Forum Discussion
Change Source Address Translated IP to Original Client IP to backend server
Client IP 10.3.30.x is accessing LB VIP 192.168.12.228, which is configured with Source Address Translation (Auto: IP 10.0.122.65/28). The request is forwarded to back-end server 10.0.138.60:5555 (gateway is not the LB). Now if I take a capture on back-end server 10.0.138.60, I'll definitely see 10.0.122.65/28 as the source contacting the back-end server on port 5555 when the client sends some traffic. The requirement is that I need to see my original client IP 10.3.30.x as the source IP at my back-end server 10.0.138.60.
I have removed Source Address Translation from the LB configuration and found that the end client is unable to access the VIP due to the routing issue (as my back-end server gateway is not the LB).
Please suggest any way to meet my requirement.
- Ryan_80361
Cirrostratus
What protocol are you using on this virtual server? If it's HTTP, you can use the x-forwarded-for header.
- NETWORK_331823
Nimbostratus
We need to get the original client IP as source in the end server; due to some limitations we cannot use XFF in the back-end. Only option is to filter for source IP from the header.
- Stanislas_Piro2
Cumulonimbus
There are 2 solutions:
- If the protocol supports header insertion, like HTTP / HTTPS, you can insert a header with the IP address!
- Else, change your network design to make the BIG-IP the default route, to support the client's real IP on the server side.
Hi GSTN Infra Network Team,
Stanislas already provided you two solutions. I'd like to elaborate a little bit more on the second solution Stanislas has provided.
For network environments with "more intelligent network equipment" it's not mandatory to change the "DEFAULT-GW" configuration to pass all traffic towards your F5.
Depending on your equipment, you may utilize some PBR (Policy Based Routing) functionality to route just the traffic coming from SRC=10.0.138.60 (backend application) to DST=0.0.0.0/0 (you may also want to add DST exemptions) towards GW=10.0.122.65 (F5).
If PBR is not applicable, you could also add an additional network interface and IP address on your F5 within the back-end server VLAN. In this case you would be able to configure the local routing table of the back-end server to pass traffic destined to 0.0.0.0/0 (you may also want to add some additional routes for internal traffic) to the now locally connected F5.
Cheers, Kai
- Chandru_01
Nimbostratus
You need to enable X-Forwarded-For in the HTTP profile settings. Make changes only in a newly created custom HTTP profile and not in the parent profile. Once the mentioned setting is enabled, you need to enable the X-Forwarder settings in the respective servers to capture the actual client IP.
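Where the X-Forwarded-For route from the replies above is taken, the back-end should honour the header only on connections whose source is the load balancer's translated address, because a client can send its own X-Forwarded-For value. The following is an added example, not part of the thread or any F5 code: it assumes the back-end sees 10.0.122.65 as the peer (as in the original post), that the load balancer's entry is the last one in the header chain, and the function name `client_ip` and the sample client address 10.3.30.7 are constructed for illustration.

```python
import ipaddress

# Assumption: the only trusted proxy is the load balancer's SNAT address
# from the thread (10.0.122.65). Extend the list for a SNAT pool.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.122.65/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_values):
    """Return the client address the back-end should log or filter on.

    peer_ip: source address of the TCP connection as seen by the back-end.
    xff_values: X-Forwarded-For header values, in the order received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        # Connection bypassed the load balancer: the header is unverified.
        return str(peer)
    # Flatten repeated headers and comma-separated lists into one hop chain.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was added by the nearest proxy,
    # anything further left may have been supplied by the client itself.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain here
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample: client pre-seeds a forged value before the LB's entry.
    print(client_ip("10.0.122.65", ["198.51.100.9", "10.3.30.7"]))
```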