Forum Discussion
jdorrough_42655
Nimbostratus
Apr 25, 2012
Can I spoof a source address with an iRule?
Let's say I have 4 IP addresses
IP-A 192.168.1.1 Client ip address
IP-B 192.168.2.1 Virtual server address
IP-C 192.168.3.1 Pool member associated to Virtual address
IP-D 192.168.4.1 IP I'm wanting to spoof.
I want the connection to work as follows....
1) Client makes a connection to IP-B
2) Big-IP sends the connection to Pool member IP-C. There is no NATing taking place, so Pool member IP-C sees the source address IP-A.
3) IP-C responds to IP-A, the packet arrives back to the Big-IP.
4) I want the packet to leave Big-IP with a source address of IP-D Destination IP-A.
I know this may look like a weird request. It is an attempt to do some asymmetrical routing between two datacenters.
Thanks in advance for your assistance.
5 Replies
- Chris_Miller
Altostratus
Interesting scenario. Basically, we'd want to apply SNAT in a response event, which doesn't seem to be supported. I'm going to try mocking this up using the "virtual" command and see what I can find out.
- Chris_Miller
Altostratus
What type of traffic is this, by the way?
- jdorrough_42655
Nimbostratus
Chris, thanks for the response. The traffic in question is TACACS. That's why I need the true source of the client.
I have two data centers with LTMs. In each datacenter I will have a pool of three nodes associated to the virtual server. Two of the three are physical TACACS servers; the other node is a virtual server on the LTM of the other datacenter. I'll have priority set to the local TACACS server, but if health monitors fail, the only healthy monitor will be the node pointing to the virtual server in the other datacenter. This all works great. The problem is the return traffic from the other datacenter.
In my example above, let's say a router trying to authenticate a user is IP-A. It has a TACACS server set to IP-D. IP-D is the virtual server address in datacenter 1. When the LTM receives the connection it sees that the two local pool nodes are down and the only one up is IP-B. IP-B is a virtual server in datacenter 2. When the LTM in datacenter 2 receives the traffic it sends it to one of its local TACACS server nodes, which has IP-C. So here is where it gets tricky: if IP-C responds, it will end up back at the router trying to authenticate with a source of IP-B. And as I'm sure you already see the problem, the three-way handshake will never work when a router sends a request to one IP and gets a response from another. That is why I'm trying to spoof the IP as it returns to the router.
Clear as mud??
Maybe I'm overcomplicating the issue. Any other suggestions are welcome.
- Chris_Miller
Altostratus
Your packet flow sounds like this: Router -> VIP (IP-D) -> Pool Member/VIP (IP-B) -> Pool Member (IP-C). If that's the case, why wouldn't the response be NATed properly? Traffic is still flowing through VIP (IP-D), so LTM should NAT the response to that address.
- The_Bhattman
Nimbostratus
A colleague of mine says he has done this via EtherIP
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_11_0_0/4.htmlconceptid
Unfortunately he works for DoD, so he can't show me his configuration, but he assures me that the link above and a call to F5 support will get you started.
Bhattman