How is this being accomplished? Outgoing NAT question. 1

[Kooch]

This isn't something that is broken and I need fix, it's actually something that is working but I don't understand how, and I would really like to know.

The setup: We have a Sonicwall 4500 as the gateway to our network. Behind that is a load balancer with a VIP setup pointing to two web servers. The VIP is accessible from outside with an IP different than the Sonicwall's public IP via an incoming NAT policy on the SW. There is no outgoing NAT setup.

Now, my question revolves around enabling IP spoofing (client impersonation) on the load balancer. With spoofing disabled I am able to connect to the web servers by way of the VIP's public IP from outside, or by just hitting the VIP directly while inside the network. Everything makes sense so far, the downside being that the web servers see all of their connections coming from the load balancer's internal IP rather than by the external addresses of the clients. This makes intuitive sense as the web servers would send their traffic back to the load balancer which would pass it on from there.

With IP spoofing enabled I am unable to hit the web servers by going through the VIP internally. This also makes intuitive sense to me because the web server would receive traffic that was marked as coming from an internal source (my PC in this case) and it would send its response traffic directly back to my PC rather than going through the load balancer. This would make the conversation fail as traffic coming back to my PC would have one of the web server's as a source, rather than the VIP which is what would be expected. We're all good so far.

The part I don't understand is that with spoofing enabled connections originating from outside the network can hit the VIP via incoming NAT and the conversation seems to work just fine. Now, I can watch the traffic come in and go out so I know that the web servers are sending their responses directly back to the SW rather than through the balancer. The Sonicwall forwards that traffic back to the external source. At the external source I see that the SW has rewritten the source as the public IP of the VIP, NOT the public IP of the Sonicwall so the conversation is able to take place.

After all that, how does the Sonicwall recognize that the traffic coming directly from the web server is part of the same conversation as the traffic it had forwarded to the load balancer's VIP? If I just send out a ping or something from the web servers the SW does not translate the source and the pings appear to come from the SW's public IP. What is the mechanic by which this works? Does that SW tack on some extra information that it uses to determine this kind of thing? Does it pay attention to the x-fowarded-for header that the LB tacks on?

Thanks to anyone who can satisfy my curiousity!

Brett

 

[Dinkytoy]

If you have used the public server wizard to create the NAT rules then there will be NAT rules created for inbound and outbound. I'm not familiar with the specifics of your load balancer but the ones we use require the VIP IP address to be used on the loopback adapter of the server. This means the server can source its' traffic from the the private VIP IP and the SW simply translates it back out via the outbound NAT.

Now it won't do this your ping packets is for two reasons. First that the NAT rules you probably have do not specifically have an outbound NAT for this changing the public IP over that port. Second the source IP used will be the primary IP address of the web server, not the loopback thus the SW will not use the NAT as the source IP is different.

Hope this makes sense.