September 4, 2018 at 2:02 am #15382
You do not need source nat to be able to route traffic from external IP addressing to internal IP adressing. Basic routing is done on destination address, and as long as the ADC knows how to forward the traffic to your internal network (I suppose it has an interface in your internal network) it will work.
To forward traffic from the ADC to the servioce group, the destination address is altered. (Destination NAT). And that happens automatically when you have your ADC point the traffic to the IP addresses of the Envoy Proxy servers that are in your Service Group.
Lets say we use a client from the internet which has a source in the 200.x.y.z range.
And you service has a public IP address of 18.104.22.168
The VIP on the ADC is 10.0.0.100 and the Envoy server the traffic gets forwarded to has 192.168.0.100 a private address.
What you will see is that the external ip addressing is used for the outside session on the ADC and from the ADC without the Source-NAT it will only change the destination IP address.
From client on the internet to the ADC
external scr: 200.x.y.z
external dst: 22.214.171.124
From the ADC to the Envoy Proxy
internal scr: 200.x.y.z
internal dst: 192.168.0.100
So when the traffic needs to go back from the proxy to the client om the internet, it will use the 200.x.y.z as destination address.
Now you just need to make sure that that traffic passed from the Envoy Proxy through the A10 ADC back to the internet… when traffic returns over the A10 ADC, it will recognise the session and will Source-NAT it automatically back to the VIP address.
From the Envoy Proxy to the ADC
internal src: 192.168.0.100
internal dst: 200.x.y.z
From the ADC to the client on the internet
external src: 126.96.36.199
external dst: 200.x.y.zSeptember 4, 2018 at 7:23 am #15412
Thank you for the great answer but I can’t make it works.I have VIP with real external address and when disable Source-NAT to my internal network Virtual Service immediately refuses to work.In my routing table on the ADX side I have only one route from 0.0.0.0 /0 to my default gateway.Don’t know what to try :(September 4, 2018 at 7:37 am #15422
Ok, that is most likely because the Envoy proxies have a default gateway that is not the A10. Or maybe there is router between the A10 and the proxy?
You need to take a look at the proxy and see where it sends the traffic that needs to go back to the internet. Check it’s routing table.
If the Proxy and the A10 share the same broadcast domain, then you need to set the default gateway of the proxy to the A10 internal address. I assume you have VRRP-A setup, so set it to the floating address of your A10 cluster.
I assume this is the case as the A10 only has a default gateway set, and no specific routes for the internal network.
If there is one or more routers between the A10 and the proxy, you also need to make sure that those routers send the traffic in the right direction.
But, make sure that this does not break other traffic flows in your network.
Understand that if you do this, all traffic towards the internet from the proxy will go towards the A10.
So if there is a service on the proxy that needs to update things like signatures/URL Classification lists/or maybe needs to talk to other devices in your network that are not in a broadcast domain of one of the interfaces, you need to fix that as well. Maybe through specific routes or by enabling outbound NAT on the A10 for the proxies.
I would strongly suggest you contact the A10 Business partner or your A10 Systems Engineer/Account Team so they can assist you with finding out what the best approach is here.September 4, 2018 at 8:13 am #15432
Unfortunately we don’t have any support from A10 and this is pain.Our hosting company provide us AX1030 load balancer but it seems that they don’t know much about it’s configuration or they don’t want to do this.September 4, 2018 at 8:19 am #15442
Well, the routing part is not specific to A10.
The issue you are having getting the traffic back from the proxy to the A10, would be the same if you had any other equipment in place of the A10.
This is basic networking.
All they have to do is make sure the traffic from the Proxy is send back to the A10.
So the configuration of the proxy needs to change first… not the A10.
But of course you can always contact A10 to see who the contacts are in your region.
You could hire A10’s Professional Services team to have a look.September 6, 2018 at 1:28 pm #15512
In a common setup:
slb server PROXY1 <some_private_ip> stuff slb server PROXY2 <other_private_ip> stuff slb service-group MY_Proxy member PROXY1 <port/s> member PROXY2 <port/s> slb virtual-server MYVIP <some_public_ip> port <port/s> TCP service-group MY_PROXY
Client connects to <some_public_ip>, and the ADC does the NAT (Destination NAT, rather than SourceNAT) to the private IPs inside/behind the ACOS device.
So on the outside, you route to the public_IP, and on the inside, you set the ADC as the default gateway of the inside hosts.
For most topologies in use today (L3 Routed w/o SNAT, L3 Routed w/ SNAT, and L2 One Arm Mode), ACOS is doing DNAT.September 7, 2018 at 5:24 am #15522
Yes,I have totally the same configuration as you described.But traffic didn’t route from <some_public_ip> to some_private_network until I enable Soutce-NAT configuration.That’s my problem now.I have also two interfaces in my ADC, one with Public IP and another one with Private IP.Can you suggest some ideas ?September 7, 2018 at 5:28 am #15532
To understand what is going on, we need to have the interface configuration information from both the proxy and the A10 and the routing table on both.September 7, 2018 at 5:45 am #15542
Configuration on the server where Envoy proxy is installed:
2 interfaces – public – ip network 212.32.x.x and private – ip network 10.201.0.x.
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4
10.0.0.0 0.0.0.0 255.128.0.0 U 0 0 0 br-bdfaffd0acf2
10.201.0.0 0.0.0.0 255.255.252.0 U 0 0 0 eth5
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
188.8.131.52 0.0.0.0 255.255.255.192 U 0 0 0 eth4
Configuration on the ADC side:
2 interfaces – ethernet1 and ethernet2
ethernet1 – 212.32.x.x/27 – public interface with static ip which I use to access ADC web ui
ethernet2 – 10.201.0.250/22 private interface to communicate with private network.
Routing map on ADC:
0.0.0.0 0.0.0.0 184.108.40.206 ethernet 1 Static
220.127.116.11 255.255.255.224 0.0.0.0 ethernet 1 Connected
ADC was setuped in gateway mode.
VRRP-A isn’t used.
What else information do you need ?September 7, 2018 at 5:57 am #15552
If this route on the Envoy:
0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4
Points towards the IP address of the A10 ADC then it should work.
Unless something on your network is doing Proxy-ARP
As the A10 does not have interfaces in the private IP range, you need to point the:
slb server PROXY1 <some_private_ip> stuff slb server PROXY2 <other_private_ip> stuff
Towards the public IP of the Envoy servers.
Best is to do a packet trace on both the Envoy as well as on the A10 so you can exactly follow what is happening.September 7, 2018 at 6:01 am #15562
0.0.0.0 212.32.x.x 0.0.0.0 UG 0 0 0 eth4
No this route isn’t to ADC, it is to some device from our hoster,I’m now trying to get information from our hoster about what is it.So I assume this is our global issue.September 12, 2018 at 5:18 am #15642
Change the default gateway on the server with Envoy to A10 IP.Now I don’t know how to setup A10 in transparent mode,can you help ?September 12, 2018 at 5:58 am #15652
You do not need to set the A10 into transparent mode.
I’m afraid this is not something that can easily be fixed using the forum.
Somebody needs to have a look at the total setup suggest how all devices should be configured.
I strongly suggest you to contact an A10 account team in your region so they can discuss the options to solve this.
You can find local contact details here:
https://www.a10networks.com/company/contact-usSeptember 24, 2018 at 6:06 am #15882
Do you know if AX1030 ADC use HA Porxy PROXY protocol to send client IP trough TCP ?
I mean option Insert Client IP in Config Mode > SLB > Template > TCP Proxy.September 24, 2018 at 6:19 am #15892
Unfortunately, no, the A10 does not support the HA Proxy PROXY Protocol.
It could possibly be build in aFlex, but then requires the port type HTTP.
The option Client IP in the template TCP Proxy, uses the TCP Options.
You must be logged in to reply to this topic.