Forum Discussion
Coso_17543
Nimbostratus
NimbostratusBigIp source addresses
hi all,
I don't know if this is an easy question but it's a bit urgent for me.
We need to balance 2 servers under a VIP for some services, telnet and FTP included.
The pool was correctly created as standard (we manage a lot of pools) but the users have a problem. After that just only one user tried too many times to login with a wrong user/pass, the nodes block the access from him. After that, nobody can't login because the source address for those 2 servers are not the real of users but the BIGIP..
I remeber something that this issue doesn't happen on some pool because being http users ip address is incapsulated in the packet and checking it, servers can know who is the real source. But how can avoid this in a normal telnet or FTP session?
There is a setting or an iRule to make a transparent balacing in BigIp so that servers can receive users as sources and not BigIP nat?
Thanks you
- Chris_Miller
Altostratus
Is there a reason you're using SNAT? Does your design require all users be SNATed? 
Coso_17543Well if I correctly understood SNAT should be used for security and for routing issues.
In our LAN all users , bigip and servers are all routed but we didn't used bigip too much until now, considering also that VIP creation enable "address Translation" by default.
I never pretty understood what "address translation" does on a VIP configuration.
What happen if for that VIP I uncheck "address translation" ? All requests are directly forwarded to nodes with no transformations and nodes will reply deirectly to the users machines?- Chris_MillerAddress translation enables LTM to translate the destination address of the packet. So, if you're using a normal VIP, you need address translation so LTM can translate the destination address to the pool member's IP.
SNAT can be more secure and can make routing easier but as you're seeing, applications that can't derive source ip address from header information might not work as hoped. - Coso_17543So I should disable SNAT to let the real nodes to see the real source addresses of the users instead of BIgIP?
And how can I do it for a single VIP - Chris_MillerYou can do it per VIP - if you're using the config utility, you'll find a "SNAT Pool" option set to either AutoMap or a SNAT Pool. You want to set that to none.
This of course assumes that your nodes will route traffic to the clients through LTM - if that's not the case, you'll still need SNAT. - Coso_17543mmm
so the nodes should have BigIP as default gateway ?
Servers are currently in another vlan with its own default gateway.
Anyway, I checked that option and it's already in "none". The only enabled thing is the "address translation" on the VIP - Chris_MillerIf it's at none, the original source address should be getting to the client - it's the destination address that's getting translated.
hooleylistCirrostratus
There could also be a default SNAT defined which dictates LTM should translate the serverside source address.
Aaron
Michael_YatesDepending on the destination application, you may also be able to use the X-Forward option in the HTTP Profile. If you are using basic Telnet and FTP, then you might not be able to use this option, but it is worth knowing about.
Look in your HTTP Profile. Under the Help Menu:
"Specifies, when enabled, that the system inserts an XForwarded For header in an HTTP request with the client IP address, to use with connection pooling. The default is Disabled."
There are also plenty of posts that that talk about it.- Coso_17543Ok, so please confirm me if I understood.
IF the servers are on the same subnet of bigbip AND configuring BigIp as their default gateways I can disable SNAT and when a user contact a VIP the packet is forwarded to the servers with the real user address as source. The servers, replying to the user address via their default gateway, will use then the BigIp that forward back the packet as it does on a normal pool request.
IF the servers are on a different subnet of BigIP this is not possible because they bypass it replying directly to the users.
is that right?
So, when the BigIP notice that the servers are on a different subnet it automatically SNAT the traffic to them?
