
smedakkar_85975
Apr 15, 2013

How to change only IP packet's destination address?

Hi,

 

I have a SIP INVITE passing through my F5 which is load balancing my back-end servers, and I'm trying to change only the destination address of the IP packet. I need the source to stay the same as it was when received from the client.

 

When I've tried doing this via F5's configuration, the only things I can do are either change both the source and destination or neither. I can't seem to have only the destination address changed.

 

After reading a number of posts, I've tried achieving this via an iRule based on this post ... but now the SIP doesn't even get through. Any help would be greatly appreciated.

 

Kindest regards.

 

 

7 Replies

  • John_Alam_45640
    Historic F5 Account
    SIP is a little complicated. If you change the destination address, you will have to change the via header as well to reflect your outside interface.

     

    https://devcentral.f5.com/wiki/iRules.SIP__via.ashx

     

     

    Try studying this iRule and see if it helps:

     

    https://devcentral.f5.com/wiki/iRules.SIP_topology_hiding_and_forward_proxy.ashx

     

     

    Also look here: https://devcentral.f5.com/community/group/aft/13134/asg/50

     

  • Thank you for replying so soon. I should have said in my original post that I don't want to change anything in the SIP message at all. It's just the IP packet that I wish to change.

     

    The end goal I'm trying to achieve is to leave the client's IP as-is but change the destination address to whichever node in the pool is selected by the load balancer. I want to pass the SIP request unaltered to the back end servers.

     

    I've tried using both the standard and fast-4 type of attributes to achieve this on my virtual server, but can't seem to get it to do what I need.

     

  • John_Alam_45640
    Historic F5 Account
    By default, for a standard and FAST-L4 Virtual, if the packet is reaching the pool member, then address translation is already done. Do a capture on the server; if the packets are being picked up, and the server has a unicast IP address, then translation is occurring.

     

     

    You would have to disable "Address translation" in the virtual properties for that to not occur.

     

     

    Hope I am understanding the issue properly.

     

     

    Thanks.
  • Hi,

     

    Thank you again for helping.

     

    I've wireshark'd the backend server and, looking at the received IP packet when the SIP INVITE is received (over TCP), all I see is that either:

     

    1. the source address is the IP address of F5's service interface and the destination address is that of F5's virtual IP
    2. ...or, the source address is the client's IP address and the destination address is that of F5's virtual IP

    If, as you say, address translation is occurring, is there a way for me to control the address translation of the destination address, such that when the IP packet is received at the back end server, its:

     

    • source address is the client's IP address and
    • the destination address is that of the pool's node (back end server's).

    It feels like this is a relatively straightforward task, but being new to F5, I'm starting to struggle.

     

  • John_Alam_45640
    Historic F5 Account
    "the source address is the IP address of F5's service interface"

    This means that you have SNAT automap configured on the virtual.

    " and the destination address is that of F5's virtual IP"

    This means that you have address translation DISABLED within virtual server properties.

    "or, the source address is the client's IP address and the destination address is that of F5's virtual IP"

    This means that SNAT is set to NONE and address translation is DISABLED.

    Set the virtual to Standard, SNAT to NONE, and Address translation to ENABLED. This will give you packets at the backend server having Source address of the CLIENT and Destination address of backend server.

     

     

    Send configuration of virtual if you can. From the CLI, logged in as root:

    tmsh list ltm virtual all-properties
    tmsh list ltm pool all-properties

    If you log in as admin, it dumps you into tmsh, so use this:

    list ltm virtual all-properties
    list ltm pool all-properties

     

     

    HTH
  • Hi John,

     

     

    Firstly, thank you for this information. And apologies for not replying to you sooner.

     

     

    Your description of the configuration makes sense, but when I set the virtual to Standard, and SNAT to NONE, I don't actually get any SIP delivered to the back end server. I ran a wireshark trace and it looks like the TCP connection is established, but then torn down a few milliseconds later. I'm still investigating this and will update when I find out more.

     

     

    Thank you again.
  • Hi,

     

    As per your advice, I've tested with setting the SNAT to None and enabling Address Translation. Unfortunately, I'm still getting the source address to be F5's service IP address, but the destination is correct (it is set to the real server's IP).

     

    I've attached the output from the 2 commands you mentioned.

     

    • tmsh list ltm virtual all-properties > virtual.txt
    • tmsh list ltm pool all-properties > pool.txt

    Thanks again.
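
The mapping John_Alam_45640 gives between a virtual server's SNAT and address-translation settings and the addresses a pool member sees can be checked against saved `tmsh list ltm virtual` output. The script below is an added example, not part of the thread or F5's own tooling; the sample config is constructed, and it assumes the TMOS 11.3+ property names `source-address-translation` and `translate-address`.

```python
# Constructed sample in the layout of `tmsh list ltm virtual` output; object
# names and addresses are made up, property names assume TMOS 11.3+.
SAMPLE = """\
ltm virtual vs_sip_a {
    destination 192.0.2.10:sip
    source-address-translation {
        type automap
    }
    translate-address disabled
}
ltm virtual vs_sip_b {
    destination 192.0.2.11:sip
    source-address-translation {
        type none
    }
    translate-address enabled
}
"""

def parse_virtuals(text):
    """Return {virtual name: {"snat": ..., "translate": ...}} from tmsh output."""
    virtuals, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                      # a stanza opens
            stack.append(line[:-1].strip())
            if len(stack) == 1 and line.startswith("ltm virtual "):
                virtuals[line.split()[2]] = {"snat": None, "translate": None}
        elif line == "}":                           # a stanza closes
            stack.pop()
        elif stack and stack[0].startswith("ltm virtual "):
            cur = virtuals[stack[0].split()[2]]
            key, _, val = line.partition(" ")
            if stack[-1] == "source-address-translation" and key == "type":
                cur["snat"] = val
            elif len(stack) == 1 and key == "translate-address":
                cur["translate"] = val
    return virtuals

def backend_view(snat, translate):
    """Addresses the pool member should see, per the mapping in the thread."""
    src = {"none": "client IP", "automap": "BIG-IP self IP"}.get(snat, "unknown")
    dst = {"enabled": "pool member IP", "disabled": "virtual IP"}.get(translate, "unknown")
    return src, dst

def report(text):
    """Map each virtual server to its predicted (source, destination) pair."""
    return {n: backend_view(v["snat"], v["translate"])
            for n, v in parse_virtuals(text).items()}

print(report(SAMPLE))
```

Comparing this prediction with what a capture on the pool member actually shows narrows down whether the virtual server's own settings account for the observed source address.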