Preserve original source IP with SNAT for SMTP
Hi guys,
Reading through various posts here on devcentral I have a feeling I will not be able to achieve what I want but I rather ask again.
Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers
I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.
The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.
If I keep the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.
We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except the IP addresses.
So can I load balance SMTP traffic with SNAT while somehow being able (on the backend server) to tell what the original source IP was?
Thanks.
haproxy's PROXY protocol https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt provides the solution to this problem.
This presents the client's real IP address as a line of data when establishing a connection to the SMTP server. The SMTP server has to support v1 of the protocol and an iRule is written to emulate the protocol on the backend connection.
This is the code for initiating a back-end connection to the SMTP server using this protocol
This is not required but listed for reference. If you ever need to receive PROXY protocol connections then this handles that as well.
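As an added illustration of the PROXY protocol v1 exchange described above (this is example code, not the iRule from this answer nor any F5 code, and it is Python rather than the iRule's Tcl): it builds the header line the load balancer would send ahead of the SMTP session, and parses it the way a v1-aware SMTP server does, applying the length, address-family and port checks the spec requires. The IP addresses, ports and EHLO line are constructed sample values.

```python
"""Build and parse haproxy PROXY protocol v1 headers (proxy-protocol.txt, section 2.1)."""
import ipaddress

PROXY_V1_MAX_LEN = 107  # spec: longest possible v1 line including CRLF (TCP6 case)


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Header line the LB sends before any SMTP bytes (what the iRule emulates)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families must match")
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    assert len(line) <= PROXY_V1_MAX_LEN
    return line


def parse_proxy_v1(data):
    """Strip the header from the start of a buffer, as a v1-aware SMTP server would.

    Returns (client, rest): client is (ip, port) of the real client, or None for
    'PROXY UNKNOWN'; rest is the application data that follows the header.
    Raises ValueError if the buffer does not start with a valid v1 header (the spec
    says the receiver must then drop the connection, not fall back to the socket IP).
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)  # CRLF must sit within 107 bytes
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if fields[1] == b"UNKNOWN":  # sender knows nothing about the original client
        return None, rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f.decode("ascii")) for f in fields[2:4])
    want = 4 if fields[1] == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    src_port, dst_port = (int(f) for f in fields[4:6])
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    return (str(src), src_port), rest


# Constructed sample: SNATed connection carrying the real client 203.0.113.7,
# followed by the first SMTP command the client actually sent.
SAMPLE = build_proxy_v1("203.0.113.7", "192.0.2.25", 51234, 25) + b"EHLO client.example\r\n"
```

The tuple returned by `parse_proxy_v1` is the value the SMTP server would check against its allow list instead of the SNAT address it sees on the socket.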
- NatDoyleAltostratus
Gonna give this a go now thanks Kev
- Lee_SutcliffeNacreous
This is certainly possible using X-Forwarded-For-HTTP headers: https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
Lee
- Lee_SutcliffeNacreous
Actually, forget that. I just re-read the question and realised you are using SMTP so X-Forwarded-For won't work.
Sorry!
- Martin_VlaskoAltocumulus
Yes exactly, I need it for SMTP, not HTTP. I know about X-Forwarded-For but this is of no use for SMTP.
- JGCumulonimbus
Did they say what they needed client src ip addr for?
- Martin_VlaskoAltocumulus
They use the source IP to tell whether this IP is allowed to send emails or do something else on the backend server. They have a huge list of these IPs, it's configured on the backend server and only these IPs are allowed to use the server.
I could control it on the firewall, allow traffic only from these sources to LB VIP, but the list is huge and they change it quite often, hence they want to manage the list on their own.
- JGCumulonimbus
You can put in an "acl" irule (plenty of examples on devcentral) which checks a data group file that contains all these IP addresses. Updating of that data group file can be automated.
- Martin_VlaskoAltocumulus
Hi Jie, Yes that could be a possibility but the Exchange guys don't want me to handle this list. They want to manage the list on their own. Personally I think they don't trust anything outside of their Exchange box. But I will propose this option to them anyway. thx
- JGCumulonimbus
I wouldn't trust some of Microsoft's product people myself, but that's me. But since they want to take the responsibility for their service, you can put in an automated process to fetch and update that file of theirs.
- Martin_VlaskoAltocumulus
Yes, exactly my words :)