Forum Discussion
meena_60183
Nimbostratus
Jun 13, 2011
Client IP visibility in one arm mode
Hi All,
I have a pair of LTMs in the DMZ in a one-arm configuration. The frontend (virtual server) and the backend (servers) are on the same subnet. It acts as a reverse proxy for a lot of internal hosts but it also acts as a load balancer to servers in the DMZ. SNAT automap is configured and so all the client IPs look like they are coming from the BigIP. Now, I have a requirement where apps running on the DMZ servers require client IP visibility.
What are the options available?
Meena
6 Replies
- nitass
Employee
is it http/s?
if so, have u seen x-forwarded-for solution in askf5?
sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
- meena_60183
Nimbostratus
I should have mentioned this. The traffic that is being load balanced is not http(s) but SSH and TCP port 9033. It is application specific.
- nathe
Cirrocumulus
Meena
"The traffic that is being load balanced is not http(s) but SSH and TCP port 9033. It is application specific" - I think this rules out x-forward-for I'm afraid. In a one-arm config you could choose to NOT use SNAT Automap on this VIP, however, you will then need to route the traffic back to the src client ip back through the LTM, rather than the def gateway (which I presume isn't the LTM).
Rgds
N
- meena_60183
Nimbostratus
The current default gateway for the servers is the firewall. The default gateway for the LTM is also the firewall. I tried changing the server's default gateway to be the LTM but traffic stops working. I enabled all services using 0 for port number but still it seems like the LTM is not responding to ARP requests from the firewall. I even deleted the ARP entry for the servers in question but that did not help either.
- nitass
Employee
client isn't in same subnet as vip, is it?
for arp, could u confirm if arp is checked under virtual address list?
if yes, bigip should respond to arp requests for that virtual address.
- Minn_62043
Cirrostratus
It's better if you can paste the virtual server's configuration.
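The SNAT and return-routing trade-off raised in the replies above, as an added example that is not part of the original thread: a small Python model of which source address a server sees and whether its reply passes back through the LTM. All addresses are constructed documentation-range values, and the model assumes plain on-link/default-gateway routing on the server.

```python
# Added example: a routing model, not BIG-IP configuration.
# All addresses are constructed (RFC 5737 documentation ranges).
import ipaddress

SUBNET = ipaddress.ip_network("192.0.2.0/24")  # DMZ subnet shared by VIP and servers
LTM_SELF = "192.0.2.5"   # BIG-IP self IP, also the SNAT automap source
FIREWALL = "192.0.2.1"   # default gateway the servers use today


def trace(client, snat, server_gw):
    """Return (source IP the server sees, reply next hop, reply passes the LTM)."""
    # SNAT automap rewrites the source to the LTM's own address.
    seen = ipaddress.ip_address(LTM_SELF if snat else client)
    # The server answers the address it saw: directly if that address is
    # on its own subnet, otherwise through its default gateway.
    next_hop = seen if seen in SUBNET else ipaddress.ip_address(server_gw)
    # Only a reply that reaches the LTM can be translated back to the VIP.
    via_ltm = str(next_hop) == LTM_SELF
    return str(seen), str(next_hop), via_ltm


def assess(client, snat, server_gw):
    """Summarise one scenario: client IP visibility and return-path symmetry."""
    seen, next_hop, via_ltm = trace(client, snat, server_gw)
    visible = "client IP visible" if seen == client else "client IP hidden"
    path = ("reply returns via LTM" if via_ltm
            else f"reply bypasses LTM, next hop {next_hop}")
    return f"{visible}, {path}"


SCENARIOS = [
    ("SNAT automap, gateway = firewall", "198.51.100.20", True, FIREWALL),
    ("no SNAT, gateway = firewall", "198.51.100.20", False, FIREWALL),
    ("no SNAT, gateway = LTM", "198.51.100.20", False, LTM_SELF),
    ("no SNAT, client on server subnet", "192.0.2.77", False, LTM_SELF),
]

if __name__ == "__main__":
    for label, client, snat, gw in SCENARIOS:
        print(f"{label:36} {assess(client, snat, gw)}")
```

In this model only the third scenario gives both client IP visibility and a reply path through the LTM; the fourth shows why the client's subnet matters when SNAT is off.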
