Forum Discussion
4 Replies
- keithhubb (Employee)
Unfortunately, there is not a way to send the client IP when using SNAT. I did find another DevCentral post that describes a workaround.
 
How to pass client IP to member for ssh/sftp VIP
 
If you add this iRule to your SSH virtual server...
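when LB_SELECTED {
    # Send a syslog message to the selected pool member recording the real client IP.
    # For remote logging, the destination address comes before the facility.level argument.
    log [LB::server addr] local0.info "Client [IP::client_addr] connected to [LB::server addr]"
}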
Then on your SSH servers allow incoming syslog from the F5 and update your syslog configuration file /etc/syslogd.conf by adding the following line. This will send incoming logs from the iRule to the same log file that logs SSH authentication in Ubuntu at least. The actual file will vary depending on OS.
local0.info /var/log/auth.log
So every time someone uses SSH to your virtual server they will get two log entries in auth.log on the Linux system. One with the connection details showing the original IP address and another showing the login from the local SSH daemon.
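The two auth.log entries described above can be paired up afterwards to attribute each SSH login to its original client. This is an added example, not part of the original post: the sample log lines, the BIG-IP line prefix, the iRule name `ssh_client_log`, the SNAT address and the 30-second window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of auth.log. Only the "Client ... connected to ..." text
# comes from the iRule; the BIG-IP line prefix and rule name are assumed.
SAMPLE = """\
Mar 14 10:15:01 bigip1 tmm[1234]: Rule /Common/ssh_client_log <LB_SELECTED>: Client 203.0.113.7 connected to 172.31.10.20
Mar 14 10:15:03 ssh01 sshd[4001]: Accepted password for alice from 172.31.10.6 port 40112 ssh2
Mar 14 10:20:10 bigip1 tmm[1234]: Rule /Common/ssh_client_log <LB_SELECTED>: Client 198.51.100.9 connected to 172.31.10.20
Mar 14 10:20:11 bigip1 tmm[1234]: Rule /Common/ssh_client_log <LB_SELECTED>: Client 192.0.2.44 connected to 172.31.10.20
Mar 14 10:20:13 ssh01 sshd[4017]: Failed password for root from 172.31.10.6 port 40120 ssh2
Mar 14 10:45:00 ssh01 sshd[4090]: Accepted publickey for bob from 172.31.10.6 port 40188 ssh2
"""

# Split the syslog header so text inside an sshd message (for example an
# attacker-chosen username) is never parsed as a BIG-IP entry.
LINE_RE = re.compile(r"^(.{15}) \S+ ([^\s\[:]+)(?:\[\d+\])?: (.*)$")
F5_RE = re.compile(r"Client (\S+) connected to (\S+)$")
SSH_RE = re.compile(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def correlate(text, snat_addrs, window=timedelta(seconds=30), year=2024):
    """Return (user, result, status, candidate_client_ips) per SNATed sshd event."""
    seen, results = [], []
    for line in text.splitlines():
        if not (hdr := LINE_RE.match(line)):
            continue
        stamp, tag, msg = hdr.groups()
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if tag == "sshd":
            m = SSH_RE.match(msg)
            if m and m.group(3) in snat_addrs:
                # The iRule does not log the SNAT source port, so the match is
                # by time only and can be ambiguous under concurrent logins.
                cands = [ip for t, ip in seen if timedelta(0) <= ts - t <= window]
                status = "unique" if len(cands) == 1 else "ambiguous" if cands else "unmatched"
                results.append((m.group(2), m.group(1), status, cands))
        elif m := F5_RE.search(msg):
            seen.append((ts, m.group(1)))
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE, {"172.31.10.6"}):
        print(row)
```

An "ambiguous" or "unmatched" result means the client IP cannot be asserted from these logs alone and should not be treated as evidence of a specific source.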
- Tom_K (Nimbostratus)
In this other post that you referred to, it suggests turning off automap and using the self IP address as the default gateway in the SSH server. My question is: I have lots of self IPs and floating IPs, how do I choose which one to use if the original source IP address is not in any of the F5 self IP / floating IP networks?
Your server must be in a network attached to the BIG-IP. Then it's the floating IP of the egress network when the traffic leaves the F5 on its way to your server.
For example, if your server was in the 172.31.10.0 network and the F5 had addresses of 172.31.10.5 (traffic-group-local-only) and 172.31.10.6 (traffic-group-1), then you would use 172.31.10.6 as the default route for your SSH server.