Forum Discussion

coda6_52611
May 12, 2010

SMTP, Client IP Preservation and multiple Virtual Servers

I understand that to preserve the source IP address of an SMTP client I need to turn off SNAT and have the gateway of the Exchange servers set to the virtual server's IP.

BUT, I have multiple virtual servers pointing to those Exchange boxes. How would I prevent asymmetrical routing from occurring for the other virtual servers?

Any ideas would be appreciated.

Thanks

  • hoolio
    Hi Coda,

    If you point the servers default gateway to the LTM floating self on their VLAN it should work fine without SNAT. The servers will respond to the original client IP address but use the MAC address associated with the LTM floating self IP to send the responses.

    Aaron
  • Hoolio,

    I have three VSs with three different IPs in that VLAN; those VSs also point to some of the physical servers that I'm trying to keep client IPs on. If I change the default gateway on the physical servers, doesn't that create asymmetrical routing issues?

    Thanks,

    Ken
  • hoolio
    Do you mean that the servers themselves are accessing a VIP they're a pool member for? If so, you could still set their default gateway to the LTM floating self IP and then apply a SNAT from an iRule only when the client and server addresses are on the same subnet:

    http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT

    If that's not what you mean, can you clarify?

    Thanks, Aaron
  • Here is what we have: 1 VLAN with our SMTP servers.

    There are five physical servers A, B, C, D and E.

    There are 3 pools, Pool 1 has A and C as members, Pool 2 has B, C and D and Pool 3 has A, C and E.

    I'm going to name the virtual servers with their last IP octet, so we have VS-193, VS-197 and VS-196. Pool 1 is associated with VS-193, Pool 2 with VS-197 and Pool 3 with VS-196.

    I would like the traffic flowing to VS-196 to keep its source IP address; the Exchange admins want to begin whitelisting/blacklisting applications using that VS.

    If I change servers A, C and E's default gateways to the VS-196 address, won't the requests coming in on VS-193 and VS-197 to the A, C and E servers leave on the VS-196 IP and mess with the traffic?

    I don't know if that helped or not....
  • hoolio
    If you change all of the servers' default gateways to LTM's floating self IP (not any virtual server IP address), this will work so long as there aren't any clients on the same subnet as the servers making requests to the VIPs. If there are any clients on the same subnet as the servers, then you'd need to use SNAT. You could enable SNAT just for those clients using an iRule.

    If this isn't in production yet, try it and see if it works. If it is in production maybe you can create a test VIP and remove one of the servers from the production pool(s) to test it.

    Also, the diagram you uploaded doesn't seem to be attached to the post.

    Aaron
  • That makes sense. I was confusing the VS virtual IP with the LTM's floating IP.

    I have this environment stood up in the lab with two physical servers and it's working.

    Thank you.
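As an added example (not code from this thread or from F5's SelectiveSNAT wiki page), this iRule implements the selective SNAT Aaron describes in his two replies above: SNAT is applied only when the client sits on the SMTP servers' own subnet, and every other client keeps its real source IP. The subnet 192.0.2.0/24 is a constructed placeholder for the server VLAN.

```tcl
# Added example iRule, not the thread's or F5's own code.
# Assumption: all SMTP pool members (servers A to E) sit in 192.0.2.0/24,
# a constructed placeholder; substitute the real server VLAN subnet.
# Attach to VS-196 (and to VS-193/VS-197 if they also run without SNAT),
# set the virtual server's SNAT setting to None, and point the servers'
# default gateway at the LTM floating self IP on that VLAN, not at any
# virtual server address.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
        # Client and server share a subnet: without SNAT the server would
        # answer the client directly on the VLAN, bypassing LTM, and the
        # TCP session would break (asymmetric routing). SNAT to a self IP
        # keeps the return path through LTM; only these clients lose
        # their original source address.
        snat automap
        log local0. "Selective SNAT applied for same-subnet client [IP::client_addr]"
    } else {
        # Everyone else: preserve the original client IP so the Exchange
        # admins can allow or deny by real source address.
        snat none
    }
}
```

Check the result from both sides: a client off the server VLAN should appear in the Exchange receive connector logs with its own address, while a same-subnet client appears with the LTM self IP and the log local0 line fires.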