Forum Discussion

sunshine92_2024
May 17, 2015

LTM config question

I need quick help for F5-LTM configuration. Please suggest if this can be easily achieved without any issue to fulfill these requirements.

 

  1. Create NAT for Server from Public IP to Private IP (only one server so no LB)
  2. Server does not use F5 as Gateway so SNAT will be required?
  3. Server does have SSL Certificate installed and there will be no certificate on F5
  4. Applications on Server are HTTP,HTTPS,SSH
  5. Client IP should be preserved so server can see the client IPs in log

thanks !!

 

10 Replies

  • The point which is problematic is 5, because you need SNAT (server has no routing back through F5) and you do not inspect SSL traffic (point 3), so the BIG-IP cannot add an X-Forwarded-For header with the client's source IP.

     

  • OK. So basically you are saying that without SSL offloading I cannot do client IP preservation using X-Forwarded-For header. Is there any alternate method available?

     

  • Hamish

    A couple of options...

     

    1. Policy routing on the server so that packets FROM your service port are routed back to clients via the BigIP (No SNAT required)
    2. Policy routing on your LAN switches/routers to forward traffic back to client via BigIP (No SNAT required)
    3. Insert the original client IP into the TCP options header and have the server log THAT address and not the address of the tcp connection (Allows SNAT but requires the web server to be able to log the info from the tcp options instead of the actual TCP connection)

    1 & 2 are probably more practical since you want to do SSH as well...

     

    H

     

  • So option 2 seems more feasible I guess. So this will maintain the client IP address all the way to the server and there is no requirement for X-Forwarded-For and SSL offloading on F5?

     

    • amolari
      If you do not require SNAT because the backend replies go back through the BIG-IP, it's fine. You do not need to use X-Forwarded-For because the server receives requests with a source IP = client IP.
  • Hamish

    Which one is more feasible depends on which team (server or network) is more willing to do the policy routing.

     

    I prefer server side myself...

     

  • Thanks folks! So what I understood is that this is achievable... I will do these steps

     

    1. Create VIP and associate application ports 80, 443, 22 with that VIP.
    2. Create node (server IP) and listen on ports 80, 443, 22. Set up keepalive.
    3. On VIP profile: do not use SNAT automap; default profile for HTTP, default profile for HTTPS (no SSL offloading); no CA and identity certificate required as the server will have the SSL certificate.
    4. Server does not use F5 as gateway. L3 switch will be the DGW.
    5. On the server L3 switch configure a policy for the server source IP to use F5 LTM as next hop.

    Is there anything else required on the VIP, node setup, or elsewhere?

     

  • I have tried this every way I could using policy routing on the L3 switch but it did not work. The only way I could make it work is using Auto-NAT with policy routing. But as far as I understand the Auto-NAT will not preserve the client IP address. Not sure what to do!!!!

     

  • Hamish

    Have another go at the policy routing on the switch. And tcpdump on the server and BigIP to see if the packets are making it back to the BigIP on the SAME interface the packets are leaving from in the other direction (BigIP doesn't like async routing).

     

    You could also try the policy routing on the host itself. On Linux it's real easy... You tag packets using ipfilters and then add a routing entry for the tagged packets...

     

    H

     
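A host-side version of the Linux policy routing Hamish describes above, as an added example that is not part of the thread or of F5's documentation: replies leaving the service ports are marked with iptables and a separate routing table sends them to the BIG-IP, so the VIP can run without SNAT and the server keeps seeing the real client IP. The BIG-IP self-IP, the interface name, the mark and the table number are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread or F5): policy routing on the Linux server
# so that replies FROM the service ports (80, 443, 22) go back through the
# BIG-IP instead of the L3 switch default gateway. All values are assumed.
BIGIP_SELF_IP="10.10.20.1"   # assumed BIG-IP floating self-IP on the server VLAN
IFACE="eth0"                 # assumed server interface facing that VLAN
SERVICE_PORTS="80,443,22"    # ports published on the VIP
FWMARK="0x10"                # firewall mark applied to reply packets
RT_TABLE="100"               # routing table consulted for marked packets

# Print the commands instead of running them so they can be reviewed first.
# The mark is set in mangle OUTPUT; Linux re-runs the routing decision when
# the mark changes, so the fwmark rule steers the replies to the BIG-IP.
policy_routing_cmds() {
  cat <<EOF
iptables -t mangle -A OUTPUT -p tcp -m multiport --sports ${SERVICE_PORTS} -j MARK --set-mark ${FWMARK}
ip rule add fwmark ${FWMARK} table ${RT_TABLE} priority 1000
ip route add default via ${BIGIP_SELF_IP} table ${RT_TABLE}
ip route flush cache
EOF
}

# Checks matching the tcpdump advice in the thread: the rule and table must
# exist, and replies must leave towards the BIG-IP's MAC, not the DGW's.
verify_cmds() {
  cat <<EOF
ip rule show
ip route show table ${RT_TABLE}
tcpdump -ni ${IFACE} -e 'tcp and (src port 80 or src port 443 or src port 22)'
EOF
}

# Apply for real (needs root). Undo with iptables -D / ip rule del / ip route del.
apply_policy_routing() { policy_routing_cmds | sh -e; }

if [ "${1:-}" = "--print" ]; then
  policy_routing_cmds
  verify_cmds
fi
```

Run it with `--print` to review the commands, then call `apply_policy_routing` from a root shell once the addresses match your environment.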

  • Hi Hamish, will do the dump as you suggested. I am sure that policy routing on L3 is doing its job and redirecting traffic back to F5 on its floating IP. Not sure why F5 does not accept it unless I turn on automap.

     

    So with automap the client IP will not be preserved, right? Do you think that my requirements will be better fulfilled with a NAT list (without VIP)?