

With SNAT Automap enabled on a Performance L4 VIP, how do I know the real client IP address?

As a server owner I would like to know the real client IP address of all the requests coming to my backend server from the VIP, but SNAT Automap changes the client IP address to the F5 floating IP. Is there any way we can apply an iRule or any other profile which will allow us to know the actual client's IP address?

0
Comments on this Question
Comment made 1 month ago by dluzzi 76

Hello,

You can enable the X-Forwarded-For header in the HTTP profile assigned to the VS by enabling the Insert X-Forwarded-For checkbox.

You can also set up an iRule:

    # Requires an HTTP profile on the virtual server.
    # "replace" overwrites any X-Forwarded-For the client sent itself,
    # so the backend receives a single header holding the client address.
    when HTTP_REQUEST {
        HTTP::header replace X-Forwarded-For [IP::client_addr]
    }

0
Comment made 1 month ago by Sajan Mania 72

Will this work for a VIP with a non-HTTP port?

0
Comment made 1 month ago by James Rodgers 153

Yes, if it is still the HTTP protocol, with an HTTP profile.

0
Comment made 1 month ago by Innovator 99

How can we obtain the real client IP address if I am running on Performance Layer 4, which doesn't use an HTTP profile, and pass it to the back-end server?

0
Comment made 1 month ago by Sajan Mania 72

Please check the comment below from rafaelbn:

You could use an iRule to log to the BIG-IP internal syslog. After that you will need to get this information and correlate it somehow.

    # Logs the original (pre-SNAT) client address to /var/log/ltm (local0)
    # when the client-side TCP connection is accepted.
    when CLIENT_ACCEPTED {
        log local0. "Source IP: [IP::client_addr]"
    }

0
Comment made 1 month ago by James Rodgers 153

To correlate, you could try logging the server-side source port, [serverside {TCP::local_port}], at the same time as the client-side source IP, [clientside {IP::remote_addr}]. I believe you can do this all in SERVER_CONNECTED. Like this (untested):

    # Runs once the server-side connection is established, so both the
    # client-side and the SNATed server-side tuples are available.
    # serverside TCP::local_port is the source port the pool member sees.
    when SERVER_CONNECTED {
        log local0.info "Client [clientside {IP::remote_addr}] connected to [IP::server_addr]:[serverside {TCP::remote_port}] from port [serverside {TCP::local_port}]"
    }
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The most common solution to this issue is to set up an X-Forwarded-For Header. Enabling this will tell the F5 to add in an HTTP Header that stores the original client IP address. There are a few ways to enable this on an F5, the most common being an iRule such as the one below:

    # Requires an HTTP profile on the virtual server.
    # "insert" adds an X-Forwarded-For header carrying the client address;
    # any X-Forwarded-For the client sent itself is left in place ahead of it.
    when HTTP_REQUEST {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }

or just enabling "Insert XFF" in your HTTP profile so that the F5 will do it for you. This article seems to be a perfect read for solving your issue.

If you have any more questions, I am sure I can help.

1
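The backend side of this approach, as an added example that is not part of the thread or of F5's code. It assumes the BIG-IP inserts X-Forwarded-For (the profile checkbox or the iRule above), that the backend knows which addresses the BIG-IP SNATs from (the constructed 192.0.2.10 and 192.0.2.11 below stand in for its self IPs), and that the backend's HTTP server hands it the TCP peer address plus the raw X-Forwarded-For values in arrival order. The security point it shows: a client can send its own X-Forwarded-For, and with `HTTP::header insert` that forged value arrives ahead of the one the BIG-IP adds, so the backend must take the rightmost hop that is not a known proxy, never the first.

```python
"""Recover the client IP from X-Forwarded-For behind a BIG-IP using SNAT.

Added example (not from the thread). Assumptions, all constructed for
illustration:
  * the BIG-IP inserts X-Forwarded-For with [IP::client_addr];
  * TRUSTED_PROXIES holds the BIG-IP's SNAT (self/floating) addresses as the
    backend sees them; 192.0.2.10 and 192.0.2.11 are placeholders;
  * xff_headers is the list of X-Forwarded-For values in the order received
    (a forged client header, if any, comes before the BIG-IP's).
"""
import ipaddress

TRUSTED_PROXIES = {
    ipaddress.ip_address("192.0.2.10"),  # assumed BIG-IP self IP (SNAT automap)
    ipaddress.ip_address("192.0.2.11"),  # assumed BIG-IP floating self IP
}


def _hops(xff_headers):
    """Flatten several X-Forwarded-For headers (each possibly comma separated)
    into one ordered list of hop strings, earliest hop first."""
    hops = []
    for value in xff_headers:
        hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def naive_client_ip(peer_addr, xff_headers):
    """The common mistake: trust whatever the first X-Forwarded-For hop says.
    A client that sends its own header controls the result."""
    hops = _hops(xff_headers)
    return hops[0] if hops else peer_addr


def client_ip(peer_addr, xff_headers, trusted=TRUSTED_PROXIES):
    """Return the client address as a string.

    Only honour X-Forwarded-For when the TCP peer is a trusted proxy, then
    walk the hops from the right, skipping trusted proxies; the first
    untrusted hop is the one the BIG-IP appended, i.e. the real client.
    A malformed hop aborts the walk and falls back to the peer address.
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return peer_addr
    if peer not in trusted:
        # Direct connection (or an unknown proxy): the header is untrusted input.
        return str(peer)
    for hop in reversed(_hops(xff_headers)):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if ip not in trusted:
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Constructed request: the client sent a forged header, then the BIG-IP
    # inserted a second one carrying the true source address.
    forged_then_real = ["1.2.3.4", "203.0.113.7"]
    print("naive  :", naive_client_ip("192.0.2.10", forged_then_real))  # 1.2.3.4
    print("trusted:", client_ip("192.0.2.10", forged_then_real))        # 203.0.113.7
```

Keep TRUSTED_PROXIES to the BIG-IP's actual SNAT addresses rather than a whole subnet: any address in the trusted set is skipped during the walk, so listing a range that also contains real clients would hide those clients behind the next hop or the peer address.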
Comments on this Answer
Comment made 1 month ago by Sajan Mania 72

Will this work for a VIP with a non-HTTP port?

0
Comment made 1 month ago by rafaelbn 344

Sajan,

Non-HTTP port, yes. Non-HTTP protocol, no.

0
Comment made 1 month ago by Sajan Mania 72

OK, I have the VIP config as below. Will it work, or what changes do I have to make to make it work?

    ltm virtual XYZ_VIP-6751 {
        destination 10.10.10.97:6751
        mask 255.255.255.255
        pool XYZ_POOL-6751
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 363
    }

0
Comment made 1 month ago by Rico 864

No, you don't have an HTTP profile because you are using a Performance L4 virtual.

0
Comment made 1 month ago by Sajan Mania 72

What will be the solution in this case? Some solution to find the client IP address.

In F5, can we find archived connection logs?

0
Comment made 1 month ago by rafaelbn 344

Sajan, X-Forwarded-For will only work for HTTP traffic. Is this VIP HTTP? And F5 does not log/archive connections by default.

0
Comment made 1 month ago by Sajan Mania 72

rafaelbn, thanks for your valuable comments.

OK. If I want the F5 to log the traffic for a Performance L4 VIP with port 6751, which is not HTTP traffic, how can I achieve it?

0
Comment made 1 month ago by rafaelbn 344

You could use an iRule to log to the BIG-IP internal syslog. After that you will need to get this information and correlate it somehow. I know that this is not what you want to hear, but maybe a re-design would make things a bit easier.

The iRule would be something like this:

    # Logs the original (pre-SNAT) client address to /var/log/ltm (local0)
    # when the client-side TCP connection is accepted; no HTTP profile needed.
    when CLIENT_ACCEPTED {
        log local0. "Source IP: [IP::client_addr]"
    }

Just remember: after you log to the internal syslog, the information is good for just a few days. You'll have to extract it somehow. Cheers!

1
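The correlation step both this comment and James Rodgers' comment in the question thread leave to the reader, as an added example that is not part of the thread or of F5's code. It assumes the SERVER_CONNECTED iRule from that earlier comment is attached to the L4 virtual, because it logs the SNAT source port alongside the client IP; the CLIENT_ACCEPTED iRule above logs only the client IP, which cannot be matched to anything the server records. Log formats, hostnames, addresses and timestamps below are constructed, and the backend is assumed to log each accepted connection with its peer (the SNAT address) and source port.

```python
"""Join BIG-IP iRule log lines to backend connection records across SNAT.

Added example, not from the thread. It assumes the SERVER_CONNECTED iRule
from James Rodgers' comment is attached to the L4 virtual, so /var/log/ltm
carries, per server-side connection, the client IP, the pool member and the
BIG-IP's source (SNAT) port. Log formats, hostnames, addresses and
timestamps are constructed.

Join key: (pool member, SNAT source port) within a time window. With automap
the BIG-IP may SNAT from more than one self IP, so this key is unambiguous
only while a single SNAT address is in play; also logging
[serverside {IP::local_addr}] in the iRule would make the key complete.
"""
import re
from datetime import datetime, timedelta

YEAR = 2024  # syslog lines carry no year; the constructed data is from 2024

# Constructed /var/log/ltm lines as the SERVER_CONNECTED iRule would write them.
# Source port 41234 is reused ten minutes later by a different client.
BIGIP_LOG = """\
Jan  5 10:00:01 bigip1 info tmm[1234]: Rule /Common/log_client <SERVER_CONNECTED>: Client 203.0.113.7 connected to 10.20.0.5:6751 from port 41234
Jan  5 10:00:02 bigip1 info tmm[1234]: Rule /Common/log_client <SERVER_CONNECTED>: Client 198.51.100.42 connected to 10.20.0.5:6751 from port 41235
Jan  5 10:09:30 bigip1 info tmm[1234]: Rule /Common/log_client <SERVER_CONNECTED>: Client 203.0.113.9 connected to 10.20.0.5:6751 from port 41234
"""

# Constructed backend connection log: the peer it sees is the SNAT address.
BACKEND_LOG = """\
2024-01-05T10:00:01 accept 192.0.2.10:41234 -> 10.20.0.5:6751
2024-01-05T10:00:02 accept 192.0.2.10:41235 -> 10.20.0.5:6751
2024-01-05T10:09:31 accept 192.0.2.10:41234 -> 10.20.0.5:6751
2024-01-05T10:15:00 accept 192.0.2.10:41236 -> 10.20.0.5:6751
"""

BIGIP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ tmm\[\d+\]: .*?"
    r"Client (?P<client>[\d.]+) connected to (?P<member>[\d.]+:\d+) "
    r"from port (?P<sport>\d+)$"
)
BACKEND_RE = re.compile(
    r"^(?P<ts>\S+) accept (?P<snat>[\d.]+):(?P<sport>\d+) -> (?P<member>[\d.]+:\d+)$"
)


def parse_bigip(text):
    """Return a list of (timestamp, member, snat_port, client_ip) per matching LTM line."""
    records = []
    for line in text.splitlines():
        m = BIGIP_RE.match(line)
        if not m:
            continue  # unrelated LTM line
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append((ts, m["member"], int(m["sport"]), m["client"]))
    return records


def parse_backend(text):
    """Return a list of (timestamp, snat_ip, snat_port, member) per backend accept line."""
    records = []
    for line in text.splitlines():
        m = BACKEND_RE.match(line)
        if not m:
            continue
        records.append((datetime.fromisoformat(m["ts"]), m["snat"],
                        int(m["sport"]), m["member"]))
    return records


def correlate(bigip_text, backend_text, window=timedelta(seconds=5)):
    """Return, for each backend accept line in order, the client IP the BIG-IP
    logged for the same (member, SNAT port) within `window`, or None.

    The window matters because ephemeral ports are reused; the nearest
    timestamp wins among candidates inside the window."""
    by_key = {}
    for ts, member, sport, client in parse_bigip(bigip_text):
        by_key.setdefault((member, sport), []).append((ts, client))

    resolved = []
    for ts, _snat, sport, member in parse_backend(backend_text):
        candidates = [
            (abs(ts - bts), client)
            for bts, client in by_key.get((member, sport), [])
            if abs(ts - bts) <= window
        ]
        resolved.append(min(candidates)[1] if candidates else None)
    return resolved


if __name__ == "__main__":
    for line, client in zip(BACKEND_LOG.splitlines(), correlate(BIGIP_LOG, BACKEND_LOG)):
        print(f"{line}  client={client}")
```

The two clocks must agree to within the window for this to work, so NTP on both the BIG-IP and the servers is a precondition; and since /var/log/ltm rotates within days, as noted above, the LTM side has to be copied off-box before it is gone.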
Comment made 1 month ago by Sajan Mania 72

Re-design: how?

0
Comment made 1 month ago by rafaelbn 344

If you can, make it so your nodes use the BIG-IP as their default gateway. This way, the original client IP will be seen by the nodes. The issue you're having is due to SNAT.

1
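The re-design rafaelbn describes, shown against the virtual server posted earlier in this thread as an added example that is not from the thread or from F5: the only change to the virtual is turning source address translation off. It assumes the pool members' default gateway is then a BIG-IP floating self IP so that their return traffic still passes through the BIG-IP; without that, the servers reply straight to the client address and the connection breaks.

```text
ltm virtual XYZ_VIP-6751 {
    destination 10.10.10.97:6751
    mask 255.255.255.255
    pool XYZ_POOL-6751
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type none
    }
    translate-address enabled
    translate-port enabled
}
```

With `type none` the pool members see the real client address as the TCP peer, so no header or log correlation is needed; the trade-off is that every server behind the virtual must route via the BIG-IP, which also means the BIG-IP is now in the path of all of those servers' outbound traffic.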
Comment made 1 month ago by Sajan Mania 72

Oh OK. I thought we had to create a new Standard VIP instead of the Performance L4 one.

OK, I understood the problem with the non-HTTP profile now. Thank you very much rafaelbn. Really appreciate it.
0
Comment made 1 month ago by rafaelbn 344

No worries! Best of luck. Please mark the thread as answered to help others and give the credits! Cheers!

0
Comment made 1 month ago by Sajan Mania 72

Hi @rafaelbn

Alternatively, if we have a syslog server, instead of keeping the logs locally on the BIG-IP load balancer, how can we capture the logs and send them to the log server?

0