Forum Discussion
SNAT and Forwarding (IP) virtual servers
Hi
In following topology:
(Network) ==> Firewall ==> LTM ==> Servers
I've set up a 'forwarding (IP)' virtual server on the LTM to handle both Servers=>Network traffic and Network=>Servers traffic at once. I recently had to set up SNAT to enable servers to connect to a 'regular Virtual server' on that LTM using a pool of servers in the same VLAN. Since SNAT has been set up, I can see that SNAT is applied on all sessions from the servers to the Network. This obviously causes an issue with the firewall, but also with some protocols like FTP.
Any idea why SNAT is applied and how to disable it in this case? (no pool in 'Forwarding (IP)'... no way to disable SNAT!!)
I got rid of this problem by changing the virtual server from 'forwarding (IP)' to 'Performance (Layer 4)', now using a pool that contains the firewall cluster address and without SNAT (I also had to create another 'forwarding (IP)' virtual server to handle Network=>Servers traffic).
Thank you in advance for your comments!!
Gilles
5 Replies
- nitass
Employee
I recently had to set up SNAT to enable servers to connect to a 'regular Virtual server' on that LTM using a pool of servers in the same VLAN.
how did you set up snat? was it snat under the regular virtual server configuration or a snat list?
if it was a snat list, can you try to use snat under the regular virtual server configuration instead?
- moulingi_138795
Nimbostratus
SNAT is configured by SNAT lists (1 entry per real server, so we can still find in the servers' logs which was the original client, knowing the translation matrix).
If I set up SNAT at the 'Virtual server' level, SNAT will then apply to all connections hitting that VIP... So I will lose the real client IP addresses in the server logs... right?
- nitass
Employee
If I set up SNAT at the 'Virtual server' level, SNAT will then apply to all connections hitting that VIP... So I will lose the real client IP addresses in the server logs... right?
yes, but you can use the x-forwarded-for http header.
sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
otherwise, you have to do selective snat using an irule, or configure it like what you did.
Selective SNAT
https://devcentral.f5.com/wiki/irules.selectivesnat.ashx
- moulingi_138795
Nimbostratus
I don't really like the first option, especially because we don't have only HTTP on that LTM ;)
I will investigate the second option, which seems easy to understand/set up.
Thank you
- moulingi_138795
Nimbostratus
The iRule seems to be the best option... and works as expected. I'm still trying to find a way of keeping the information on the original source addresses. The following iRule would do the job, but it's not working (on an LTM v10.2.4):

    when LB_SELECTED {
        # Only translate when the client sits in the same /24 as the selected pool member
        if { [IP::addr [IP::client_addr]/24 equals [LB::server addr]] } {
            # Brackets are required here: without them $osaddr holds the literal
            # string "IP::client_addr" and the scan below never matches
            set osaddr [IP::client_addr]
            # Keep the client's last octet so the real host can be recovered from the server logs
            scan $osaddr %d.%d.%d.%d ip1 ip2 ip3 ip4
            set tsaddr 192.168.10.$ip4
            snat $tsaddr
        }
    }

Any idea how to achieve that?
NB : I also tried to split the original source address with:
    # $ip must hold the address string, e.g. the value of $osaddr above
    set ip4 [lindex [split $ip "."] 3]

Not working either 😞
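As an added example (not from the thread or from F5), a small Python model of the scheme moulingi's iRule implements: SNAT only clients that share the selected pool member's /24 to 192.168.10.<last octet>, and the inverse used to read the real client back out of a server log. All addresses and log lines are constructed; it assumes IPv4 and that 192.168.10.0/24 is not itself a real client network.

```python
import ipaddress
from typing import Optional

# Constructed example of the thread's scheme: when a client is in the selected
# pool member's /24, SNAT it to 192.168.10.<client last octet>.
# Assumptions: IPv4 only, and 192.168.10.0/24 is not itself a real client
# subnet (otherwise a logged 192.168.10.x address is ambiguous).
SNAT_PREFIX = "192.168.10."
MASK_LEN = 24


def select_snat(client_ip: str, server_ip: str) -> Optional[str]:
    """Return the SNAT address the iRule would apply, or None when the
    connection keeps its real source (client outside the server's /24)."""
    client = ipaddress.IPv4Address(client_ip)
    server_net = ipaddress.ip_network(f"{server_ip}/{MASK_LEN}", strict=False)
    if client not in server_net:
        return None
    return f"{SNAT_PREFIX}{int(client) & 0xFF}"


def original_client(logged_ip: str, server_ip: str) -> str:
    """Inverse lookup for server logs: 192.168.10.N is host N of the server's
    own /24; anything else was forwarded untranslated and is the real client."""
    if not logged_ip.startswith(SNAT_PREFIX):
        return logged_ip
    last_octet = int(logged_ip[len(SNAT_PREFIX):])
    server_net = ipaddress.ip_network(f"{server_ip}/{MASK_LEN}", strict=False)
    return str(server_net.network_address + last_octet)


# Constructed server-side access log; the first field is the source the server saw.
SAMPLE_LOG = """\
192.168.10.37 - - [01/Jan/2024:10:00:00 +0100] "GET /index.html HTTP/1.1" 200 512
10.20.30.40 - - [01/Jan/2024:10:00:01 +0100] "GET /login HTTP/1.1" 302 0
"""


def restore_log_sources(log: str, server_ip: str) -> list:
    """Rewrite each log line's source field back to the real client address."""
    restored = []
    for line in log.splitlines():
        seen_src, rest = line.split(" ", 1)
        restored.append(f"{original_client(seen_src, server_ip)} {rest}")
    return restored


if __name__ == "__main__":
    for line in restore_log_sources(SAMPLE_LOG, "172.16.5.10"):
        print(line)
```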