This isn't something that is broken and I need to fix, it's actually something that is working but I don't understand how, and I would really like to know.
The setup: We have a Sonicwall 4500 as the gateway to our network. Behind that is a load balancer with a VIP set up pointing to two web servers. The VIP is accessible from outside with an IP different than the Sonicwall's public IP via an incoming NAT policy on the SW. There is no outgoing NAT set up.
Now, my question revolves around enabling IP spoofing (client impersonation) on the load balancer. With spoofing disabled I am able to connect to the web servers by way of the VIP's public IP from outside, or by just hitting the VIP directly while inside the network. Everything makes sense so far, the downside being that the web servers see all of their connections coming from the load balancer's internal IP rather than by the external addresses of the clients. This makes intuitive sense as the web servers would send their traffic back to the load balancer which would pass it on from there.
With IP spoofing enabled I am unable to hit the web servers by going through the VIP internally. This also makes intuitive sense to me because the web server would receive traffic that was marked as coming from an internal source (my PC in this case) and it would send its response traffic directly back to my PC rather than going through the load balancer. This would make the conversation fail as traffic coming back to my PC would have one of the web servers as a source, rather than the VIP which is what would be expected. We're all good so far.
The part I don't understand is that with spoofing enabled connections originating from outside the network can hit the VIP via incoming NAT and the conversation seems to work just fine. Now, I can watch the traffic come in and go out so I know that the web servers are sending their responses directly back to the SW rather than through the balancer. The Sonicwall forwards that traffic back to the external source. At the external source I see that the SW has rewritten the source as the public IP of the VIP, NOT the public IP of the Sonicwall so the conversation is able to take place.
After all that, how does the Sonicwall recognize that the traffic coming directly from the web server is part of the same conversation as the traffic it had forwarded to the load balancer's VIP? If I just send out a ping or something from the web servers the SW does not translate the source and the pings appear to come from the SW's public IP. What is the mechanic by which this works? Does the SW tack on some extra information that it uses to determine this kind of thing? Does it pay attention to the X-Forwarded-For header that the LB tacks on?
Thanks to anyone who can satisfy my curiosity!
Brett
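As an added illustration (not from the post, and not SonicOS code), here is a toy model of the conventional stateful NAT mechanic the question is about: an inbound policy creates a connection-cache entry, and only an inside packet whose 5-tuple is the exact reverse of that entry is translated back to the policy's public address; anything else falls through to the default outbound masquerade. All addresses are constructed, and the model assumes the reply the firewall sees carries the VIP as its source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulNat:
    """Toy stateful firewall: one inbound NAT policy table plus default
    outbound masquerade. Illustration only, not SonicOS behaviour."""
    def __init__(self, fw_public, inbound):
        self.fw_public = fw_public      # firewall's own public address
        self.inbound = inbound          # {public_ip: private_ip} inbound policies
        self.cache = {}                 # reverse 5-tuple -> public address to restore

    def from_outside(self, p):
        """WAN -> LAN: rewrite dst per inbound policy, remember the reverse tuple."""
        priv = self.inbound.get(p.dst)
        if priv is None:
            return None                 # no policy, dropped
        self.cache[(p.proto, priv, p.dport, p.src, p.sport)] = p.dst
        return Pkt(p.proto, p.src, p.sport, priv, p.dport)

    def from_inside(self, p):
        """LAN -> WAN: an exact reverse-tuple hit restores the policy's public
        address; anything else (a ping, a reply from another host) is masqueraded."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        pub = self.cache.get(key)
        if pub is not None:
            return Pkt(p.proto, pub, p.sport, p.dst, p.dport), "inbound-policy reply"
        return Pkt(p.proto, self.fw_public, p.sport, p.dst, p.dport), "default outbound NAT"

# Constructed addresses (documentation ranges), not the asker's real ones.
SW_PUB, VIP_PUB, VIP_PRIV, WEB1, CLIENT = (
    "203.0.113.1", "203.0.113.20", "10.0.0.20", "10.0.0.31", "198.51.100.5")

def run_scenario():
    fw = StatefulNat(SW_PUB, {VIP_PUB: VIP_PRIV})
    req = Pkt("tcp", CLIENT, 40000, VIP_PUB, 80)
    inside = fw.from_outside(req)                       # dst becomes VIP_PRIV
    reply_as_vip = fw.from_inside(Pkt("tcp", VIP_PRIV, 80, CLIENT, 40000))
    reply_as_web = fw.from_inside(Pkt("tcp", WEB1, 80, CLIENT, 40000))
    ping = fw.from_inside(Pkt("icmp", WEB1, 0, CLIENT, 0))
    return {"inside_dst": inside.dst, "vip_reply_src": reply_as_vip[0].src,
            "web_reply_src": reply_as_web[0].src, "ping_src": ping[0].src,
            "vip_reply_how": reply_as_vip[1], "ping_how": ping[1]}
```

Under this model the observed rewrite to the VIP's public IP happens only when the reply's source and ports mirror the cached inbound entry; a reply sourced from a web server's own address, like the ping, would be masqueraded as the firewall's public IP instead, which is a quick way to check what the SW is actually seeing.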