
LoadBalancer does not preserve source IP address, when forwarding TCP/UDP packets with externalTrafficPolicy=Local

Open · gnarlex opened this issue 3 months ago · 1 comment

Expected behavior: If my service object of type LoadBalancer has externalTrafficPolicy set to Local, the forwarded packets should preserve the original client source IP address.

Actual behavior: TCP/UDP packets arriving at the pod have their source IP set to the LoadBalancer IP.

Context: This is important for some protocols, such as STUN, which allow clients to discover their public IP address and the type of NAT they are behind.

Steps to reproduce:

  1. Deploy a single replica deployment, running netcat on port 22333 (nc -lvk 22333)
  2. Service object with type: LoadBalancer and externalTrafficPolicy: Local, forwarding traffic to that deployment on port 22333
  3. Wait for IP to be assigned.
  4. On client, open netcat connection to server (nc -v $IP 22333)
  5. On the server, it should now display the IP of the respective LoadBalancer (instead of the IP of the client).

gnarlex, Oct 14 '25 11:10

Hi @gnarlex thanks for reporting this issue.

This works as designed, as YAWOL is deploying an envoy proxy which does SNAT on the traffic. To work around this, you can enable the PROXY protocol: https://github.com/stackitcloud/yawol/blob/9e210e952eb33f5d09766f5d53dbcb185a2ae5c5/README.md?plain=1#L274-L275 (FYI: this only applies when using YAWOL directly, not when using the LBs provisioned by managed STACKIT Kubernetes Engine clusters. For STACKIT LBs please consult the official documentation)

Keep in mind that your application must be capable of parsing the PROXY protocol packets!

Kumm-Kai, Nov 10 '25 14:11
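Once the PROXY protocol is enabled on the load balancer, the application behind it has to strip the header that the proxy prepends to each TCP stream and take the client address from it; the source address of the socket itself is still the SNAT'd proxy address. The Go parser below is an added example, not part of YAWOL or of this thread; it assumes the proxy sends the PROXY protocol v1 text header ("PROXY TCP4 <src> <dst> <sport> <dport>\r\n"), and the `ProxyHeader` type and function names are my own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ProxyHeader is the client/proxy address pair carried by a PROXY v1 line.
type ProxyHeader struct {
	Proto            string // "TCP4" or "TCP6"
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// ParseProxyV1 parses one v1 header line of the form
// "PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n".
// Only the text (v1) form is handled here; the binary v2 form is not.
func ParseProxyV1(line string) (*ProxyHeader, error) {
	// A v1 header is at most 107 bytes including the CRLF terminator.
	if !strings.HasSuffix(line, "\r\n") || len(line) > 107 {
		return nil, errors.New("malformed PROXY v1 header")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, errors.New("unsupported or malformed PROXY v1 header")
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	sport, err1 := strconv.Atoi(f[4])
	dport, err2 := strconv.Atoi(f[5])
	if src == nil || dst == nil || err1 != nil || err2 != nil ||
		sport < 0 || sport > 65535 || dport < 0 || dport > 65535 {
		return nil, errors.New("invalid address or port in PROXY v1 header")
	}
	return &ProxyHeader{Proto: f[1], SrcIP: src, DstIP: dst, SrcPort: sport, DstPort: dport}, nil
}

// ReadProxyV1 consumes the header line that the proxy sends before any
// application data, leaving the reader positioned at the real payload.
func ReadProxyV1(r *bufio.Reader) (*ProxyHeader, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return nil, fmt.Errorf("reading PROXY header: %w", err)
	}
	return ParseProxyV1(line)
}
```

Wrap the accepted net.Conn in a bufio.Reader, call ReadProxyV1 once, and use SrcIP/SrcPort as the client identity; a connection without a valid header should be rejected, since a proxy configured to send the header never omits it.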