Load Balancing without NAT

Question
Contributor
April 21, 2011
7 replies
7702 views
Hi, we configured load balancing on a 311B. In load balancing: one virtual server IP (EXT IP) and two real servers, INTIP1 and INTIP2. We define a policy from ANY to VirtualServer, accept and NO NAT!! We notice that NAT is applied however, and on the real server we lose information about the original IP that is connecting to our server. We need load balancing and we need to have the original client IP that is browsing our sites. Is it possible to disable this implicit NAT??? Any suggestion?

    7 replies

    ede_pfau
    SuperUser
    April 21, 2011
    Hi, there is no such thing as "implicit NAT". A VIP does destination NAT (with or without L-B). The NAT checkbox in the policy does source NAT. Could it be that traffic uses a different policy? Is the NATted source address of the visiting hosts the IP address of the (external) interface?
    Contributor
    April 21, 2011
    With the CLI command diag sni .... we saw that the right policy is applied, and the dia sni... command also shows that SNAT is applied, but there is no NAT setting in the policy.
    FortiRack_Eric
    New Member
    April 21, 2011
    Load balancing is dynamic 1-to-many destination NAT! There is an option to multiplex HTTP requests over a single TCP connection and then preserve the client IP.
    Contributor
    April 21, 2011
    The problem is that we get a source NAT and we don't want a source NAT. Assume our virtual server IP is 192.168.1.250, real IP server1 192.168.2.251, real IP server2 192.168.2.252. Client 1.1.1.1 browses to 192.168.1.250 and load balancing sends it to 192.168.2.251 (first available). When we look at the 192.168.2.251 access log we see a request from 192.161.1.250 to 192.168.2.251, and we LOSE the information of the original IP 1.1.1.1. We also tried the option to preserve the client IP, but that sets the client IP in the HTTP header X-Forwarded-For; the connection is NATted and this is not good for us... We need to balance non-HTTP servers too and send information about the original source IP to the real server (mail, streaming, ...).
    ede_pfau
    SuperUser
    April 21, 2011
    That looks more like a 'man-in-the-middle' situation than a source NAT. Do you scan HTTPS traffic using this VIP?
    Contributor
    April 22, 2011
    I think that is a bug in Fortinet, because we don't want source NAT, but when using a virtual server source NAT seems to be implicit.
    wael
    New Member
    February 26, 2012
    I am facing the same problem also, any solution??
    rickards
    New Member
    June 21, 2012
    Just curious if anyone has found a solution to this issue yet ?
    enzy
    New Member
    July 6, 2012
    Hi, I think something went wrong with the configuration of your VIP. Can you connect to the CLI and make the following configuration (make a backup first, etc. etc.):

        config firewall vip
            edit name_of_your_vip
                set nat-source-vip disable
        end

    Description of that option: Enable to prevent unintended servers from using a virtual IP. The virtual IP will be used as the source IP address for connections from the server through the FortiGate unit. Disable to use the actual IP address of the server (or the FortiGate destination interface if using NAT) as the source address of connections from the server that pass through the FortiGate unit. Which is exactly what you are experiencing (source address gets translated to the VIP); this should fix your issue.
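Added example, not from the thread or from Fortinet: the server-load-balance VIP and the policy the question describes, written out in full in FortiOS 4.x CLI syntax, with the two settings the thread identifies as translating the source address (the policy NAT checkbox and nat-source-vip) shown enabled and then disabled. The addresses are the ones from the question; the VIP name lb-web, the interface names wan1 and internal, the service HTTP, the ldb-method and the policy number are assumptions.

```fortios
# --- Configuration that hides the client address from the real servers ---
# Policy NAT enabled: source NAT to the FortiGate's outgoing interface address.
# nat-source-vip enabled: per the option's description quoted above, the VIP
# is used as the source address for connections from the server.
config firewall vip
    edit "lb-web"                       # assumed name
        set type server-load-balance
        set extip 192.168.1.250         # virtual server IP from the question
        set extintf "wan1"              # assumed external interface
        set server-type tcp             # non-HTTP services too, as the question needs
        set ldb-method first-alive      # "first available" in the question
        set nat-source-vip enable
        config realservers
            edit 1
                set ip 192.168.2.251
                set port 80
            next
            edit 2
                set ip 192.168.2.252
                set port 80
            next
        end
    next
end
config firewall policy
    edit 10                             # assumed policy id
        set srcintf "wan1"
        set dstintf "internal"          # assumed internal interface
        set srcaddr "all"
        set dstaddr "lb-web"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable                  # the NAT checkbox: source NAT applied
    next
end

# --- Configuration that leaves the client address intact ---
# Same VIP and policy; only the two source-translation settings change.
config firewall vip
    edit "lb-web"
        set nat-source-vip disable      # the fix enzy suggests
    next
end
config firewall policy
    edit 10
        set nat disable                 # no source NAT in the policy
    next
end
```

With both settings disabled, the VIP still rewrites the destination (that is what load balancing is, as ede_pfau and FortiRack_Eric note) but nothing rewrites the source, so the real server's logs should show 1.1.1.1 rather than 192.168.1.250. The same sniffer check the question used (diag sni ... on the internal interface) is the place to confirm it: the packets leaving towards 192.168.2.251 should carry the client's address. Note that the real servers must route return traffic to 1.1.1.1 back through the FortiGate, otherwise replies bypass the VIP and the connection fails.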