1.1.1), how can i let the BigIP show the ip address of host instead of ip address of self ip. i have attached one photo for clarification thanks BigIP expert :):):)

first of all, i'm not an expert but just wann help if i can. :-) what is nodes' default gateway? is it bigip? if so, would u mind trying to remove snat under virtual config? the other way is to use x-forwarded-for http header. sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html cheer!

hi and thx for reply, nodes are the physical machine (server) there are two nodes (phyiscal machine) in diagram 192.168.1.2 and 192.168.1.1, it is not gateway or bigip i have configured the virtual server (192.168.1.3) SNAT Pool to "automap", should i return to "none", i am new to bigip can you please tell me more about snat what it do ? is it oridnary NAT ? Big thanksssssssssssssssssss even if u r not expert :):)

SNAT is literally Source-NAT. Basically its telling the VS to act as a proxy... So the backend (Poolmembers) see the IP connection coming from one of the BigIP's addresses (Automap will use the floating self-ip of the interface that routes to the poolmembers). To have the client IP preserved, disable SNAT, enable NAT (The F5 then NAT's the proxied connection back to the address and port of the client). The poolmembers then need to use the F5 (SelfIP) as the default gateway back to the client. H

when i put the snat none, the virtual server is not working how to enable nat ?

About 5 items below the SNAT option when configuring the Virtual Server. There's separate options for 'Address Translation' and 'Port Translation'. Select both. Then make sure the default gateway back to the client IP is via the F5 floating self-ip address that directly connects to the poolmembers. (I suspect that's already done, unless you were running the poolmembers in a kind of n-path configuration) I think it's more likely that the only thing wrong is your poolmembers are routing back direct to the client via a separate router, since it looks like you're running the F5 single armed (Sorry, can't see your picture, so no network diagram to verify)... H

BigIP Remove the source address of host

26 Replies

nitass
Employee
Jun 19, 2011
would u mind posting your config here?

b self list

b route list

b virtual (virtual_server_name) list

b pool (pool_name) list
al_kabeer_2905
Nimbostratus
Jun 19, 2011
b self list

self 172.16.1.22 {

netmask 255.255.255.0

vlan VLAN_2

allow default

}

b route list

route 172.16.0.0/16 {

gateway 172.16.1.222

}

b virtual VS-Test list

virtual VS-Test {

translate service disable

snat automap

pool Pool- Test

destination 172.16.1.26:http

ip protocol tcp

profiles {

IntraSourceAdd {}

tcp {}

}

}

pool Pool- Test {

monitor all http

members {

172.16.1.20:http {}

172.16.1.30:http {}

}

}
nitass
Employee
Jun 19, 2011
what's client ip? isn't it in 172.16.0.0/24 subnet?

if yes, have u seen response packet from pool?

tcpdump -nni 0.0 port 80 and host client_ip and \(host 172.16.1.20 or host 172.16.1.30\)

*client_ip is client ip address
al_kabeer_2905
Nimbostratus
Jun 19, 2011
the virtual IP address : 172.16.1.26

two physical address 172.16.1.20 and 172.16.1.30

BigIp self ip 172.16.1.22

Cisco Core Switch 172.16.1.222

the two servers have the gateway of coreswitch 172.16.1.222

when i change it to Bigip address 172.16.1.22 both the servers stops
al_kabeer_2905
Nimbostratus
Jun 19, 2011
the client is on diiferenet subnet 172.16.2.0 /24
nitass
Employee
Jun 19, 2011
have u seen response packet from pool?

tcpdump -nni 0.0 port 80 and host client_ip and \(host 172.16.1.20 or host 172.16.1.30\)

*client_ip is client ip address

btw, do we need to disable icmp redirect on catalyst?
al_kabeer_2905
Nimbostratus
Jun 19, 2011
i did the command and i can c nothing as output

i change the sorce address to be the self ip 172.16.1.22 and i got the traffic
al_kabeer_2905
Nimbostratus
Jun 19, 2011
i did the command and i can c nothing as output

i change the sorce address to be the self ip 172.16.1.22 and i got the traffic
al_kabeer_2905
Nimbostratus
Jun 19, 2011
13:31:03.891043 IP 172.16.1.22.40083 > 172.16.1.20.80: . ack 1 win 46

13:31:03.891103 IP 172.16.1.22.40083 > 172.16.1.20.80: P 1:8(7) ack 1 win 46

13:31:03.894727 IP 172.16.1.20.80 > 172.16.1.22.40083: P 1:250(249) ack 8 win 260

13:31:03.895013 IP 172.16.1.22.40083 > 172.16.1.20.80: . ack 250 win 54

13:31:03.895072 IP 172.16.1.22.40083 > 172.16.1.20.80: F 8:8(0) ack 250 win 54

13:31:03.895076 IP 172.16.1.20.80 > 172.16.1.22.40083: F 250:250(0) ack 8 win 260

13:31:03.895957 IP 172.16.1.20.80 > 172.16.1.22.40083: . ack 9 win 260

13:31:03.896022 IP 172.16.1.22.40083 > 172.16.1.20.80: . ack 251 win 54
nitass
Employee
Jun 19, 2011
client is 192.168.206.96

vip is 172.28.17.66

selfip is 172.28.17.60

pool member is 172.28.17.80

pool member's default gateway is 172.28.17.60

[root@tulip:Active] config b self 172.28.17.60 list

self 172.28.17.60 {

netmask 255.255.255.0

vlan external

allow all

}

[root@tulip:Active] config b virtual bar list

virtual bar {

pool foo

destination 172.28.17.66:ssh

ip protocol tcp

}

[root@tulip:Active] config b pool foo list

pool foo {

members 172.28.17.80:ssh {}

}

[root@tulip:Active] config tcpdump -nni 0.0 \(host 192.168.206.96 and host 172.28.17.66 and port 22\) or \(host 192.168.206.96 and host 172.28.17.80 and port 22\)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes

(1) 03:33:22.083798 IP 192.168.206.96.63959 > 172.28.17.66.22: S 376152562:376152562(0) win 8192

(2) 03:33:22.083847 IP 172.28.17.66.22 > 192.168.206.96.63959: S 3250302098:3250302098(0) ack 376152563 win 4380

(3) 03:33:22.084122 IP 192.168.206.96.63959 > 172.28.17.66.22: . ack 1 win 256

(4) 03:33:22.084168 IP 192.168.206.96.63959 > 172.28.17.80.22: S 4066958068:4066958068(0) win 4380

(5) 03:33:22.085213 IP 172.28.17.80.22 > 192.168.206.96.63959: S 1806241468:1806241468(0) ack 4066958069 win 5840

(6) 03:33:22.085225 IP 192.168.206.96.63959 > 172.28.17.80.22: . ack 1 win 4380

packet no1-3 is syn, syn+ack and ack between client and vip

packet no4-6 is syn, syn+ack and ack between bigip and pool member (since snat is none, source ip isn't changed to bigip selfip). i don't show mac address. if u do, u will see even source ip is client ip but mac address is bigip mac address indeed.

hth

Forum Discussion

BigIP Remove the source address of host

26 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

Clone/export/import API Protection Profile

UCS file migration on differing OS versions

simultaneous disabling / enabling of all LTM objects

F5 VE WAF FINE TUNING

Changes to DO and AS3 GitHub - no longer monitored

Related Content

The Power of Source Address

health monitor source IP address

Restsh is now available under an Open Source license!

source address persistence maximum session timeout

Remove alerts showing r-series LCD/Dashboard.

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS