Forum Discussion

Justin_Nelson
Mar 19, 2019

Passing client IPs for FTP

Our FTP server (behind our F5) has an auto-ban feature that is blocking the self IP address of the F5 after multiple invalid logins. This in turn blocks all FTP traffic. I have used X-Forwarded-For in the past, but I can't seem to find the equivalent for FTP. Our workaround is to not auto-ban IP addresses, but this is a security risk.

My solution is to move from Automap/SNAT to None (routed mode) and make the F5 the default gateway of the SFTP server (this would pass the real client IP at Layer 3).

I seem to have hit a roadblock on how exactly to do that.

Current config: EXT listener (F5 virtual server) 10.10.10.181 > pool member (FTP server) 192.168.66.3; self IP of the F5 192.168.1.3

How would I specifically configure the forwarding (IP) virtual server so it sends traffic destined for 10.10.10.181 to 192.168.66.3 while passing the real IP address?

Do I need to create a static route on my router, since the F5 and the server are on different VLANs? When I set the DG to the self IP of the F5, all traffic to that server dies (as expected).

Any help is appreciated!

  • Imagine you have more or less this topology:

    (F5)-(Router)-(FTP)

    One approach:

    1. One static route in the F5 to reach the FTP server
    2. Configure the FTP server's gateway to use your router IP
    3. Configure PBR (policy-based routing) in the router to send all traffic which comes from the FTP server to the F5

    With this idea you should have end-to-end communication between your FTP server and clients.
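The F5 side of the three steps above (step 1 plus the virtual server with SNAT turned off), as an added example that is not from the original thread, written as tmsh commands using the addresses given in the question (virtual server 10.10.10.181, FTP server 192.168.66.3, self IP 192.168.1.3). The router's address on the F5's VLAN (192.168.1.1), the object names, the 192.168.66.0/24 prefix and the FTP control port 21 are assumptions; substitute your own.

```tmsh
# Step 1: static route so the BIG-IP can reach the FTP server's VLAN through the router.
# 192.168.1.1 (router interface on the self-IP VLAN) and the /24 are assumptions.
tmsh create net route to_ftp_vlan network 192.168.66.0/24 gw 192.168.1.1

# Pool containing the FTP server (port 21 assumed for the control channel).
tmsh create ltm pool ftp_pool members add { 192.168.66.3:21 } monitor tcp

# Standard virtual server on the external listener address with SNAT disabled
# (source-address-translation type none). With no SNAT the BIG-IP forwards the
# packet to the pool member with the client's real source IP, so the FTP server's
# auto-ban logic sees the attacker's address rather than the self IP.
# The ftp profile lets the BIG-IP track the active/passive data channel.
tmsh create ltm virtual ftp_vs destination 10.10.10.181:21 ip-protocol tcp profiles add { tcp ftp } pool ftp_pool source-address-translation { type none }

# Check the result: SNAT must read "type none" and the route must be present.
tmsh list ltm virtual ftp_vs
tmsh list net route

tmsh save sys config
```

Step 2 is done on the FTP server itself (its default gateway stays the router's interface on 192.168.66.0/24, not the F5 self IP, which is on another VLAN and so cannot be a gateway for that host). Step 3 is router-specific: a policy route that matches packets with source 192.168.66.3 and sets the next hop to 192.168.1.3, applied on the router interface facing the FTP server. Without it the server's replies are addressed to the real client IP and follow the router's normal route to the Internet, bypassing the BIG-IP; the BIG-IP then never sees the return half of the flow and the connection dies, which is the failure the question describes. A separate forwarding (IP) virtual server is not needed here: a standard virtual server with SNAT set to None already preserves the client source IP at Layer 3 when the server is a pool member.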