Forum Discussion
SNAT: pass the source IP to the server
I have a Virtual Server for the SMTP protocol.
The problem is that in the mail servers' logs I see that all the connections come from the VS, and I cannot see the IP of the client.
So is there any way to pass the source IP of the client to the mail server (through the BIG-IP)?
I have configured the VS with SNAT in AUTO mode.
I don't know how to solve this problem. Can anybody help me?
Thanks in advance
Best regards
12 Replies
- Richard_Kim_270
Nimbostratus
I don't think SNAT will pass the source IP unless you use X-Forwarded-For. Let's hear what the experts have to say.
- Deb_Allen_18
Historic F5 Account
SNAT replaces the client source IP.
X-Forwarded-For is an HTTP header than can be inserted in an HTTP request, but doesn't apply to SMTP traffic.
The best solution is to set the LTM floating self-IP on the mailserver-facing VLAN as the default gateway for the mailservers and disable the SNAT for the SMTP virtual server.
HTH
/deb
- AaronJB
Ret. Employee
Do you have a case number where that information was given, Nacho? If appropriate that's something I'd like to chase up internally.
For SMTP I don't think it's going to be possible to pass the original client IP across in an iRule as there really isn't anywhere to put it.
For HTTP is possible because (as others have said) you can insert the IP into a header which you then configure the webserver to log, however SMTP doesn't have the concept of headers in the same way.
There is a possibility that I can see here:
If it's possible to configure your mailserver to log part of the actual message headers, rather than just the TCP connection details, it might be possible to insert an additional SMTP mail header (like an 'X-OriginalClient:' header).
However that ability would depend on what your MTA is and the iRule could well be quite complex (I can also see the potential to trip over the 4Mb data-collection limit in iRules).
--
Aaron
- Nacho_de_Aguina
Nimbostratus
Here you have the case C323708
- AaronJB
Ret. Employee
Thank you Nacho, I will have a word with the NSE in question regarding his advice;
I think he may have mentioned iRules with regard to saving the connection details out into a logfile on the LTM unit, rather than so that you can insert the original client IP address into the SMTP session (I will clarify that with him, however)
If you want to log these connections on the LTM rather than have the original client IP logged on the mailserver, then that is relatively straightforward to achieve on the LTM with an iRule along the lines of the following:

    rule log_smtp_connections {
       when SERVER_CONNECTED {
          # Backslash-newline inside the quoted string is folded to a single space by Tcl
          log local0. "SMTP connection from [IP::client_addr]:[TCP::client_port]. \
             Mapped to [serverside {IP::local_addr}]:[serverside {TCP::local_port}] \
             -> [IP::server_addr]:[serverside {TCP::remote_port}]"
       }
    }

Which will produce log entries like the following in /var/log/ltm (examine the syslog configuration if you want to send it elsewhere, and specify the relevant facility and level in the log command):

    Jan 22 15:09:31 tmm tmm[1580]: Rule logger_rule : SMTP connection from 192.168.151.52:2540. Mapped to 10.0.220.1:2540 -> 10.0.0.10:25

As you can see, the various sections of that command are:
[IP::client_addr] -- the original source IP
[TCP::client_port] -- the original source ephemeral
[serverside {IP::local_addr}] -- the SNAT source IP
[serverside {TCP::local_port}] -- the ephemeral source on the BIG-IP
[IP::server_addr] -- the node IP
[serverside {TCP::remote_port}] -- the node destination port (25)
I hope that helps.
--
Aaron
- Nacho_de_Aguina
Nimbostratus
Ok thanks a lot
- Brian_DeKemper_
Nimbostratus
Aaron-
I am in the same boat as Nacho, only I am in fact doing HTTP (not SMTP). I researched this long ago and I remember hearing that, to do this, I'll need an iRule set up and I'll need an ISAPI filter installed on my webserver (that is going to be logging the source IP address).
Currently, because I have SNAT enabled, all my webservers are seeing the 'SOURCE ADDRESS' value as the value of my F5, and I need to pass on the true source address of our end users. Would you be able to assist with the iRule and the ISAPI filter?
Thanks,
Brian
- JRahm
Admin
You don't need an iRule to insert the source IP with HTTP. In the HTTP profile, enable the field Insert XForwarded For. For the ISAPI filter, there are instructions here:
https://tech.f5.com/home/solutions/sol4816.html
- Brian_DeKemper_
Nimbostratus
Thanks for the info. I went the link you provided and for IIS, it gave me the following steps, but I'm still not getting the source IP passed to the webserver. Any ideas?
1: Enable X-Forwarded-For
(I was able to 'enable' the Insert Xforward For in the HTTP profile that I use)
To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For header, perform the following procedure:
Log in to the BIG-IP Configuration utility.
Click Local Traffic.
Click Profiles.
Click HTTP from the Services drop-down menu.
Click the Create button.
Type a name for the HTTP profile.
Check the checkbox next to Insert XForwarded For.
A drop-down menu appears.
Select Enabled from the drop-down menu.
Click Finished.
2: Download the ISAPI Filter and install on IIS webserver
(I was able to download this and I am using the ISAPI filter in the top-level 'RELEASE' folder when I add it to my IIS website. Let me know if I need to use a different ISAPI filter for my Windows 2003, 32-Bit webserver.)
You can configure the IIS web server to extract the IP address from the X-Forwarded-For header and log the IP address to the web server log file. To do so, you will need to download and install the IIS X-Forwarded-For ISAPI Log Filter from https://cdn.f5.com/websites/devcentral.f5.com/downloads/F5XForwardedFor.zip.
The IIS ISAPI filter will look for the X-Forwarded-For header in the HTTP request. If the IIS ISAPI filter finds an X-Forwarded-For header in the HTTP request, it will replace the client IP address in the W3SVC log traces with the value of the X-Forwarded-For header.
To download and install the IIS X-Forwarded-For ISAPI Log Filter, perform the following procedure:
Log on to http://devcentral.f5.com.
Select iControl Code Share from the Downloads menu.
Download the IIS Proxy X-Forwarded-For Log Filter.
To install the ISAPI filter, add it to your IIS Web Site using the IIS administrative utility.
3: Configure iRule
(the IP wasn't showing up in my IIS logs after the first two steps above, so I also setup this iRule for my virtual servers)
iRule
To configure the BIG-IP system to insert the original client IP address in a header using an iRule, perform the following procedure:
Log in to the BIG-IP Configuration utility.
Click Local Traffic.
Click iRules.
Click the Create button.
Type a name in the Name field.
Copy and paste the following iRule in the Definition field:
    when HTTP_REQUEST {
       # Add the original client address as a custom header the web server can log
       HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
    }
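An added example (not from this thread, F5, or the IIS filter) that ties together Aaron's LTM log format for SMTP and the X-Forwarded-For logging discussed for HTTP: it parses the SMTP connection log line so that a mail-server log entry showing only the SNAT address and port can be mapped back to the original client, and it resolves the client address from an X-Forwarded-For chain while trusting only the hop added by the BIG-IP. It assumes the header arrives as one comma-separated chain with the BIG-IP's address (10.0.220.1 here, taken from Aaron's sample line) as the only trusted proxy.

```python
import re
import ipaddress

# Sample /var/log/ltm line as shown in Aaron's post (addresses from the thread).
LTM_LOG_LINE = ("Jan 22 15:09:31 tmm tmm[1580]: Rule logger_rule : SMTP connection "
                "from 192.168.151.52:2540. Mapped to 10.0.220.1:2540 -> 10.0.0.10:25")

LTM_RE = re.compile(
    r"SMTP connection from (?P<client_ip>[\d.]+):(?P<client_port>\d+)\. "
    r"Mapped to (?P<snat_ip>[\d.]+):(?P<snat_port>\d+) "
    r"-> (?P<node_ip>[\d.]+):(?P<node_port>\d+)")


def parse_ltm_line(line):
    """Return the client -> SNAT -> node mapping from one iRule log line, or None."""
    m = LTM_RE.search(line)
    return m.groupdict() if m else None


def build_snat_index(lines):
    """Key each mapping by the (SNAT IP, SNAT port) pair the mail server logs as its peer."""
    index = {}
    for line in lines:
        rec = parse_ltm_line(line)
        if rec:
            index[(rec["snat_ip"], int(rec["snat_port"]))] = rec
    return index


def original_client(index, snat_ip, snat_port):
    """Map the peer seen by the mail server back to the real client IP:port."""
    rec = index.get((snat_ip, snat_port))
    return f"{rec['client_ip']}:{rec['client_port']}" if rec else None


def client_ip_from_xff(xff_header, remote_addr, trusted_proxies):
    """Walk X-Forwarded-For from the right, skipping trusted proxy hops.

    The BIG-IP appends the address it saw, so the rightmost hop is reliable;
    anything to its left may have been supplied by the client itself.
    Returns None if a hop that should be trusted cannot be parsed.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = ipaddress.ip_address(remote_addr)  # the TCP peer (the BIG-IP SNAT address)
    for hop in reversed(hops):
        if candidate not in trusted:
            break  # first address not added by a trusted proxy: the real client
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return None
    return str(candidate)
```

Without an X-Forwarded-For header the function returns the SNAT address itself, which is exactly what the web server log shows today.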
- draco_184361
Nimbostratus
Hey
So for load balancing an SMTP server, can we choose an HTTP profile with TCP 25 and enable X-Forwarded-For in the HTTP profile? Doesn't it require an SMTP profile to understand the SMTP traffic?
- jforaker
Nimbostratus
Does anyone know the configuration needed on an iplanet/sun one webserver to log the X-Forwarded-For variable?
Thanks,
Jeff