I know this topic has been discussed in the forums multiple times, but I never found implementation details which dont' require iRules or putting the BigIP in bridging mode.
I would like to be able to load balance SMTP servers with LTM, and have the SMTP servers see the original IP address of the sender.
We have already changed the default gateway of the SMTP servers to the floating IP of the F5 units. I have SNAT Pool set to None, and Address Translation and Port Translation enabled.
When I connect with telnet to port 25 on the virtual server, the connection is quickly closed before I can even finish HELO.
It sounds like you have the configuration set up correctly to not do source address translation on LTM. Does it work if a real client tries to connect to the SMTP servers via the VIP?
I'd guess the SMTP server is closing the connection before you have a chance to send any data. You can get around this issue by using netcat from the LTM command line:
echo "my smtp commands" | nc VIP_IP VIP_PORT
Also, clients on the same subnet as the SMTP servers would not work as the SMTP servers would respond back directly to the clients--not to LTM.
Thanks for the tip Aaron. Netcat and wireshark helped identify the real problem.
My test servers was actually connected to an old Cisco load balancer. Even though we change the default route on the server, the Cisco sent the responses back to the firewall instead of the F5.
I also created a forwarding IP virtual server so we could access the real server.
Where do you want to see the original client IP address that you're not? Is it on LTM that you want to use the client IP for persisting? Or is it on the RDP servers that you want to see the client IP address? If so, are you using SNAT or some other method to translate the source IP address on connections from LTM to the pool?
I don't think there is any mechanism within RDP to pass the original client IP address to the server. If the clients and servers are not on the same network and you can change to servers' default gateway to LTM's self IP on their network, you could remove the SNAT from the VIP and have LTM use the client's IP address to establish the serverside connection.
I'm facing some similar problems with this "simple" type of configuration.
I have a VServer with public IP, Performance (http) type, with a pool with 1 server (private ip). No SNAT configured, so i guess i should see the client IP Address when someone "hits" the VServer.
The server has a way to see the client ip address and is always showing the F5 self ip of the internal vlan.
Physically, i have the following scenario:
[Router] --- [F5] ---- [FW] ---- [Server]
[Router] - [F5] -- Public IP
[F5] - [FW] - Private IP (routed zone)192.168.250.0/24
[FW] - [Server] - Private IP (DMZ) 10.100.149.0/24
If i have no SNAT configured in VServer, why is the packet arriving on the server with the source IP of the Self IP Address of F5 Internal Vlan ?
What i was hopping was to see the real ip clients o my webservers fo variuos proposes.(Statistics, control, security, etc...)
One of the ways the Perf HTTP profile improves performance is by performing source address translation and using OneConnect. If you need to preserve the original client IP address you could change to a standard HTTP profile and add a custom OneConnect profile with a 255.255.255.255 source mask. For details on the performance HTTP profile, try searching on AskF5.com. If you can't find relevant solutions, let me know.
I'm trying the same thing but with SSH instead of SMTP. I've pointed my servers to use the LTM floating IP as their GW and the Virtual Server SNAT Pool to None, AutoMap, and custom SNAT. In each attempt my client IP was logged as being one of the SNAT IPs. Could this be because I am configured on legged (all on one VLAN)?
Is there a way of getting this to work within a single VLAN, or do I need to have my Virtual Server in one VLAN and my server Pool and SNAT in a different VLAN? Any light on what I might be missing would be grateful.
Hi I'm facing the same problem as what Ray Sbrusch described, and I couldn't find a solution. I need the smtp server to see the actual client IP (at the same time traffic being loadbalanced) instead of the SNAT VIP so I can do accounting. Seems after I disable the SNAT, the loadbalancer doesn't even send the traffic to the SMTP server as I can't see any connection from actual client in the smtp monitoring page. I understand I can do a IP forwarding but that'll disable the laodbalancing.
I read the full conversation. I have a similar configuration to the customer but unfortunately has a SMTP load balance with SNAT enabled, the customer has other services configured in this way also, but for this particular SMTP VS would to allow to see the Original IP address by the SMTP real servers, I think for logging purposes.
Is it possible to add into the Virtual Server configuration a similar "X-Forwarded-For" but only for SMTP?
There's nothing in SMTP to allow that. But what you could do is set the client ip in one of the tcp option headers (See the devcentral iRUle page on TCP::options).
It's up to the software (i.e. the SMTP server) to pull that info though and use it.
A new question is probably a better way to go, this one has different questions together.
You might be able to stop using Source Address translation and get the real IP. But that depends on your network setup. Can you come up with a network diagram?
Beyond that there are no real options. someone suggests the TCP options, but that is a long shot, what is your SMTP server brand / vendor?
