Forum Discussion

NETWORK_331823
Jan 17, 2019

Change Source Address Translated IP to Original Client IP to backend server

Client IP: 10.3.30.x accessing LB VIP 192.168.12.228, which is configured with Source Address Translation (Auto: IP 10.0.122.65/28). The request is forwarded to back-end server 10.0.138.60:5555 (gateway is not the LB). Now if I take a capture on back-end server 10.0.138.60, I'll definitely be able to see 10.0.122.65/28 as my source contacting the back-end server on port 5555 when the client shoots some traffic. The requirement is that I need to see my original client IP 10.3.30.x as my source IP at my back-end server 10.0.138.60.

I have removed Source Address Translation from the LB configuration and found that the end client is unable to access the VIP due to a routing issue (as my back-end server gateway is not the LB).

Please suggest any way to meet my requirement.

 

7 Replies

  • What protocol are you using on this virtual server? If it's HTTP, you can use the x-forwarded-for header.

    • NETWORK_331823

      We need to get the original client IP as source in the end server; due to some limitations we cannot use XFF in the back-end. The only option is to filter for the source IP from the header.



  • There are 2 solutions:

    • if the protocol supports header insertion, like HTTP/HTTPS, you can insert a header with the IP address!
    • else, change your network design to make the BIG-IP the default route, to support the client's real IP on the server side
  • Hi GSTN Infra Network Team,

    Stanislas already provided you two solutions. I'd like to elaborate a little bit more on the second solution Stanislas has provided.

    For network environments with "more intelligent network equipment" it's not mandatory to change the "DEFAULT-GW" configuration to pass all traffic towards your F5.

    Depending on your equipment, you may utilize some PBR (Policy Based Routing) functionality to be able to route just the traffic coming from SRC=10.0.138.60 (back-end application) to DST=0.0.0.0/0 (you may also want to add DST exemptions) towards GW=10.0.122.65 (F5).

    If PBR is not applicable, you could also add an additional network interface and IP address on your F5 within the back-end server VLAN. In this case you would be able to configure the local routing table of the back-end server to pass traffic destined for 0.0.0.0/0 (you may also want to add some additional routes for internal traffic) to the now locally connected F5.


    Cheers, Kai
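As an added example (not from Kai's reply or from anyone in the thread), the following Python model shows why the back-end's reply path matters once SNAT is removed, and what the PBR rule Kai describes changes. It mimics Linux `ip rule` / `ip route` semantics: a source-based rule sends only traffic from 10.0.138.60 to a table whose default route points at the BIG-IP (10.0.122.65), with a DST exemption so internal traffic keeps its old path. The site gateway 10.0.138.1 and the exempted subnet 10.0.140.0/24 are assumed placeholders; the client, server and BIG-IP addresses are the ones from the question.

```python
import ipaddress
from typing import List, Optional, Tuple

# Addresses from the thread: client range 10.3.30.x, backend 10.0.138.60,
# BIG-IP SNAT/self address 10.0.122.65. SITE_GW and MONITOR_NET are
# constructed placeholders for this example.
CLIENT      = "10.3.30.17"
SERVER      = "10.0.138.60"
F5          = "10.0.122.65"
SITE_GW     = "10.0.138.1"      # hypothetical existing default gateway of the server VLAN
MONITOR_NET = "10.0.140.0/24"   # hypothetical internal subnet exempted from PBR

DIRECT = "direct"               # sentinel for a directly connected destination


class RoutingTable:
    """Longest-prefix-match table, like one `ip route show table N` listing."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]

    def lookup(self, dst: str) -> Optional[str]:
        d = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if d in net]
        if not matches:
            return None                      # no route in this table
        return max(matches, key=lambda r: r[0].prefixlen)[1]


class Host:
    """A host with a main table and ordered source-based policy rules (`ip rule`)."""

    def __init__(self, main: RoutingTable):
        self.main = main
        self.rules = []                      # (source prefix, table), first match wins

    def add_rule(self, src_prefix: str, table: RoutingTable) -> None:
        self.rules.append((ipaddress.ip_network(src_prefix, strict=False), table))

    def next_hop(self, src: str, dst: str) -> Optional[str]:
        s = ipaddress.ip_address(src)
        for net, table in self.rules:        # a rule only applies if its table has a route
            if s in net:
                nh = table.lookup(dst)
                if nh is not None:
                    return nh
        return self.main.lookup(dst)         # otherwise fall through to the main table


def build_server_host(pbr: bool) -> Host:
    """The backend's routing as its OS sees it, with or without the PBR rule Kai describes."""
    main = RoutingTable([
        ("10.0.138.0/24", DIRECT),           # server VLAN
        ("0.0.0.0/0", SITE_GW),              # existing default gateway, not the BIG-IP
    ])
    host = Host(main)
    if pbr:
        table100 = RoutingTable([
            ("10.0.138.0/24", DIRECT),       # keep local VLAN traffic off the BIG-IP
            (MONITOR_NET, SITE_GW),          # DST exemption: internal traffic bypasses the BIG-IP
            ("0.0.0.0/0", F5),               # everything else from the app returns via the BIG-IP
        ])
        host.add_rule(SERVER + "/32", table100)
    return host


def reply_next_hop(pbr: bool, src: str, dst: str) -> Optional[str]:
    """Next hop the backend picks for a packet from src to dst."""
    return build_server_host(pbr).next_hop(src, dst)


def reply_reaches_lb(pbr: bool) -> bool:
    """True if the server's reply to an un-SNATed client packet goes back through the BIG-IP."""
    return reply_next_hop(pbr, SERVER, CLIENT) == F5


if __name__ == "__main__":
    for pbr in (False, True):
        print(f"PBR={pbr}: reply {SERVER}->{CLIENT} via {reply_next_hop(pbr, SERVER, CLIENT)}, "
              f"symmetric={reply_reaches_lb(pbr)}")
```

Without the rule, the reply to 10.3.30.17 leaves via the existing default gateway and never crosses the BIG-IP, which is the asymmetric-routing failure the original poster hit after disabling SNAT; with the rule, only the application's own traffic is steered back through the BIG-IP, the exempted subnet keeps its old path, and other hosts in the VLAN are untouched.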

     

  • You need to enable X-Forwarded-For in the HTTP profile settings. Make changes only in a newly created custom HTTP profile and not in the parent profile. Once the mentioned setting is enabled, you need to enable the X-Forwarder settings in the respective servers to capture the actual client IP.
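Both Stanislas' first option and this reply rely on the back-end reading X-Forwarded-For. As an added example, not code from any participant or from F5, here is a back-end-side resolver in Python that only trusts the header on connections arriving from the BIG-IP's SNAT range (10.0.122.65/28 from the question) and walks the chain from the right, so a client that sends its own forged X-Forwarded-For cannot choose the source address the server logs or filters on. The trusted-proxy list and the `forwarded_header` helper that mimics what the load balancer appends are assumptions for this example.

```python
import ipaddress
from typing import Optional

# The BIG-IP SNAT range from the thread (10.0.122.65/28). Only connections
# arriving from this range are trusted to carry an honest X-Forwarded-For.
# Constructed for this example; adjust to the real SNAT pool in use.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.122.65/28", strict=False)]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to a proxy whose appended XFF entries we believe."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def forwarded_header(client_addr: str, client_sent: Optional[str] = None) -> str:
    """Hypothetical stand-in for the load balancer: append the real client
    address to whatever X-Forwarded-For value the client itself sent."""
    return f"{client_sent}, {client_addr}" if client_sent else client_addr


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Pick the address the back-end should log or filter on for one request.

    peer_addr  -- TCP source address the back-end actually sees (the SNAT address).
    xff_header -- raw X-Forwarded-For value, or None when the header is absent.

    Rules:
      * If the TCP peer is not a trusted proxy the header may be forged: ignore it.
      * Otherwise walk the header from the right, skipping trusted proxies; the
        first untrusted hop is the client the BIG-IP appended.
      * Any malformed entry aborts the walk and falls back to the peer address.
    """
    if not xff_header or not is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr                 # garbage in the chain: do not guess
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr                         # every hop was a proxy; nothing better known


if __name__ == "__main__":
    lb = "10.0.122.65"
    print(client_ip(lb, forwarded_header("10.3.30.17")))
    print(client_ip(lb, forwarded_header("10.3.30.17", "203.0.113.9")))  # forged entry ignored
```

`forwarded_header` stands in for the BIG-IP appending the real client to whatever header the client supplied; `client_ip` is what the server-side filter should call instead of reading the leftmost entry of the header, which is the part an untrusted client controls.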