Forum Discussion
kbk491
Altostratus
AltostratusUsing an irule/other method to preserve source ip
Can anyone help me with an irule to preserve source ip address based on nodes being selected in a pool?
Thank you.
HamishCirrocumulus
Maybe I am not understanding the question.
But is there a reason you can't disable SNAT? Or do you mean selectively disable it?
H
kbk491so we can accomplish this by disabling snat? i didnt try that yet. Is that a valid method for this scenario? thanks
- kbk491
i have not talked to the server guys yet so it may or may not need selectively disabling so just preparing in advance in case it needs it, in that case i will need to create an irule right? Which is what i need help with.
- kbk491
so we have a working pool which is not in production and tried testing it with that by changing address translation from auto map (can rach the side from client with auto map on) to none and on the packet capture it seems to work as it should as the source is no longer getting translated but im no longer able to get to the website, im assuming i need to change something else to get it to work? By the way im using an ssl profile for both client and server side.
- Mayur_Sutare
MVP
Hi kbk491 ,
Just changing SNAT settings to none is not going to work here. In order to work this, you should have backend server default gateway pointed to the F5. Then only it will work or else it will create asymmetric routing issue and url won't work. It seems you are having the same issue.
To achieve your requirement,
1. You can enable XFF settings to preserve the true client IP when SNAT is enabled. Below article will help you on it.
https://support.f5.com/csp/article/K4816
2. If you want to try with disabling SNAT settings, then make sure backend app server default gateway is pointed to F5. But it will cause your internet traffic also sending to F5 first. So you need to take that into consideration.
Hope it helps!
- kbk491
So for option 1 in the article there is this part:
Configuring the web server to extract the IP address from the HTTP header
We have an oracle website hosted on cisco ucs blade chassis, so which of the above would be applicable?
- Mayur_Sutare
Hi kbk491
If you have a way to verify HTTP headers coming to your backend server from F5, then you should be able to see that true client ip in the HTTP Header when XFF is enabled on the F5 vServer.
