
Preserve Original Source IP that's not just Web Traffic

rmoss25
Altostratus

Hi,

Is there a way to preserve the original source IP of traffic passing through an LTM Virtual server? We have enabled the Insert X-Forwarded-For option in the HTTP profile, and while this works for web traffic, we have other traffic hitting the virtual servers that is outside of web traffic and need a way to preserve the source IP for incident handling purposes.

thanks

eey0re
Cirrostratus

Obviously other protocols don't have "X-Forwarded-For", so the only way to preserve the source IP is to actually preserve the source IP: turn off SNAT in the Virtual Server so that the source address is not translated.

This is a "routed" configuration, rather than a "SNAT" configuration, and means the backend server will see the connection as from the real client IP.

  • All the return traffic still needs to pass back through the BIG-IP, so the backend server must now use the BIG-IP's floating Self IP as its gateway. (For Internet traffic, this generally means the BIG-IP becomes the server's default route.)

  • The backend server therefore needs to be on the same subnet as a BIG-IP Self IP to be able to use it as a gateway.

  • The server still needs to be able to reach everything else that didn't come via the Virtual Server. Usually this means:
    • some more specific routes on the server to keep using its regular router, and/or
    • a wildcard Virtual Server on the BIG-IP of type "Forwarding (IP)" combined with appropriate routes on the BIG-IP so it knows where to forward to.

As you can see, this is quite a different design. For more information see About Virtual Servers in the BIG-IP Local Traffic Management: Basics manual.

For SMTP there is a possible solution, as it is similar to HTTP in that it also has headers:

https://devcentral.f5.com/s/question/0D51T00006i7N6U/adding-xheader-to-smtp

For DNS there is the EDNS Client Subnet:

https://devcentral.f5.com/s/articles/using-client-subnet-in-dns-requests-31948
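The routed, SNAT-off design described in the answer above, written out as tmsh commands. This is an added example, not configuration from the thread or from F5; the addresses, the VLAN name `internal`, the pool members and all object names are constructed placeholders.

```tmsh
# Added example (not from the original thread): the routed, SNAT-off design
# as tmsh commands. All addresses, VLAN and object names are constructed
# placeholders, not values from the thread.

# 1. Application virtual server with SNAT disabled, so pool members see the
#    real client source IP instead of a BIG-IP self IP. Listening on all TCP
#    ports covers the non-HTTP traffic the question is about.
create ltm pool pool_app members add { 10.0.10.21:any 10.0.10.22:any } monitor gateway_icmp
create ltm virtual vs_app destination 203.0.113.10:any ip-protocol tcp \
    pool pool_app profiles add { fastL4 } \
    source-address-translation { type none }

# 2. Floating self IP on the server-side VLAN; the servers use it as their
#    default gateway so return traffic comes back through the BIG-IP
#    (server side: 'ip route add default via 10.0.10.1' or equivalent,
#    plus more-specific routes for anything that should keep using the
#    old router).
create net self 10.0.10.1/24 vlan internal traffic-group traffic-group-1 allow-service default

# 3. Wildcard Forwarding (IP) virtual server for traffic the servers originate
#    themselves (updates, logging, directory lookups). Restricting it to the
#    internal VLAN keeps the BIG-IP from acting as an open router on the
#    external side.
create ltm virtual vs_forward_ip destination 0.0.0.0:any mask any \
    ip-protocol any ip-forward \
    profiles add { fastL4 } \
    translate-address disabled translate-port disabled \
    vlans-enabled vlans add { internal }

# 4. Route on the BIG-IP so it knows where to forward that traffic.
create net route default_gw network default gw 203.0.113.1

save sys config
```

With `source-address-translation { type none }` the pool members log the true client address, so existing server-side logging and incident handling work unchanged for every protocol, not only HTTP.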