Forum Discussion
Chris_Phillips
Nimbostratus
Sep 13, 2006
Unique SNAT address with minimal overhead
Hi,
One of our pairs of F5s sits in front of a firewall, which in turn is in front of the servers. We have a lot of clients hitting virtual servers and need to retain visibility of the client IPs onwards past the BIG-IPs for debugging and logging etc. At the same time we still need to SNAT the IP address on the BIG-IPs, as otherwise the firewall can't distinguish between forwarded LTM traffic and direct hits.
As such I am thinking that the best way is to write an iRule that can basically convert any IP into a manually translatable address that is still unique. As this is likely to be used on 95% of the traffic running through the box, I am keen to ensure the overhead is as low as possible.
My thoughts initially would be to do a bit flip on the first bit of the address, i.e. do a logical AND with 127.0.0.0, so 10.x.y.z would emerge as 137.x.y.z and 192.168.y.x would emerge as 64.168.y.z (if my maths is right there...). This potentially seems simpler than adding 1 to the first octet as it's doing it at a lower level, but here's where I'd like to open it to the floor for either a basic principle or an example iRule to do this sort of thing with the absolute minimum of impact where possible.
Hope this makes sense.
cheers
Chris
- Colin_Walker_12
Historic F5 Account
Well, my first question would be, is there a reason that you can't just include the original IP address in a header and have the back-end application look for it there? This is done all the time with HTTP requests using the X-Forwarded-For header.
- Chris_Phillips
Nimbostratus
Hi,
but would still possibly like to remove the intermediate variables and such.

when CLIENT_ACCEPTED {
    # split the client address into its first octet and the remaining three
    scan [IP::client_addr] "%d.%s" a bcd
    # flip the top bit of the first octet and SNAT to the resulting address
    snat [expr {$a ^ 128}].$bcd
}
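The property the firewall actually depends on here is that every translated address identifies exactly one client, so the SNAT address in its logs can be mapped back. The following is an added example, not code from this thread or from F5: it models the two first-octet transforms discussed above in plain Python, the XOR with 128 that the posted iRule performs with `expr $a ^ 128` and the AND with 127.0.0.0 from the original question, and checks which of them is unique and reversible. The sample client addresses and all function names are constructed for the example.

```python
"""Added example, not code from the DevCentral thread or from F5.

Models the first-octet transforms discussed above so the uniqueness
property can be checked offline: XOR with 128 (what the posted iRule
does with ``expr $a ^ 128``) and AND with 127.0.0.0 (the idea in the
original question). The client addresses below are constructed.
"""
import ipaddress


def _split_first_octet(addr: str):
    """Mirror the iRule's scan "%d.%s": first octet as int, rest as text.
    Rejects anything that is not a well-formed IPv4 address."""
    ipaddress.IPv4Address(addr)          # raises ValueError on bad input
    first, rest = addr.split(".", 1)
    return int(first), rest


def xor_first_octet(addr: str) -> str:
    """Flip the top bit of the first octet (the posted iRule's mapping)."""
    first, rest = _split_first_octet(addr)
    return f"{first ^ 128}.{rest}"


def and_first_octet(addr: str) -> str:
    """Clear the top bit of the first octet (logical AND with 127.0.0.0)."""
    first, rest = _split_first_octet(addr)
    return f"{first & 127}.{rest}"


def is_bijective(transform) -> bool:
    """True when all 256 first-octet values map to 256 distinct outputs,
    i.e. a SNAT address identifies exactly one client address."""
    outputs = {transform(f"{octet}.0.0.1") for octet in range(256)}
    return len(outputs) == 256


def collisions(transform, clients):
    """Map each translated address to the client addresses producing it,
    keeping only the translated addresses hit by more than one client."""
    seen = {}
    for client in clients:
        seen.setdefault(transform(client), []).append(client)
    return {snat: srcs for snat, srcs in seen.items() if len(srcs) > 1}


# Constructed sample: three RFC 1918 clients plus one address whose first
# octet already has its top bit clear.
SAMPLE_CLIENTS = ["10.1.2.3", "172.16.5.6", "192.168.7.8", "64.168.7.8"]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        snat = xor_first_octet(client)
        # XOR is its own inverse, so a firewall log entry maps straight back
        print(f"{client:>14} -> {snat:<14} back -> {xor_first_octet(snat)}")
    print("XOR unique:", is_bijective(xor_first_octet))
    print("AND unique:", is_bijective(and_first_octet))
    print("AND collisions:", collisions(and_first_octet, SAMPLE_CLIENTS))
```

XOR with 128 is a bijection on the first octet and is its own inverse, so applying the same transform to a logged SNAT address recovers the client; AND with 127 only clears the bit, so 192.168.7.8 and 64.168.7.8 both become 64.168.7.8 and the firewall can no longer tell them apart. Note where the translated clients land: 10/8, 172.16/12 and 192.168/16 become 138/8, 44/8 and 64/8, which are public address ranges, so the firewall has to route those ranges back to the BIG-IP and anyone reading its logs has to know the addresses are translated rather than real hosts.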