
SNAT is not working in a one-arm configuration.

Beginner-T
Altostratus

Thank you for all the advice.

We are now testing a BIG-IP VE in a one-arm configuration as shown below. I want to connect to a WordPress server via BIG-IP VE LTM version 17.1.0.1.

We can successfully connect to the VIP (10.200.6.1). But when the WordPress server's page is changed, the communication cannot be established without routing to the real server (10.100.100.0/24), and the URL displayed in the browser changes from "http://10.200.6.1/" to "http://10.100.100.200/sample-page/". Why is that?

I added SNAT (10.200.6.1) settings and set Automap, but the result is the same.
Am I missing any settings? Is there anything else I should check?

image.png


CA_Valli
MVP

Although F5 is deployed in a one-arm configuration, it might be helpful to separate client- and server-side connections to understand the flow better.

Your client x.x.x.x requests the HTTP page via the VIP, accessing http://10.200.6.1
F5 accepts the connection, selects WP server 10.100.100.200 as a destination and opens a new server-side connection to that IP.

Let's discuss the NAT scenario:
- without SNAT, client x.x.x.x address isn't changed
- with automap, client x.x.x.x address is NAT-ed via the egress interface IP
- with a custom NAT pool, you can set 10.200.6.1 as NAT address

In the first scenario, the server response will be routed to x.x.x.x directly, unless you have a route that points to F5. I believe this might be one of the reasons your URL changes, but I'm not sure about it.
In the second and third scenarios, traffic will return via F5. In this case, F5 should forward the server response through the client-side connection in a transparent way, and the client should only see 10.200.6.1 in the URL. In one-arm setups, NAT is often applied to "force" symmetric traffic return through F5. I believe it might suit your environment too.

When you update WP server page, it should not affect how F5 processes this traffic. As long as you access an existing uri (via Virtual Server IP) you should be able to see WP page. 

Thank you for the reply.

First, I wanted to use BIG-IP VE to route the communication after page transitions through a load balancer (LB), similar to the second or third scenario.

However, even after configuring SNAT and Automap, it seems like the pages are still directly accessing the WP servers.

Looking at "Module Statistics : Local Traffic ›› SNATs", it's all zero,
so SNAT may not have been applied.

Could you post the outcome of curl -v http://10.200.6.1/ ?

Cheers,
Kees

Thank you for the reply.

I ran curl -v http://10.200.6.1/ from the client PC:

* Trying 10.200.6.1:80...
* Connected to 10.200.6.1 (10.200.6.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.200.6.1
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Wed, 19 Jul 2023 00:54:17 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/8.1.14
< Link: <http://10.100.100.200/wp-json/>; rel="https://api.w.org/"
<
<!DOCTYPE html>
<html lang="en-US">
<head>

@Beginner-T It appears that your server is sending a response to the client telling them to connect to "http://10.100.100.200/wp-json" and that is most likely the cause of your issue. If you opened developer tools on the client side you should see that arriving on your machine. You might see if you can change that response to a relative path rather than the literal host of "10.100.100.200" and see if that fixes your issue.

Could you add the following iRule to the virtual server?

when HTTP_REQUEST {
    # Disable the stream filter for client requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Disable the stream filter for server responses by default
    STREAM::disable

    # Enable the stream filter for text responses only
    if {([HTTP::status] == 200) && ([HTTP::header value Content-Type] starts_with "text")} {
        # Replace '10.100.100.200' with '10.200.6.1'
        STREAM::expression {@10.100.100.200@10.200.6.1@}
        # Enable the stream filter
        STREAM::enable
    }
}

Thank you so much.

I resolved the issue using your answer's iRule.


You're welcome.
But be aware, this will only work if you access the website by IP address.
This iRule will work if you access the website by DNS name.

when HTTP_REQUEST {
    # Remember the Host header the client used
    set orig_host [HTTP::host]
    # Disable the stream filter for client requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Disable the stream filter for server responses by default
    STREAM::disable

    # Enable the stream filter for text responses only
    if {([HTTP::status] == 200) && ([HTTP::header value Content-Type] starts_with "text")} {
        # Replace '10.100.100.200' with the Host header value.
        # Double quotes so Tcl substitutes $orig_host; inside braces it would be passed literally.
        STREAM::expression "@10.100.100.200@$orig_host@"
        # Enable the stream filter
        STREAM::enable
    }
}
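
A check for the symptom identified in this thread, added here as an example and not part of any post above: it scans a captured response for addresses in the real-server network (10.100.100.0/24), in headers and body separately. The sample response is constructed from the curl output above plus a made-up body, the function names are hypothetical, and `rewrite_body_only` assumes a rewrite that changes only the payload.

```python
import ipaddress
import re

# Constructed sample: headers taken from the curl -v output in the thread,
# followed by a constructed three-line HTML body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.20.1\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    'Link: <http://10.100.100.200/wp-json/>; rel="https://api.w.org/"\r\n'
    "\r\n"
    "<!DOCTYPE html>\n"
    '<a href="http://10.100.100.200/sample-page/">Sample Page</a>\n'
    '<link rel="stylesheet" href="/wp-includes/css/style.css">\n'
)

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def backend_hosts(text, network):
    """Return IPv4 literals in text that fall inside the backend network."""
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(match.group())
        except ValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)
        if addr in network:
            found.append(match.group())
    return found

def find_backend_leaks(raw_response, backend_cidr):
    """List (where, name, address) for each backend address in a response."""
    network = ipaddress.ip_network(backend_cidr)
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        for host in backend_hosts(value, network):
            leaks.append(("header", name.strip(), host))
    for lineno, line in enumerate(body.splitlines(), start=1):
        for host in backend_hosts(line, network):
            leaks.append(("body", f"line {lineno}", host))
    return leaks

def rewrite_body_only(raw_response, old, new):
    """Model a rewrite that changes the payload and leaves headers alone."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    return head + sep + body.replace(old, new)

print(find_backend_leaks(SAMPLE_RESPONSE, "10.100.100.0/24"))
```

On the sample, the body hit disappears after `rewrite_body_only` while the `Link` header hit remains, which is the kind of residue to look for in a fresh `curl -v` capture once a rewrite rule is in place.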


Paulius
MVP

@Beginner-T Would you mind sharing the configuration of the virtual server so we can have a better understanding of what's going on? Please also provide the configuration of any options you have configured such as profiles, irules, and so on.

Thank you for your cooperation.

Could you please help me identify my mistake by looking at the configuration screen?

BeginnerT_0-1689731581175.png

BeginnerT_1-1689731726497.png

BeginnerT_2-1689731754740.png