Forum Discussion

moulingi_138795
Dec 31, 2013

SNAT and Forwarding (IP) virtual servers

Hi

In the following topology:

(Network) ==> Firewall ==> LTM ==> Servers

I've set up a 'forwarding (IP)' virtual server on the LTM to handle at once Servers=>Network traffic and Network=>Servers traffic. I recently had to set up SNAT to enable servers to connect to a 'regular Virtual server' on that LTM using a pool of servers in the same vlan. Since SNAT has been set up, I can see that SNAT is applied on all sessions from the servers to the Network. This obviously causes an issue with the firewall but also with some protocols like FTP.

Any idea why SNAT is applied and how to disable it in this case? (no pool in 'Forwarding (IP)'... no way to disable SNAT!!)

I got rid of this problem by updating the virtual server from 'forwarding (IP)' to 'Performance (Layer 4)', now using a pool that contains the firewall cluster address and without SNAT (I also had to create another 'forwarding (IP)' virtual server to handle Network=>Servers traffic).

Thank you in advance for your comments!!

Gilles

5 Replies

  • I recently had to set up SNAT to enable servers to connect to a 'regular Virtual server' on that LTM using a pool of servers in the same vlan.

    how did you set up snat? was it snat under the regular virtual server configuration or a snat list?

    if it was a snat list, can you try to use snat under the regular virtual server configuration instead?

  • Snat is configured by snat lists (1 entry per real server so we can still find in the servers' logs which was the original client, knowing the translation matrix).

    If I do set up snat at 'Virtual server' level, Snat will then apply for all connections hitting that VIP... So I will lose the real clients' IP addresses in the servers' logs... right?

  • If I do set up snat at 'Virtual server' level, Snat will then apply for all connections hitting that VIP... So I will lose the real clients' IP addresses in the servers' logs... right?

    yes but you can use the x-forwarded-for http header.

    sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT

    http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

    otherwise, you have to selectively snat using an irule or configure it like what you did.

    Selective SNAT

    https://devcentral.f5.com/wiki/irules.selectivesnat.ashx

  • I don't really like the first option, especially because we don't have only HTTP on that LTM ;)

    I will investigate the second option, which seems easy to understand/set up.

    Thank you

  • iRule seems to be the best option... and works as expected. I'm still trying to find a way of keeping the information on the original source addresses. The following iRule would do the job, but it's not working (on an LTM v10.2.4):

    when LB_SELECTED {
        # Only translate when the client and the selected pool member sit in the same /24
        if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
            # Brackets are required to run the command; without them the variable
            # held the literal string "IP::client_addr" and scan matched nothing
            set osaddr [IP::client_addr]
            # Split the original source address into octets and keep the host octet
            scan $osaddr %d.%d.%d.%d ip1 ip2 ip3 ip4
            # 1:1 translation: same host octet in the SNAT range, so logs map back to the client
            set tsaddr 192.168.10.$ip4
            snat $tsaddr
        }
    }

    Any idea how to achieve that?

    NB: I also tried to split the original source address with:

    # The split must be applied to the variable that holds the address ($osaddr), not an undefined $ip
    set ip4 [lindex [split $osaddr "."] 3]
    Not working either 😞
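As an added illustration (not code from this thread or from F5), the same selective SNAT decision and the 1:1 "translation matrix" it relies on, modelled in Python: translate only when the client and the selected pool member share a /24, keep the host octet so a server log entry can be mapped back to the real client, and leave firewall-bound traffic untranslated. The address ranges are constructed assumptions.

```python
import ipaddress

# Constructed values, not from the thread: the SNAT addresses carved out for
# server -> VIP -> server traffic live in 192.168.10.0/24, one per real server.
SNAT_NET = ipaddress.ip_network("192.168.10.0/24")


def same_slash24(a, b):
    """True when both addresses fall in the same /24 (the iRule's IP::addr test)."""
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{b}/24", strict=False)
    return net_a == net_b


def select_snat(client_addr, server_addr, snat_net=SNAT_NET):
    """Return the SNAT address to apply, or None when traffic must stay untranslated.

    Translation happens only when the client and the selected pool member share a
    /24 (a server hairpinning through the VIP to another server). Traffic towards
    the firewall keeps its real source, so firewall rules and protocols such as
    FTP, which embed addresses, still see the true client.
    """
    if not same_slash24(client_addr, server_addr):
        return None
    # 1:1 translation matrix: keep the host octet so a server log maps back to the client.
    host = int(ipaddress.ip_address(client_addr)) & 0xFF
    return str(snat_net.network_address + host)


def original_client(logged_addr, server_net, snat_net=SNAT_NET):
    """Reverse the matrix: given the source seen in a server log and the servers' /24,
    recover the real client. Addresses outside the SNAT range are returned unchanged,
    because untranslated connections already show the true client.
    """
    logged = ipaddress.ip_address(logged_addr)
    if logged not in snat_net:
        return str(logged)
    host = int(logged) & 0xFF
    return str(ipaddress.ip_network(server_net).network_address + host)
```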