Passing client IPs for FTP

Our FTP server (behind our F5) has an auto-ban feature that is blocking the self IP address of the F5 after multiple invalid logins. This in turn blocks all FTP traffic. I have used X-Forwarded-For in the past but I can't seem to find the equivalent for FTP. Our workaround is to not auto-ban IP addresses, but this is a security risk. My solution is to move from Automap/SNAT to None (Routed Mode) and make the F5 the default gateway of the SFTP server (this would pass the real client IP at Layer 3). I seem to have hit a roadblock on how to exactly do that.

Current config:
EXT listener (F5 virtual server): 10.10.10.181
Pool member (FTP server): 192.168.66.3
Self IP of F5: 192.168.1.3

How would I specifically configure the Forwarding (IP) virtual server so it sends traffic destined for 10.10.10.181 to 192.168.66.3 while passing the real IP address? Do I need to create a static route on my router, since the F5 and the server are on different VLANs? When I set the DG to the self IP of the F5, all traffic to that server dies (as expected). Any help is appreciated!

VS and NAT precedence

Hi, I was under the impression that when there are a NAT and a VS defined (both matching the incoming packet), then the VS always wins. That is the case for SNAT, except when Source Address Translation is set to None on the VS and a matching SNAT object exists. But still, for SNAT there is full control over whether SNAT should be used or not (even if SNAT is None on the VS, we can set Allow SNAT to No on the Pool). The problem is that there seems to be no such control for NAT.

Scenario:

Network VS, Forwarding (IP) type
Source Address: 10.1.20.252/32
Destination Address/Mask: 192.168.104.0/24
Service Port: All
Source Address Translation: None
Enabled On: VLAN int

NAT object
Origin Address: 10.1.20.252
NAT Address: 10.128.11.51

Host sending traffic to the 192.168.104.0/24 subnet
Host IP: 10.1.20.252 - matching both the NAT Origin Address and the VS Source Address
Def GW: BIG-IP Self IP on VLAN int

Result: All traffic leaving the BIG-IP on VLAN ext has its src IP NATed to 10.128.11.51 (NAT Address). What's more, looking at the NAT and VS stats it's obvious that traffic is processed by both the VS and the NAT (same packet count reported on both). I wonder if this is expected behavior? If so, it seems that there is no way to prevent NATing the src IP for such a configuration; the only way is to set the NAT object to disabled, which seems to be a little drastic a solution.

Piotr