chrisphysics_11
Jan 02, 2013

How to - not use NAT for a single host behind an F5 when not using a VIP.

I have an F5 which is using a SNAT list to automap all addresses on my inbound VLAN. (call this the outside)

I believe this is used for outbound connections from internal hosts to present a routable address.

However for inbound connections direct to my hosts (ie not via virtual server) I'm not sure if this applies or not.

When establishing an inbound connection direct to an internal host the host sees that connection request come from the F5 self IP. (ie some kind of source NAT)

I know this feature can be turned on/off for Virtual Servers but in this instance I want to talk to an individual server directly and not via the Virtual Server IP. How do I turn off the SNAT for one host only?

I'll try to explain the simplified setup as below in case the above doesn't make sense.

Client (10.0.0.1) - Targets Destination 192.168.0.3 which sits behind an F5. (This is the real IP not a virtual server)

Server B (192.168.0.3) - Sees source as 192.198.0.1 not the real client IP 10.0.0.1

I want my server to see the real client IP, I have a feeling what I need to do is build an IP forwarding rule for the host and ensure SNAT pool is set to none.

Can anyone confirm this?

Thanks and Regards

Chris

10 Replies

  • Where is the SNAT applied, to the Virtual Server or elsewhere? Please provide a little bit more detail.
  • > However for inbound connections direct to my hosts (ie not via virtual server) I'm not sure if this applies or not.

    if snat list is applied on incoming vlan, yes it is. anyway, why don't you use snatpool setting under virtual server configuration instead of snat list? so, it will affect inbound traffic to virtual server only.

    > I want my server to see the real client IP, I have a feeling what I need to do is build an IP forwarding rule for the host and ensure SNAT pool is set to none.

    you mean ip forwarding virtual server, don't you? if so, yes but you have to also remove snat list configuration. snat list will apply even if snat is set to none under ip forwarding virtual server.

    hope this helps.
  • Posted By nitass on 01/02/2013 04:29 PM

    > However for inbound connections direct to my hosts (ie not via virtual server) I'm not sure if this applies or not.
    >
    > if snat list is applied on incoming vlan, yes it is. anyway, why don't you use snatpool setting under virtual server configuration instead of snat list? so, it will affect inbound traffic to virtual server only.
    >
    > I want my server to see the real client IP, I have a feeling what I need to do is build an IP forwarding rule for the host and ensure SNAT pool is set to none.
    >
    > you mean ip forwarding virtual server, don't you? if so, yes but you have to also remove snat list configuration. snat list will apply even if snat is set to none under ip forwarding virtual server.
    >
    > hope this helps.

    So yes my snat list is applied on the incoming vlan meaning it is matching everything. Turning that off is a last resort at the moment; the F5's in question are heavily utilized in a production environment with scores of virtual servers and hosts behind them. Making global changes is not ideal for me.

    Yes I do mean an ip forwarding virtual server. At the moment I have at least one service working through a standard load balancing virtual server that is presenting the real source IP. I'm trying to work out how and why that is. I will spend some more time comparing configs.

  • Some more investigation has shown that despite the SNAT list applied to everything, if using a virtual server and you set "Allow SNAT" to "No" on the pool, then SNAT does not take place.

    Does anyone know if this will also apply to an ipforward virtual server?

  • > Does anyone know if this will also apply to an ipforward virtual server?

    ip forwarding virtual server does not have pool configuration.

    can you try something like this?

    [root@ve10:Active] config  b snat snat0 list
    snat snat0 {
       automap
       snatpool none
       origins default inet
    }
    [root@ve10:Active] config  b virtual bar80 list
    virtual bar80 {
       pool foo
       destination 172.28.19.252:80
       ip protocol 6
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b self 200.200.200.10 list
    self 200.200.200.10 {
       netmask 255.255.255.0
       vlan internal
       allow default
    }
    
     inbound traffic to virtual server
    line (1) shows source ip is translated to selfip (200.200.200.10).
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    22:57:19.779678 IP 172.28.19.251.35829 > 172.28.19.252.80: S 378202834:378202834(0) win 5840 
    22:57:19.779717 IP 172.28.19.252.80 > 172.28.19.251.35829: S 3718782002:3718782002(0) ack 378202835 win 4380 
    22:57:19.780672 IP 172.28.19.251.35829 > 172.28.19.252.80: . ack 1 win 46 
    (1) 22:57:19.780720 IP 200.200.200.10.35829 > 200.200.200.101.80: S 2936807042:2936807042(0) win 4380 
    22:57:19.780728 IP 172.28.19.251.35829 > 172.28.19.252.80: P 1:157(156) ack 1 win 46 
    22:57:19.781779 IP 200.200.200.101.80 > 200.200.200.10.35829: S 1002618947:1002618947(0) ack 2936807043 win 5792 
    22:57:19.781818 IP 200.200.200.10.35829 > 200.200.200.101.80: . ack 1 win 4380 
    
    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       ip forward
       destination any:any
       mask 0.0.0.0
       rules myrule
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
            snat none
    }
    }
    
     inbound traffic to server (not via virtual server)
    line (2) shows source ip is not translated to selfip.
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 23
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    22:59:20.504725 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840 
    (2) 22:59:20.504824 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840 
    22:59:20.505810 IP 200.200.200.101.23 > 172.28.19.251.47055: S 4166638761:4166638761(0) ack 2714618693 win 5792 
    22:59:20.505816 IP 200.200.200.101.23 > 172.28.19.251.47055: S 4166638761:4166638761(0) ack 2714618693 win 5792 
    22:59:20.506760 IP 172.28.19.251.47055 > 200.200.200.101.23: . ack 1 win 46 
    22:59:20.506767 IP 172.28.19.251.47055 > 200.200.200.101.23: . ack 1 win 46 
    
    
  • Sorry that's a little hard for me to follow as I normally use the GUI but I think you're suggesting, build a forwarding virtual server and then apply an iRule (which I'll have already built as something like)?

    rule myrule {
       when CLIENT_ACCEPTED {
            snat none
       }
    }

  • > Sorry that's a little hard for me to follow as I normally use the GUI but I think you're suggesting, build a forwarding virtual server and then apply an iRule (which I'll have already built as something like)?

    yes. :-)

    additionally, you can use network address (e.g. 200.200.200.0:any) instead of wildcard (any:any) in ip forwarding virtual server.

    hope this helps.
  • For my forwarding virtual server host I'll just be using the one host that I want this rule to apply to. If I wanted it to apply to everything I'd remove the SNAT list and wouldn't have this problem.

    Anyway yes you've been a big help. I'll report back once I've tried this.
  • you can also check source ip in the irule before disabling snat. 200.200.200.10 is bigip selfip.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       ip forward
       destination any:any
       mask 0.0.0.0
       rules myrule
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
            if { [IP::addr [IP::client_addr] equals 172.28.19.251/32] } {
                    snat none
            }
    }
    }
    [root@ve10:Active] config  b snat snat0 list
    snat snat0 {
       automap
       snatpool none
       origins default inet
    }
    
     inbound traffic to server from client 172.28.19.251 (source ip is translated)
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    19:08:21.319605 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840 
    19:08:21.321640 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840 
    19:08:21.322634 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792 
    19:08:21.322645 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792 
    19:08:21.323695 IP 172.28.19.251.60531 > 200.200.200.101.80: . ack 1 win 46 
    19:08:21.323705 IP 172.28.19.251.60531 > 200.200.200.101.80: . ack 1 win 46 
    
     inbound traffic to server from client 172.28.19.101 (source ip is not translated)
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    19:20:00.870593 IP 172.28.19.101.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840 
    19:20:00.870674 IP 200.200.200.10.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840 
    19:20:00.871679 IP 200.200.200.101.80 > 200.200.200.10.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792 
    19:20:00.871689 IP 200.200.200.101.80 > 172.28.19.101.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792 
    19:20:00.872697 IP 172.28.19.101.42255 > 200.200.200.101.80: . ack 1 win 46 
    19:20:00.872707 IP 200.200.200.10.42255 > 200.200.200.101.80: . ack 1 win 46
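The two tcpdump comparisons in this thread (virtual server versus forwarding virtual server with `snat none`, and the source-conditional iRule just above) both answer the same question by eye: does the server-side copy of the SYN still carry the client's address? The script below automates that check. It is an added example, not code from the thread, from F5 or from either poster. It pairs each client-side SYN in a `tcpdump -nni 0.0` capture with the SYN BIG-IP emits toward the server for the same flow (BIG-IP keeps the client's source port, so the port pair is the join key), reports whether the source address was rewritten, and compares that against a policy that generalizes the iRule's single `/32` match to a list of exempt client networks. `SELF_IP`, `EXEMPT_FROM_SNAT` and the sample capture lines are assumptions constructed for the example, modeled on the addresses and tcpdump format used in the thread.

```python
"""Audit a BIG-IP tcpdump capture for source-address translation (SNAT).

Added example, not code from the thread or from F5. Given a capture taken on
interface 0.0 (all VLANs), each forwarded connection shows up twice: the SYN
as the client sent it, then the SYN BIG-IP sent toward the server. If the two
differ in source address, SNAT happened for that flow.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical policy values (assumptions, not the thread's real config):
# the self IP that SNAT automap substitutes, and the client networks the
# iRule exempts with `snat none`.
SELF_IP = "200.200.200.10"
EXEMPT_FROM_SNAT = [ipaddress.ip_network("172.28.19.251/32")]

# Constructed sample capture, modeled on the tcpdump lines in the thread.
SAMPLE_CAPTURE = """\
19:08:21.319605 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.321640 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.322634 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792
19:20:00.870593 IP 172.28.19.101.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.870674 IP 200.200.200.10.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.871679 IP 200.200.200.101.80 > 200.200.200.10.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792
"""

# A bare TCP SYN (no "ack"), i.e. the client's connection request, in
# tcpdump's classic "S seq:seq(0) win N" format. SYN-ACKs do not match.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S \d+:\d+\(0\) win \d+$"
)


def parse_syns(capture):
    """Return SYN packets in capture order as (ts, src, sport, dst, dport)."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            syns.append((m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return syns


def pair_flows(syns):
    """Group SYNs by (source port, destination port).

    BIG-IP preserves the client's source port by default, so the first SYN
    seen for a port pair is the client-side packet and any later one is the
    copy BIG-IP emitted toward the server (SNATted or not). Two clients that
    reuse the same source port inside one capture would collide, which is
    acceptable for a short diagnostic capture.
    """
    flows = defaultdict(list)
    for ts, src, sport, dst, dport in syns:
        flows[(sport, dport)].append((ts, src, dst))
    return flows


def expected_translated(client_ip):
    """Policy from the thread's iRule, generalized to a list of networks."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in EXEMPT_FROM_SNAT)


def audit_snat(capture):
    """For each paired flow, report observed versus expected translation."""
    results = []
    for (sport, dport), pkts in pair_flows(parse_syns(capture)).items():
        if len(pkts) < 2:
            continue  # only one side captured; nothing to compare
        client_ip, server_side_src, server = pkts[0][1], pkts[1][1], pkts[1][2]
        translated = server_side_src != client_ip
        want = expected_translated(client_ip)
        results.append({
            "client": client_ip,
            "sport": sport,
            "server": server,
            "server_side_src": server_side_src,
            "translated": translated,
            "expected_translated": want,
            # Correct when the decision matches policy and, if translated,
            # the substituted address is the expected self IP.
            "ok": translated == want and (not translated or server_side_src == SELF_IP),
        })
    return results


if __name__ == "__main__":
    for r in audit_snat(SAMPLE_CAPTURE):
        state = "SNAT" if r["translated"] else "no SNAT"
        print(f"{r['client']}:{r['sport']} -> {r['server']}: {state} "
              f"(server sees {r['server_side_src']}) {'OK' if r['ok'] else 'MISMATCH'}")
```

To use it on a real capture, save the output of `tcpdump -nni 0.0 port 80` to a file and pass its contents to `audit_snat`; a `MISMATCH` line means a flow was translated (or left untranslated) contrary to the exemption list, which is the quickest way to confirm whether a SNAT list, a pool's "Allow SNAT" setting, or an iRule is actually in effect for a given host.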