Preserving Client IP address for SMTP traffic

Ray_Sbrusch_941
Nimbostratus
I know this topic has been discussed in the forums multiple times, but I never found implementation details which don't require iRules or putting the BigIP in bridging mode.

I would like to be able to load balance SMTP servers with LTM, and have the SMTP servers see the original IP address of the sender.

We have already changed the default gateway of the SMTP servers to the floating IP of the F5 units. I have SNAT Pool set to None, and Address Translation and Port Translation enabled.

When I connect with telnet to port 25 on the virtual server, the connection is quickly closed before I can even finish HELO.

Can someone share implementation details?

hooleylist
Cirrostratus
It sounds like you have the configuration set up correctly to not do source address translation on LTM. Does it work if a real client tries to connect to the SMTP servers via the VIP?

I'd guess the SMTP server is closing the connection before you have a chance to send any data. You can get around this issue by using netcat from the LTM command line:

echo "my smtp commands" | nc VIP_IP VIP_PORT

Also, clients on the same subnet as the SMTP servers would not work as the SMTP servers would respond back directly to the clients--not to LTM.

Aaron

Ray_Sbrusch_941
Nimbostratus
Thanks for the tip Aaron. Netcat and wireshark helped identify the real problem.

My test server was actually connected to an old Cisco load balancer. Even though we changed the default route on the server, the Cisco sent the responses back to the firewall instead of the F5.

I also created a forwarding IP virtual server so we could access the real server.

hooleylist
Cirrostratus
Hi Ray,

Thanks for clarifying. Glad to see you got it working.

Aaron

Jeff_Lin_103364
Nimbostratus
Is there any SOP to make my client IP revealed in my Windows terminal servers (TCP 3389, RDP)? I am trying to load balance them with F5 LTM.

hooleylist
Cirrostratus
Hi Jeff,

Where do you want to see the original client IP address that you're not? Is it on LTM that you want to use the client IP for persisting? Or is it on the RDP servers that you want to see the client IP address? If so, are you using SNAT or some other method to translate the source IP address on connections from LTM to the pool?

Aaron

Jeff_Lin_103364
Nimbostratus
Hi Aaron:

I am trying to make it revealed on RDP servers. I am using SNAT right now. I want to know if there are any other implementations to make me achieve RDP server balancing and client IPs seeable on RDP real servers!

hooleylist
Cirrostratus
Hi Jeff,

I don't think there is any mechanism within RDP to pass the original client IP address to the server. If the clients and servers are not on the same network and you can change the servers' default gateway to LTM's self IP on their network, you could remove the SNAT from the VIP and have LTM use the client's IP address to establish the serverside connection.

Aaron

BPetronio_11363
Nimbostratus
Hello Aaron,

I'm facing some similar problems with this "simple" type of configuration.

I have a VServer with public IP, Performance (HTTP) type, with a pool with 1 server (private IP). No SNAT configured, so I guess I should see the client IP address when someone "hits" the VServer.

The server has a way to see the client IP address and is always showing the F5 self IP of the internal VLAN.

Physically, I have the following scenario:

[Router] --- [F5] ---- [FW] ---- [Server]

[Router] - [F5] -- Public IP

[F5] - [FW] - Private IP (routed zone) 192.168.250.0/24

[FW] - [Server] - Private IP (DMZ) 10.100.149.0/24

If I have no SNAT configured in the VServer, why is the packet arriving on the server with the source IP of the self IP address of the F5 internal VLAN?

What I was hoping was to see the real client IPs on my webservers for various purposes (statistics, control, security, etc.).

Best Regards,

Bruno Petrónio

hooleylist
Cirrostratus
Hi Bruno,

One of the ways the Perf HTTP profile improves performance is by performing source address translation and using OneConnect. If you need to preserve the original client IP address you could change to a standard HTTP profile and add a custom OneConnect profile with a 255.255.255.255 source mask. For details on the performance HTTP profile, try searching on AskF5.com. If you can't find relevant solutions, let me know.

Thanks, Aaron
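Two checks that go with Aaron's advice above (the netcat test against the VIP, and the question of whether the server is really seeing client addresses or the LTM self IP). This is an added example, not code from the thread or from F5: it assumes a Postfix-style "connect from" log line on the SMTP server, and the self IP / SNAT addresses in TRANSLATED_ADDRS are constructed for the example.

```python
"""Added example: is the SMTP server behind the LTM seeing real client IPs?

Two parts:
  1. classify_connect_lines() splits the peer addresses an SMTP server has
     logged into real clients vs. LTM self IPs / SNAT addresses. If only the
     second kind ever shows up, translation is still happening somewhere
     (SNAT pool, AutoMap, or a profile like Performance HTTP that translates).
  2. smtp_dialog()/smtp_probe() do banner -> EHLO -> QUIT against a VIP. Unlike
     piping commands into nc, this waits for the 220 banner before sending,
     so a server that drops early talkers is not mistaken for a routing problem.
"""
import ipaddress
import re
import socket

# Constructed for the example: LTM self IPs and SNAT addresses on the
# server-facing VLANs. Put your own here.
TRANSLATED_ADDRS = {
    ipaddress.ip_address("192.168.250.2"),
    ipaddress.ip_address("10.100.149.5"),
}

# Postfix smtpd logs each inbound connection as "connect from name[addr]".
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from \S*\[([0-9a-fA-F.:]+)\]")


def classify_connect_lines(lines, translated=TRANSLATED_ADDRS):
    """Return (real_clients, translated_peers) as lists of address strings."""
    real, seen_translated = [], []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue  # disconnects and other lines are not connections
        addr = ipaddress.ip_address(m.group(1))
        (seen_translated if addr in translated else real).append(str(addr))
    return real, seen_translated


def smtp_dialog(rfile, wfile, helo_name="probe.example.test"):
    """Run the SMTP greeting exchange over file objects; return the reply codes."""
    def read_reply():
        lines = []
        while True:
            raw = rfile.readline()
            if not raw:
                raise ConnectionError("peer closed before a full reply")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            # "250-..." continues a multi-line reply; "250 ..." ends it.
            if len(line) < 4 or line[3] != "-":
                return line[:3], lines

    banner_code, banner = read_reply()          # wait for 220 before talking
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    wfile.flush()
    ehlo_code, ehlo = read_reply()
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    quit_code, _ = read_reply()
    return {
        "banner": banner_code,
        "ehlo": ehlo_code,
        "quit": quit_code,
        "greeting": banner[0],
        "extensions": [l[4:] for l in ehlo[1:]],  # strip the "250-" prefix
    }


def smtp_probe(vip, port=25, timeout=5.0):
    """Connect to the virtual server (or a pool member) and run smtp_dialog."""
    with socket.create_connection((vip, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return smtp_dialog(rfile, wfile)


if __name__ == "__main__":
    import sys
    print(smtp_probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run the probe once against the VIP and once against a pool member directly; if the direct connection completes but the VIP one dies before the banner, the reply path (server default gateway, or the firewall in Bruno's diagram) is the suspect rather than the SMTP daemon. Feed the server's mail log through classify_connect_lines() afterwards: real client addresses in the first list confirm translation is off.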

BPetronio_11363
Nimbostratus
Thanks Aaron,

I will try it tomorrow, and will feedback on here the result.

Best Regards,

Bruno Petrónio

BPetronio_11363
Nimbostratus
5 Stars.

Thanks.

Uriah_Queen_110
Nimbostratus
I'm trying the same thing but with SSH instead of SMTP. I've pointed my servers to use the LTM floating IP as their GW and set the Virtual Server SNAT Pool to None, AutoMap, and custom SNAT. In each attempt my client IP was logged as being one of the SNAT IPs. Could this be because I am configured one-legged (all on one VLAN)?

Is there a way of getting this to work within a single VLAN, or do I need to have my Virtual Server in one VLAN and my server pool and SNAT in a different VLAN? Any light on what I might be missing would be appreciated.

Thanks,

-uriah

Uriah_Queen_110
Nimbostratus
Ahhh, disabled SNAT on the Pool as opposed to disabling SNAT Pool...

Albert_C_3084
Nimbostratus
Hi, I'm facing the same problem as what Ray Sbrusch described, and I couldn't find a solution. I need the SMTP server to see the actual client IP (at the same time traffic being load balanced) instead of the SNAT VIP so I can do accounting. It seems after I disable the SNAT, the load balancer doesn't even send the traffic to the SMTP server, as I can't see any connection from the actual client in the SMTP monitoring page. I understand I can do IP forwarding but that'll disable the load balancing.

hooleylist
Cirrostratus
Hi Albert,

You could change the server's default gateway to be the LTM self IP address. Or you could use nPath (direct server return) to avoid needing SNAT.

Aaron

Fabrizio_Chiava
Nimbostratus
Hi,

I read the full conversation. I have a similar configuration to the customer, but unfortunately it has an SMTP load balance with SNAT enabled; the customer has other services configured in this way also, but for this particular SMTP VS would like to allow the SMTP real servers to see the original IP address, I think for logging purposes.

Is it possible to add into the Virtual Server configuration a similar "X-Forwarded-For" but only for SMTP?

Thanks.

Regards

Fabrizio.

Hamish
Cirrocumulus
There's nothing in SMTP to allow that. But what you could do is set the client IP in one of the TCP option headers (see the DevCentral iRule page on TCP::options).

It's up to the software (i.e. the SMTP server) to pull that info though and use it.

H

RAQS
Cirrus

Hi Ray,

I have a similar requirement; can you please help me with the solution.

Requirement: We have SMTP servers which are getting load balanced via F5 LTM and we want to see the client IP address instead of the SNAT.

Regards,

Raqs