Forum Discussion

jdorrough_42655's avatar
jdorrough_42655
Icon for Nimbostratus rankNimbostratus
Apr 25, 2012

Can I spoof a source address with an iRule?

Let's say I have 4 IP addresses

 

 

 

IP-A 192.168.1.1 Client ip address

 

 

IP-B 192.168.2.1 Virtual server address

 

 

IP-C 192.168.3.1 Pool member associated to Virtual address

 

 

IP-D 192.168.4.1 IP I'm wanting to spoof.

 

 

 

I want the connection to work as follows....

 

 

1) Client makes a connection to IP-B

 

 

2) Big-IP sends connection to Pool member IP-C. There is no Natting taking place so Pool member IP-C sees the source address IP-A.

 

 

3) IP-C responds to IP-A, the packet arrives back to the Big-IP.

 

 

4) I want the packet to leave Big-IP with a source address of IP-D Destination IP-A.

 

 

 

I know this may look like a weird request. It is an attempt to do some asymmetrical routing between two datacenters.

 

 

Thanks in advance for your assistance.
application delivery
dev
devops
iRules
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Apr 25, 2012
    Interesting scenario. Basically, we'd want to apply SNAT in a response event which doesn't seem to be supported. I'm going to try mocking this up using the "virtual" command and see what I can find out.
  • jdorrough_42655's avatar
    jdorrough_42655
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2012
    Chris, thanks for the response. The traffic in question is tacacs. That’s why I am needing the true source of the client.

     

     

    I have two data centers with LTM's. In each datacenter I will have a pool of three nodes associated to the virtual server. Two of the three are physical tacacs servers the other node is a virtual server on the LTM of the other datacenter. I'll have priority set to the local tacacs server but if health monitors fail, the only healthy monitor will be the node pointing to the virtual server in the other datacenter. This all works great. The problem is the return traffic from the other datacenter.

     

     

     

    In my example above let’s say a router trying to authenticate a user is IP-A. It has a tacacs server set to IP-D. IP-D is the virtual server address in datacenter1. When the LTM receives the connections it sees that the two local pool nodes are down and the only one up is IP-B. IP-B is a virtual server in datacenter2. When the LTM in datacenter 2 receives the traffic it sends it to one of its local node tacacs servers which has IP-C. So here is where it gets tricky, if IP-C responds it will end up back at the router trying to authenticate with a source of IP-B. And as I'm sure you already see the problem, the three way hand shake will never work when a router sends a request to one ip and get a response from another. That is why I'm trying to spoof the ip as it returns to the router.

     

     

    Clear as mud??

     

     

    Maybe I'm over complicating the issue. Any other suggestions are welcome.

     

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Apr 28, 2012
    Your packet flow sounds like this: Router -> VIP (IP-D) -> Pool Member/VIP (IP-B) -> Pool Member (IP-C). If that's the case, why wouldn't the response be NATed properly? Traffic is still flowing through VIP (IP-D) so LTM should NAT the response to that address.
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Apr 29, 2012
    A colleague of mine says he has done this via EtherIP

     

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_11_0_0/4.htmlconceptid

     

     

    Unfortunately he works for DoD so he can't show me his configuration - but assures me that the link above and a call to F5 support will get you started.

     

     

    Bhattman