Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

carl_townshend_'s avatar
carl_townshend_
Icon for Nimbostratus rankNimbostratus
Nov 14, 2018

IP Forwarding virtual server

Hi all We want to preserve the original IP address of the clients coming in on one of our virtual servers, this is for FTP connections. I believe this is done by an IP Forwarding virtual server and t...
application delivery
LTM
Philip_Jonsson's avatar
Philip_Jonsson
Icon for MVP rankMVP
Nov 14, 2018

Hey Carl

 

This all depends on how the networking (VLANs, Routes and Self-IP addresses is configured). When using a Forwarding IP VS, the BIG-IP will simply forward the traffic to the IP address configured in the Destination IP Address field of the virtual server. However, it will be stateful.

 

To give you an example using an external and internal VLAN, you would configure it the following way:

 

External VLAN

 

  • Self-IP Address: 10.10.1.31

Internal VLAN

 

  • Self-IP Address: 172.16.1.31

Virtual-Server

 

  • Destination IP Address: 172.16.1.100 (Same as FTP Server)
  • Destination Port: 21
  • VLANs and Tunnels: DO NOT Listen on Internal
  • SNAT Automap: Off

It is important you configure so that the VS does not "listen" on VLAN internal. This is because the BIG-IP will ARP for 172.16.1.100 if it does that on the internal VLAN you will end up with an IP conflict. So it is important you only listen on VLANS where you expect traffic will originate from

 

FTP Server

 

  • IP Address: 172.16.1.100
  • Port: 21
  • Default Gateway: 172.16.1.31

On the External Network Routing you add the following routing entry:

 

External Routing

 

destination 172.16.1.100 255.255.255.255 10.10.1.31

 

The traffic will flow the following way:

 

  1. Traffic originating from external with the destination of 172.16.1.100 will be routed to 10.10.1.31 (Self-IP of the BIG-IP)
  2. Since we have a virtual server (listener) on the BIG-IP for 172.16.1.100 it will pick up the traffic.
  3. The configuration on the virtual server state that it will not translate the client IP address (no SNAT), not translate the destination IP address or destination Port (standard for Forwarding IP type VS)
  4. The BIG-IP will review its routing table, traffic for 172.16.1.100 will be routed through VLAN internal since it is directly connected.
  5. Traffic arrives at the FTP server and since it uses the BIG-IP's self-IP address as default gateway, the return traffic will pass through the BIG-IP again.
  6. The BIG-IP will match the return traffic because it matches the session and send it back out on the external VLAN.

To read more about Forwarding IP VS's please check this article:

 

K7595: Overview of IP forwarding virtual servers

 

But that is one way of solving it. It all depends on how the environment is designed and configured.

 

I hope this helps!

 

Let me know if you have any further questions :).