TCP-proxy Client-IP

Community Forum Forums Thunder and AX Series General TCP-proxy Client-IP

Tagged: ,

This topic contains 29 replies, has 3 voices, and was last updated by avatar diederik 3 months, 4 weeks ago.

Viewing 15 posts - 16 through 30 (of 30 total)
  • Author
    Posts
  • #15382
    avatar
    diederik
    Member

    You do not need source nat to be able to route traffic from external IP addressing to internal IP adressing. Basic routing is done on destination address, and as long as the ADC knows how to forward the traffic to your internal network (I suppose it has an interface in your internal network) it will work.

    To forward traffic from the ADC to the servioce group, the destination address is altered. (Destination NAT). And that happens automatically when you have your ADC point the traffic to the IP addresses of the Envoy Proxy servers that are in your Service Group.

    Lets say we use a client from the internet which has a source in the 200.x.y.z range.
    And you service has a public IP address of 100.0.0.100

    The VIP on the ADC is 10.0.0.100 and the Envoy server the traffic gets forwarded to has 192.168.0.100 a private address.

    What you will see is that the external ip addressing is used for the outside session on the ADC and from the ADC without the Source-NAT it will only change the destination IP address.

    From client on the internet to the ADC
    external scr: 200.x.y.z
    external dst: 100.0.0.100

    From the ADC to the Envoy Proxy
    internal scr: 200.x.y.z
    internal dst: 192.168.0.100

    So when the traffic needs to go back from the proxy to the client om the internet, it will use the 200.x.y.z as destination address.
    Now you just need to make sure that that traffic passed from the Envoy Proxy through the A10 ADC back to the internet… when traffic returns over the A10 ADC, it will recognise the session and will Source-NAT it automatically back to the VIP address.

    From the Envoy Proxy to the ADC
    internal src: 192.168.0.100
    internal dst: 200.x.y.z

    From the ADC to the client on the internet
    external src: 100.0.0.100
    external dst: 200.x.y.z

    #15412
    avatar
    flaneur
    Member

    Thank you for the great answer but I can’t make it works.I have VIP with real external address and when disable Source-NAT to my internal network Virtual Service immediately refuses to work.In my routing table on the ADX side I have only one route from 0.0.0.0 /0 to my default gateway.Don’t know what to try :(

    #15422
    avatar
    diederik
    Member

    Ok, that is most likely because the Envoy proxies have a default gateway that is not the A10. Or maybe there is router between the A10 and the proxy?

    You need to take a look at the proxy and see where it sends the traffic that needs to go back to the internet. Check it’s routing table.

    If the Proxy and the A10 share the same broadcast domain, then you need to set the default gateway of the proxy to the A10 internal address. I assume you have VRRP-A setup, so set it to the floating address of your A10 cluster.
    I assume this is the case as the A10 only has a default gateway set, and no specific routes for the internal network.

    If there is one or more routers between the A10 and the proxy, you also need to make sure that those routers send the traffic in the right direction.

    But, make sure that this does not break other traffic flows in your network.

    Understand that if you do this, all traffic towards the internet from the proxy will go towards the A10.
    So if there is a service on the proxy that needs to update things like signatures/URL Classification lists/or maybe needs to talk to other devices in your network that are not in a broadcast domain of one of the interfaces, you need to fix that as well. Maybe through specific routes or by enabling outbound NAT on the A10 for the proxies.

    I would strongly suggest you contact the A10 Business partner or your A10 Systems Engineer/Account Team so they can assist you with finding out what the best approach is here.

    #15432
    avatar
    flaneur
    Member

    Unfortunately we don’t have any support from A10 and this is pain.Our hosting company provide us AX1030 load balancer but it seems that they don’t know much about it’s configuration or they don’t want to do this.

    #15442
    avatar
    diederik
    Member

    Well, the routing part is not specific to A10.
    The issue you are having getting the traffic back from the proxy to the A10, would be the same if you had any other equipment in place of the A10.
    This is basic networking.

    All they have to do is make sure the traffic from the Proxy is send back to the A10.
    So the configuration of the proxy needs to change first… not the A10.

    But of course you can always contact A10 to see who the contacts are in your region.
    You could hire A10’s Professional Services team to have a look.

    #15512
    avatar
    ericn
    Member

    In a common setup:

    slb server PROXY1 <some_private_ip>
      stuff
    slb server PROXY2 <other_private_ip>
       stuff
    slb service-group MY_Proxy
       member PROXY1 <port/s>
       member PROXY2 <port/s>
    slb virtual-server MYVIP <some_public_ip>
       port <port/s> TCP
          service-group MY_PROXY

    Client connects to <some_public_ip>, and the ADC does the NAT (Destination NAT, rather than SourceNAT) to the private IPs inside/behind the ACOS device.

    So on the outside, you route to the public_IP, and on the inside, you set the ADC as the default gateway of the inside hosts.

    For most topologies in use today (L3 Routed w/o SNAT, L3 Routed w/ SNAT, and L2 One Arm Mode), ACOS is doing DNAT.

    #15522
    avatar
    flaneur
    Member

    Yes,I have totally the same configuration as you described.But traffic didn’t route from <some_public_ip> to some_private_network until I enable Soutce-NAT configuration.That’s my problem now.I have also two interfaces in my ADC, one with Public IP and another one with Private IP.Can you suggest some ideas ?

    #15532
    avatar
    diederik
    Member

    To understand what is going on, we need to have the interface configuration information from both the proxy and the A10 and the routing table on both.

    #15542
    avatar
    flaneur
    Member

    Configuration on the server where Envoy proxy is installed:
    2 interfaces – public – ip network 212.32.x.x and private – ip network 10.201.0.x.
    routing table:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4
    10.0.0.0 0.0.0.0 255.128.0.0 U 0 0 0 br-bdfaffd0acf2
    10.201.0.0 0.0.0.0 255.255.252.0 U 0 0 0 eth5
    172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
    212.32.252.64 0.0.0.0 255.255.255.192 U 0 0 0 eth4

    Configuration on the ADC side:
    2 interfaces – ethernet1 and ethernet2
    ethernet1 – 212.32.x.x/27 – public interface with static ip which I use to access ADC web ui
    ethernet2 – 10.201.0.250/22 private interface to communicate with private network.
    Routing map on ADC:
    0.0.0.0 0.0.0.0 212.32.252.158 ethernet 1 Static
    212.32.252.128 255.255.255.224 0.0.0.0 ethernet 1 Connected
    ADC was setuped in gateway mode.
    VRRP-A isn’t used.
    What else information do you need ?

    #15552
    avatar
    diederik
    Member

    If this route on the Envoy:
    0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4

    Points towards the IP address of the A10 ADC then it should work.
    Unless something on your network is doing Proxy-ARP

    As the A10 does not have interfaces in the private IP range, you need to point the:

    slb server PROXY1 <some_private_ip>
      stuff
    slb server PROXY2 <other_private_ip>
       stuff

    Towards the public IP of the Envoy servers.

    Best is to do a packet trace on both the Envoy as well as on the A10 so you can exactly follow what is happening.

    #15562
    avatar
    flaneur
    Member

    0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4

    No this route isn’t to ADC, it is to some device from our hoster,I’m now trying to get information from our hoster about what is it.So I assume this is our global issue.

    #15642
    avatar
    flaneur
    Member

    Change the default gateway on the server with Envoy to A10 IP.Now I don’t know how to setup A10 in transparent mode,can you help ?

    #15652
    avatar
    diederik
    Member

    You do not need to set the A10 into transparent mode.
    I’m afraid this is not something that can easily be fixed using the forum.

    Somebody needs to have a look at the total setup suggest how all devices should be configured.

    I strongly suggest you to contact an A10 account team in your region so they can discuss the options to solve this.

    You can find local contact details here:
    https://www.a10networks.com/company/contact-us

    #15882
    avatar
    flaneur
    Member

    Do you know if AX1030 ADC use HA Porxy PROXY protocol to send client IP trough TCP ?
    I mean option Insert Client IP in Config Mode > SLB > Template > TCP Proxy.

    #15892
    avatar
    diederik
    Member

    Unfortunately, no, the A10 does not support the HA Proxy PROXY Protocol.

    It could possibly be build in aFlex, but then requires the port type HTTP.

    The option Client IP in the template TCP Proxy, uses the TCP Options.
    https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml

Viewing 15 posts - 16 through 30 (of 30 total)

You must be logged in to reply to this topic.

Comments are closed.