Forum Discussion
Coso_17543
Nimbostratus
Mar 14, 2011
BigIp source addresses
hi all,
I don't know if this is an easy question but it's a bit urgent for me.
We need to balance 2 servers under a VIP for some services, telnet and FTP included.
The pool was correctly created as standard (we manage a lot of pools), but the users have a problem. After just one user tried too many times to log in with a wrong user/pass, the nodes blocked access from him. After that, nobody can log in, because the source address those 2 servers see is not the real users' address but the BIG-IP's.
I remember that this issue doesn't happen on some pools because, being HTTP, the user's IP address is encapsulated in the packet, and by checking it the servers can know who the real source is. But how can I avoid this in a normal telnet or FTP session?
Is there a setting or an iRule to make balancing transparent in BigIP so that servers see the users as sources and not the BigIP NAT?
Thank you
12 Replies
- Chris_Miller
Altostratus
Is there a reason you're using SNAT? Does your design require all users be SNATed?
- Coso_17543
Nimbostratus
Well, if I understood correctly, SNAT should be used for security and for routing issues.
In our LAN, users, BigIP and servers are all routed, but we haven't used BigIP too much until now, considering also that VIP creation enables "Address Translation" by default.
I never quite understood what "Address Translation" does in a VIP configuration.
What happens if I uncheck "Address Translation" for that VIP? Are all requests forwarded directly to the nodes with no transformation, and will the nodes reply directly to the users' machines?
- Chris_Miller
Altostratus
Address translation enables LTM to translate the destination address of the packet. So, if you're using a normal VIP, you need address translation so LTM can translate the destination address to the pool member's IP.
SNAT can be more secure and can make routing easier, but as you're seeing, applications that can't derive the source IP address from header information might not work as hoped.
- Coso_17543
Nimbostratus
So I should disable SNAT to let the real nodes see the real source addresses of the users instead of the BigIP's?
And how can I do it for a single VIP?
- Chris_Miller
Altostratus
You can do it per VIP - if you're using the config utility, you'll find a "SNAT Pool" option set to either AutoMap or a SNAT Pool. You want to set that to none.
This of course assumes that your nodes will route traffic to the clients through LTM - if that's not the case, you'll still need SNAT.
- Coso_17543
Nimbostratus
mmm
So the nodes should have BigIP as their default gateway?
Servers are currently in another VLAN with its own default gateway.
Anyway, I checked that option and it's already set to "None". The only thing enabled is "Address Translation" on the VIP.
- Chris_Miller
Altostratus
If it's at none, the original source address should be getting to the client - it's the destination address that's getting translated.
- hoolio
Cirrostratus
There could also be a default SNAT defined which dictates LTM should translate the serverside source address.
Aaron
- Michael_Yates
Nimbostratus
Depending on the destination application, you may also be able to use the X-Forward option in the HTTP Profile. If you are using basic Telnet and FTP, then you might not be able to use this option, but it is worth knowing about.
Look in your HTTP Profile. Under the Help Menu:
"Specifies, when enabled, that the system inserts an XForwarded For header in an HTTP request with the client IP address, to use with connection pooling. The default is Disabled."
There are also plenty of posts that talk about it.
- Coso_17543
Nimbostratus
OK, so please confirm whether I understood.
IF the servers are on the same subnet as BigIP AND BigIP is configured as their default gateway, I can disable SNAT, and when a user contacts a VIP the packet is forwarded to the servers with the real user address as source. The servers, replying to the user address via their default gateway, will then use the BigIP, which forwards the packet back as it does on a normal pool request.
IF the servers are on a different subnet from BigIP, this is not possible because they bypass it, replying directly to the users.
Is that right?
So, when the BigIP notices that the servers are on a different subnet, does it automatically SNAT the traffic to them?
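The settings discussed in this thread, written out as tmsh configuration. This is an added example, not configuration from any of the posts. It assumes BIG-IP v11 or later tmsh syntax (the `source-address-translation` stanza); the addresses, the VLAN and every object name (`pool_telnet`, `pool_ftp`, `pool_http`, `vs_telnet`, `vs_ftp`, `vs_http`, `server_vlan_float`, `default_snat`, `set_xff`) are made up for illustration. It covers the per-VIP "SNAT Pool: None" setting from Chris_Miller's reply, the default SNAT hoolio mentions, the routing condition Coso_17543 summarises in the last post, and the X-Forwarded-For option Michael_Yates describes for HTTP.

```tmsh
# Added example, not configuration from the thread. Assumes BIG-IP v11+
# tmsh syntax. Every name and address is hypothetical: the VIP is
# 192.0.2.10, the two servers are 10.20.0.11/.12 on VLAN "server_vlan".

# One pool per service so the member ports are explicit.
ltm pool pool_telnet {
    members {
        10.20.0.11:23 { address 10.20.0.11 }
        10.20.0.12:23 { address 10.20.0.12 }
    }
    monitor tcp
}
ltm pool pool_ftp {
    members {
        10.20.0.11:21 { address 10.20.0.11 }
        10.20.0.12:21 { address 10.20.0.12 }
    }
    monitor tcp
}
ltm pool pool_http {
    members {
        10.20.0.11:80 { address 10.20.0.11 }
        10.20.0.12:80 { address 10.20.0.12 }
    }
    monitor http
}

# Telnet VIP. "Address Translation" (translate-address) stays enabled so the
# destination is rewritten to the pool member; "SNAT Pool: None" keeps the
# client's real source address on the server-side connection.
ltm virtual vs_telnet {
    destination 192.0.2.10:23
    ip-protocol tcp
    profiles { tcp { } }
    pool pool_telnet
    translate-address enabled
    translate-port enabled
    source-address-translation { type none }
}

# FTP VIP, same idea. The ftp profile lets LTM track the data channel.
ltm virtual vs_ftp {
    destination 192.0.2.10:21
    ip-protocol tcp
    profiles { ftp { } tcp { } }
    pool pool_ftp
    translate-address enabled
    translate-port enabled
    source-address-translation { type none }
}

# With SNAT off the servers answer to the client IP directly, so their
# default gateway must be the BIG-IP or the replies bypass it. A floating
# self IP on the server VLAN is the usual gateway address (10.20.0.1 here).
net self server_vlan_float {
    address 10.20.0.1/24
    vlan server_vlan
    floating enabled
    traffic-group traffic-group-1
}

# hoolio's point: a standalone SNAT whose origins cover the clients still
# rewrites the source even though the virtual says None. Look for one with
#   tmsh list ltm snat
# A catch-all looks like this object; delete it or narrow its origins.
ltm snat default_snat {
    automap
    origins { 0.0.0.0/0 { } }
}

# HTTP case (Michael_Yates): keep SNAT on and carry the client address in
# X-Forwarded-For instead. The http profile's own insert-xforwarded-for flag
# adds the header without an iRule; this iRule additionally removes any
# X-Forwarded-For the client sent first, so a client cannot forge the
# address the server uses for its lockout decision (to dodge a lockout, or
# to lock out somebody else's address).
ltm rule set_xff {
when HTTP_REQUEST {
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
}
ltm virtual vs_http {
    destination 192.0.2.10:80
    ip-protocol tcp
    profiles { http { } tcp { } }
    pool pool_http
    rules { set_xff }
    translate-address enabled
    translate-port enabled
    source-address-translation { type automap }
}
```

Load the objects with `tmsh load sys config merge from-terminal` (or from a file), then confirm the per-VIP setting with `tmsh list ltm virtual vs_telnet source-address-translation` and check that `tmsh list ltm snat` shows no catch-all origin. On the servers, point the default route of the server VLAN at 10.20.0.1 (the floating self IP); if they keep their own gateway in another VLAN, replies never pass back through the BIG-IP and SNAT has to stay on for those virtuals.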
