Forum Discussion

Robin_Daugherty's avatar
Robin_Daugherty
Icon for Nimbostratus rankNimbostratus
Aug 05, 2011

IPv4 nodes in pool for IPv6 Virtual Server

(Using an LTM running 10.2.0.)

 

 

 

I've just gotten IPv6 connectivity and started to add v6 configuration. Initially I created a new virtual server with an IPv6 address that corresponded to an existing IPv4 virtual server. I pointed it at the same pool, which contained only IPv4 nodes.

 

 

Source address on traffic to the IPv6 virtual server was the self IP of the BIGIP. This meant that my Apache config ACLs saw the traffic as "internal" and allowed requests without authentication.

 

 

 

It seems like a great feature that you can place v4 addresses in pools for v6 services and not have to add an internal v6 address to everything, but in my case it's very important that my access logs and ACLs work correctly. Is there any way to disallow IPv6-to-IPv4 translation in this manner?

 

config
design

3 Replies

Sort By
  • smp_86112's avatar
    smp_86112
    Icon for Cirrostratus rankCirrostratus
    Nov 10, 2011
    I wish I would have seen this sooner - I didn't realize there was an IPv6 forum.

     

     

    In case you haven't resolved this...

     

    Source address on traffic to the IPv6 virtual server was the self IP of the BIGIP

     

    Does that mean SNAT AutoMap is enabled on the IPv6 Virtual Server, but not the IPv4 Virtual Server? If that's true, then my first reaction is to recommend removing SNAT Automap from the IPv6 VIP. That will retain the source address when the request is forwarded to your web server. Of course that recommendation assumes some things about your environment. If you need SNAT Automap enabled, then I can think of a couple of different options. You can designate a specific IP address as a source, add it to a SNAT Pool, and use the SNAT Pool instead of Automap. You will then have to configure Apache to recognize this SNAT address as "external" and force authentication. Not sure how feasible that is...

     

     

    If the IPv6 virtual server requires SNAT Automap to be enabled, another option is to apply a customized HTTP profile to the IPv6 VIP. The customized HTTP profile would have the "Insert X-Forwarded-For" option enabled, which injects this HTTP header into the stream whose value is the true source client IP address. You would then need to modify your Apache logging to log the value of this additional header. That would reflect the true client address in your logs.
  • smp_86112's avatar
    smp_86112
    Icon for Cirrostratus rankCirrostratus
    Apr 10, 2015

    It will work if HTTPS is terminated on the LTM. If it is not, then there's no way for the LTM to decrypt the packet, insert the header, and re-encrypt.