Forum Discussion

clayhawks_16572's avatar
Icon for Nimbostratus rankNimbostratus
Feb 28, 2012

Load balanced Telnet Servers - Pass through original IP or hostname?

I know what you're thinking. Did he fire 6 shots or only 5?






What I meant to say is - I know what you're thinking. What the heck is this guy doing load balancing telnet servers? Well as often happens in the world we work in, application folks made an initial request to have two telnet servers load balanced for our WMS. We explained carefully what the strengths and weaknesses are of this topology, including the fact that client IP addresses would be hidden because of SNAT functionality.





Now the application folks need to know the original IP address of a client request passing through the VIP. in this case, the telnet server is built by Pragma Systems...




Does anyone know of a way to create an iRule that will pass the original IP address of the telnet client? I've been browsing the forums and I see HTTP based rules that do that, but nothing that seems to match other protocols.




Thanks for listening!


5 Replies

  • Can you clarify if your backend servers are on an "internal" vlan; one that must pass through the Layer7 always?


    (Because you are using SNAT it would seem possibly that you aren't but I wanted to check).



    The trouble here is Layer7 sending a frame with an IP of the client on the header will cause the TCP stack on the server to try and respond to that ClientIP directly, bupassing the Layer7; The SNAT is a method to force the traffic to go back to the Layer7 -which re-writes the frame and TCP SYN number - beore sending the frame back to your client.



    One way to make your servers accept the ClientIP and respond without trouble is the "spoke" network setup: You setup a subnet that your servers have an IP in and the Layer7 has an IP in. Servers are configured to use the Layer7s IP in that subnet as the default gateway so all traffic flows from the Layer7 to the server and back again regardless of the source IP; you get to keep your load balancing AND pass the client IP without breaking TCP.



    hope this helps.
  • You have to turn off SNAT and route traffic from the Telnet servers back through the F5's, then the request will be from the remote host and you'll see the originating IP. For routing purposes you need to make sure traffic goes back through the F5's.



    If you set your default gateways on the Telnet servers to the F5's you may also want to create a routing VIP so it can get to the rest of your network.
  • There is also the multi-home host setup, but Advanced routing seems only to work well on RedHat *nix variants. (traffic from the Layer7 is forced back out the the ether that it came in on). The Hub spoke architecture works for all OSs though.
  • I don't know if this will help you. But try adding it as a new header and check if this will help your application folks :)
  • Hamish's avatar
    Icon for Cirrocumulus rankCirrocumulus
    Hmm.. Sorry, thought id replied to this one already, but apparently not.



    Theres no headers in telnet beyond some simple options for sending brk, etc. but with an irule you could snoop the login process and possibly set an environment variable from the irule, immediately after the login completes with the first shell prompt... Kind of like ssh client does to setup an X11 tunnel and DISPLAY environment variable.