
Jan_Rockstedt_4
Jan 14, 2014

VIP for SMTP to see the real client ip.

Hi all,

We have set up a VIP for port 25 and use the iRule below together with a data group to restrict access. But we do not see the real client IP addresses, I guess because of SNAT. Any suggestion to fix this?

/Jan

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals "SMTP_data_group"] } {
            pool smtp_inbound
        } else {
            # each Tcl command on its own line; run together on one line
            # they would be passed as arguments to TCP::respond
            TCP::respond "550 message rejected - If you think this is an error report it to Global NOC"
            TCP::release
            TCP::close
            drop
            return
        }
    }

6 Replies

  • when CLIENT_ACCEPTED {
        if { [class match IP::addr [IP::client_addr] equals "SMTP_data_group"] } {
            pool smtp_inbound
        } else {
            # one Tcl command per line, otherwise the later commands become
            # arguments to TCP::respond instead of being executed
            TCP::respond "550 message rejected - If you think this is an error report it to Global NOC"
            TCP::release
            TCP::close
            drop
            return
        }
    }
    
  • Hi Pete,

     

    I am sorry for not explaining the whole story. I want to see the client addresses on the destination servers internally, via the F5.

     

    //Jan

     

    • PeteWhite
      I see - if you want to SNAT then as you say you will lose the client IP address at the destination servers. You can use an iRule to decide whether to SNAT or not but the only way out of using SNAT is to make the f5 your default gateway or use some other routing.
  • The internal routing will be fixed by our internal routers and sent to the F5, as the internal servers do not have the F5 as the default gateway.

     

    But the SNAT is stripping off the client IP to the servers, as it should do. It would be nice to have an SMTP x-forward. :-) I was reading about this problem for other users and some suggestions were to use NAT instead of SNAT. Any suggestion for a new iRule or NAT? We need to see the client IP addresses on the servers for security reasons.

     

    //Jan

     

  • Hi Jan, after you fixed routes to F5, go to:

    Local Traffic/Virtual Servers/Virtual_server_name/Properties/
    

    set Source Address Translation to "none". You will see the real client IP in the logs of the SMTP servers.

    P.S. remember that in this case F5 must be default GW for smtp servers.

    • pete_71470
      You could also use nPath if the F5 doesn't need to be traversed for mail server responses (e.g., not modifying responses on the F5, etc). This is what we do here and it works like a charm.
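Added example (not code from the thread or from F5): an iRule that combines the per-connection SNAT decision PeteWhite mentions with the "Source Address Translation: none" answer above, so listed relays reach the pool with their own source address while everything else gets the 550 and an audit log line. It assumes an address-type data group named SMTP_data_group and a pool named smtp_inbound, and that the mail servers' return traffic is routed back through the BIG-IP.

```tcl
# Hypothetical iRule (added example). Assumes:
#   - address data group "SMTP_data_group" listing permitted relays
#   - pool "smtp_inbound" holding the internal mail servers
#   - replies from the mail servers are routed back via the BIG-IP,
#     otherwise "snat none" breaks the connection
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals SMTP_data_group] } {
        # Disable source translation for this flow only: the mail server
        # logs the real client address instead of a BIG-IP SNAT address.
        snat none
        pool smtp_inbound
    } else {
        # Record who was refused, answer in SMTP, then drop the connection.
        log local0. "SMTP relay refused from [IP::client_addr]"
        TCP::respond "550 message rejected - If you think this is an error report it to Global NOC\r\n"
        TCP::close
        drop
        return
    }
}
```

Permitted senders not needing SNAT while the default VIP setting stays at automap is what keeps the behaviour safe for any other virtual server sharing the servers.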