Meraki

Community

Send Internet user's public IP to LAN-side web server

Solved
AJ
Here to help
‎Sep 28 2023 6:39 AM
‎Sep 28 2023 6:39 AM

Send Internet user's public IP to LAN-side web server

I have a publicly accessible web server, and I'd like for it to receive all users' public IP addresses, rather than the firewall's address, so that it can attempt to cooldown and ban bad actors that try to hack a portal login. Other communities say that it's possible for some firewalls to replace the forwarded packet's IP with the user's real IP instead of forwarding its own IP address. Can this be done with a MX64?

 

I don't want to capture the HTTP_X header info, since that can be spoofed by the user. JS based answers mention that they can capture and send a client's IP address, but then it's usually a private one.

0 Kudos
1 Accepted Solution
In response to AJ
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 28 2023 8:55 AM
‎Sep 28 2023 8:55 AM

All 3 of the features mentioned work similarly. The MX is not altering the Source IP, it alters the destination IP. You just need to monitor the Source IP for the requests. The MX IP shouldn't be observed, and the only information to identify the MX would be the MACID since it is L2 between the web server and MX. Unless there is a Proxy involved I wouldn't expect to see anything but the public IP of the clients making the request. 

View solution in original post

4 Replies 4
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 28 2023 8:19 AM
‎Sep 28 2023 8:19 AM

If you are using port forwarding, 1:many, or 1:1 rules the mx will forward the public IP of the users, it would alter the destination IP from the Public IP to the Private IP of the server. The MACID would be altered since it is routed but assuming you are capturing the source IP it should be the public IP of the users. This assumes the website is behind an MX64. 

0 Kudos
AJ
Here to help
‎Sep 28 2023 8:45 AM
‎Sep 28 2023 8:45 AM

I may be looking at the wrong settings, but when I attempt to make a 1:1 NAT or 1:Many NAT, it wants me to set up a known public IP for use by an LAN device, but that's not what I need. I do have a port forwarding rule to get HTTP traffic from the WAN to the LAN web server, and of course the web server sees the firewall's IP as opposed to the user's IP. What I'm attempting to change on the incoming packets is the WAN user's IP, so the LAN web server can see that instead of the firewall IP.

0 Kudos
In response to AJ
leewalhovd
Meraki Employee
Meraki Employee
‎Sep 28 2023 8:55 AM
‎Sep 28 2023 8:55 AM

All 3 of the features mentioned work similarly. The MX is not altering the Source IP, it alters the destination IP. You just need to monitor the Source IP for the requests. The MX IP shouldn't be observed, and the only information to identify the MX would be the MACID since it is L2 between the web server and MX. Unless there is a Proxy involved I wouldn't expect to see anything but the public IP of the clients making the request. 

AJ
Here to help
‎Sep 28 2023 10:14 AM
‎Sep 28 2023 10:14 AM

I'm not sure what happened. Previously the only WAN public IP returned by PHP's $_SERVER['REMOTE_HOST'] was the firewall's. All LAN client private IPs were already visible. Now I'm suddenly seeing WAN client public IP's via that server variable. I didn't change anything on the MX.

 

Thank you for helping. You clarified that the MX is already configured as needed. I'm wondering if there's something in IIS that maybe mucking things up.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.