Real Ip address for non http servers

Question

Hi Team &nbsp;
I have a situation which i am try to solve , basically i have non-http service hosted behind my load balancers here. currently the servers are not in a vlan attached to f5 , so using SNAT to make it work.
and currently the VIP is a Performace L4 VIP with SNAT enabled.&nbsp;
and now the application team needs the Real IP address of their clients and as its not http i am unable to change the VIP type to standard and apply a http profile with "x-forwarded for" enabled.&nbsp;
and the application team does not want to move their server vlan to vlan behind the load balancer.&nbsp;
any possibility with irules , if yes please help me .&nbsp;
many thanks in advance &nbsp;
S&nbsp;

mhite_60883 · Answer

Sounds like you'll have to look at DSR (direct server return) or VXLAN.&nbsp;
DSR over a routed network:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/6.html&nbsp;
VXLAN:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-4-0/10.html&nbsp;
It's also possible to implement "proxy-protocol" using an iRule (I have done it in the past). Your application developers would need to accomodate this on the server side. See:&nbsp;
https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/&nbsp;
https://devcentral.f5.com/questions/proxy-protocol-irule-implementation&nbsp;

mike_rochford_1 · Answer

Could you provide more information around the irule creation?

what_lies_bene1 · Answer

You do also have these options;&nbsp;
1) Adjust your routing so that the return traffic passes through the F5s (possibly in combination with a VRF)&nbsp;
2) Use Policy Based Routing (PBR)&nbsp;
3) Connect your F5 directly to the VLAN in question (assuming that is physically and logically possible) and use static routes on the servers to ensure return traffic goes through it&nbsp;
Either way, its seems like a huge amount of work and added complexity to accommodate your server team. Rather than looking for a technical solution, I'd say it would be worth talking to them again and explaining your challenge and the downsides of all these solutions.&nbsp;

solmon · Answer

indeed it is a complex situation , due to their current vlan which is multicast capable they are unwilling to move to an inline f5 vlan , have asked them to get additional NIC so that they can have MC and LB capabilites both.&nbsp;
thank you for you for the kind responses.&nbsp;
much appreciated. &nbsp;

Forum Discussion

Real Ip address for non http servers

4 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

Related Content

Decoding the IPv4 address from the persistence cookie

CSV to Address External Datagroup File

SNAT IP address logging

Real Attack Stories: Bank Gets DDoS Attacked

Real Attack Stories: DDoS Against Email Provider