Preserving client IP address in any TCP session

When you use a reverse proxy like the F5 BIG-IP is, there's always a big discussion how to preserving the client ip address in any TCP session.

F5 has a document describing the different possibilities:

If the traffic is HTTP, you can use x-forwarded-for feature.
Note: For more information refer to: K4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT object
Preserving the client IP in layer 4 or layer 3.
Note: There is no option can be configured in the virtual server without disabling the SNAT. This is by design as BIG-IP acts a full-proxy in most cases.
Disabling SNAT is an option, which means no Address Translation occurs.
Note: You must ensure that servers will use F5 as the default gateway for replying back to the client, in order to prevent asymmetric routing.
If you are open to complex solution, you may use TCP Options to insert the client-IP into the TCP Header Options field.
Note: Configuring the BIG-IP to insert into the TCP header of a connection can be a complicated implementation can be found in DevCentral, or F5 professional services.
For more information refer to: DevCentral: Accessing TCP Options from iRules

You can finde the document here:

K12757773: Preserving client IP address in any TCP session

Another possible solution to the problem

You can use the Proxy Protocol to preserve a client’s IP address when that client’s connection passes through a proxy.

What is the Proxy Protocol? It is a network protocol for preserving a client’s IP address when the client’s TCP connection passes through a proxy. Without such a mechanism, proxies lose this information because they act as a surrogate for the client, relaying messages to the server but replacing the client’s IP address with their own. This distorts the logs of upstream servers because the logs incorrectly indicate that all traffic originated at the proxy.

See here: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address

This protocol is often used in Kubernetes clusters for preserving the source-ip address. In this case an external load balancer talks to the ingress controller with proxy protocol.

Link: https://kubernetes.io/docs/tutorials/services/source-ip/

F5 Container Ingress Service

F5 APM Microsoft Exchange 2016

F5 APM SSO Infos

Tuning the OneConnect Profile

Kerberos Delegation & Protocol Transition

BigIP DNS (Formerly GTM)

The Big-IP can be configured to use either tmm or mgmt interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.

Useful CLI commands F5

F5 fix Guided Configuration Installation

Flow Traffic TCP

Flow iRule Diagram (Event order)

Upgrade an Active-Standby Cluster

Preserving client IP address in any TCP session

Clearing the LCD and the Alarm LED remotely

APM: Variable Assign

F5 LTM TMSH Base Config

ASM Operation Manual

F5 iControlREST

F5 SNMP useful OIDs to monitor

F5 Programming

ASM Deployment

F5 REST-API (iControlREST)

F5 LTM Config Merge Procedure

F5 APM: Convert attribute values

VPN Client Troubleshooting

F5 Big-IP Advanced Troubleshooting

Send Logfiles to F5 Support and compress them

F5 Troubleshooting Links

F5 Monitoring Links

Preserving client IP address in any TCP session

Another possible solution to the problem

No Comments