
Forum Discussion

reprobation_149
Apr 11, 2014

Weird SNAT Request?

Background information: Our current setup is that the F5 exists as a single arm off an L3 switch, with a /30 (192.168.1.1 & 192.168.1.2) between the switch and the F5 Self-IP. We have a static route for the VIP from the switch to the F5 (Route 172.32.6.1/32 --> 192.168.1.1), and a default route on the F5 towards the switch (Route 0.0.0.0/0 --> 192.168.1.2). Drawing attached!

Problem: We have an old application that requires the source address in order to work, but we need to load balance this application. We also need replies coming from the application to get "masked" as the VIP. Maybe this is easier to explain this way:

IP addresses: incoming client = 10.10.10.8, real server = 172.32.6.5, VIP = 172.32.6.1, Self-IP = 192.168.1.1

So basically we want the client to hit the VIP (172.32.6.1), requests to get forwarded to the real server (172.32.6.5), and the real server to see the source as the actual incoming client IP (10.10.10.8). But we also want the replies leaving the real server to go back through the F5 via the Self-IP (192.168.1.1) and be forwarded to a set of various addresses with the source set as the VIP (172.32.6.1).

Traffic flow:
Client (S: 10.10.10.8 | D: 172.32.6.1 F5 VIP)
--> F5 LB (S: 10.10.10.8 | D: 172.32.6.5 Real)
--> Server (S: 10.10.10.8 | D: 192.168.1.1 F5 Self-IP)
--> F5 LB (S: 172.32.6.1 | D: [unknown partners])
--> Partners [S: 172.32.6.1]

Does this make any sense? Is there an easier way to do it? Thanks guys!

1 Reply

  • So you won't want to perform any SNAT on the BIG-IP virtual server in order for the server to see the original client IP address. If the server's default gateway is not set to go back through the BIG-IP, then you may need to enable policy-based routing on your L3 switch. If this is a Cisco switch, it can be done by creating a route-map and setting a next hop of the BIG-IP for any traffic sourced from the server IP address bound for the client.
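As an added, constructed example of the policy-based routing the reply describes (this is not configuration from the reply, from F5, or from Cisco documentation): a Cisco IOS route-map that sends the real server's replies to the client back to the BIG-IP self-IP instead of letting the switch route them directly, which is what would otherwise happen here because the server's default gateway is the switch, not the BIG-IP. The addresses 172.32.6.5 and 192.168.1.1 are from the post; the ACL name, route-map name, the client subnet 10.10.10.0/24 (the post only names the single client 10.10.10.8) and the server-facing SVI Vlan100 are assumptions.

```cisco
! Match only the asymmetric return traffic: replies from the real server
! (172.32.6.5) to the client subnet (10.10.10.0/24 is assumed here).
! Anything else the server sends (for example to the partners) does not
! match and keeps following the switch's normal routing table.
ip access-list extended APP-RETURN-TO-CLIENT
 permit ip host 172.32.6.5 10.10.10.0 0.0.0.255
!
! Policy-route the matched packets to the BIG-IP self-IP (192.168.1.1),
! so the reply re-enters the BIG-IP and is handled by the same connection
! the inbound request created on the virtual server.
route-map TO-BIGIP permit 10
 match ip address APP-RETURN-TO-CLIENT
 set ip next-hop 192.168.1.1
!
! PBR is applied on the interface where the server's packets ENTER the
! switch; Vlan100 is an assumed name for the server VLAN's SVI.
interface Vlan100
 ip policy route-map TO-BIGIP
!
! Check (exec mode): the route-map's match counters should increase
! while the server is replying to clients through the virtual server.
! show route-map TO-BIGIP
```

Two things to verify alongside this: the virtual server must keep source address translation disabled (in tmsh, `source-address-translation { type none }` on the virtual), otherwise the server sees the BIG-IP's address rather than 10.10.10.8 and the PBR never matches; and `set ip next-hop` silently falls back to normal routing if 192.168.1.1 is unreachable, so a BIG-IP outage turns into replies that bypass it rather than an obvious failure. The ACL is deliberately narrow (server to client only); the server's outbound connections to the partners, which the original post wants sourced from the VIP, are a separate SNAT question that this route-map does not address.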