Forum Discussion
Preserve original source IP with SNAT for SMTP
Hi guys,
Reading through various posts here on DevCentral I have a feeling I will not be able to achieve what I want, but I would rather ask again.
Our topology looks like: source -> firewall -> F5 LTM -> firewall -> router -> backend servers
I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails.
The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router.
If I keep the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.
We checked the backend SMTP server configuration and there is no other way to allow/deny sources there other than by IP address.
So can I load balance SMTP traffic with SNAT while still somehow being able (on the backend server) to tell what the original source IP was?
Thanks.
13 Replies
- Lee_Sutcliffe
Nacreous
This is certainly possible using X-Forwarded-For HTTP headers: https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
Lee
- Lee_Sutcliffe
Nacreous
Actually, forget that. I just re-read the question and realised you are using SMTP, so X-Forwarded-For won't work.
Sorry!
- Martin_Vlasko
Altocumulus
Yes exactly, I need it for SMTP, not HTTP. I know about X-Forwarded-For but this is of no use for SMTP.
- JG
Cumulonimbus
Did they say what they needed the client src IP addr for?
- Martin_Vlasko
Altocumulus
They use the source IP to tell whether this IP is allowed to send emails or do something else on the backend server. They have a huge list of these IPs; it's configured on the backend server and only these IPs are allowed to use the server.
I could control it on the firewall by allowing traffic only from these sources to the LB VIP, but the list is huge and they change it quite often, hence they want to manage the list on their own.
- JG
Cumulonimbus
You can put in an "ACL" iRule (plenty of examples on DevCentral) which checks a data group that contains all these IP addresses. Updating of that data group can be automated.
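The kind of ACL iRule described above, as an added example that is not code from the poster or from F5: it keeps the source-IP allow list on the LTM (where the real client address is still visible before SNAT), rejects anything not on the list, and logs the original client address so the backend team still has an audit trail even though the SMTP server only ever sees the SNAT address. The data group name `smtp_allowed_senders` and the virtual server setup are assumptions.

```tcl
# Assumed address-type data group holding the permitted SMTP client IPs/subnets.
# It can be created and later refreshed (e.g. from the Exchange team's list) with tmsh:
#   tmsh create ltm data-group internal smtp_allowed_senders type ip \
#       records add { 192.0.2.10 { } 198.51.100.0/24 { } }
#   tmsh modify ltm data-group internal smtp_allowed_senders records add { 203.0.113.25 { } }
# (192.0.2.x / 198.51.100.x / 203.0.113.x are constructed documentation addresses.)

when CLIENT_ACCEPTED {
    # IP::client_addr is the real source address; SNAT rewrites it only
    # on the server-side connection, so the check must happen here.
    set client_ip [IP::client_addr]

    if { [class match $client_ip equals smtp_allowed_senders] } {
        # Permitted sender: log the original address against the SNAT'ed
        # session so it can be correlated with the mail server's logs.
        log local0.info "SMTP accepted from $client_ip -> vs [virtual name]"
    } else {
        # Not on the list: drop the TCP connection before any SMTP banner
        # is sent, and record the attempt for the mail team.
        log local0.warn "SMTP rejected from $client_ip: not in smtp_allowed_senders"
        reject
    }
}
```

Attach the iRule to the SMTP virtual server alongside the existing SNAT configuration; entries added to the data group take effect for new connections without reloading the iRule.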
- Martin_Vlasko
Altocumulus
Hi Jie, yes, that could be a possibility, but the Exchange guys don't want me to handle this list. They want to manage the list on their own. Personally I think they don't trust anything outside of their Exchange box. But I will propose this option to them anyway. thx
- JG
Cumulonimbus
I wouldn't trust some of Microsoft's product people myself, but that's me. But since they want to take the responsibility for their service, you can put in an automated process to fetch and update that file of theirs.
- Martin_Vlasko
Altocumulus
Yes, exactly my words :)
- nicouy_153185
Nimbostratus
Could you find a solution to this problem? Thanks.