Loadbalancing --> failover
-
Due to the lack of sticky bit support in 1.2 I'm forcing some ports/protocols to one of my WAN links. Otherwise, I get a lot of failed authentication issues when requests are split over both links. Then I just load balance everything else. This works fine except when one of the WAN links fails. I'm having some trouble coming up with a working config where it reverts from loadbalancing to FAILOVER in the event one of the links dies. Can someone point me in the right direction?
Thanks,
FG
-
Are you saying that if one wan fails you can't access the web? Post your rules and pools.
In many cases, just using fail over pools makes more sense.
-
Sorry. Perhaps I'm just being unclear. I'm using failover links per the instructions in the multiwan config wiki article. My issue when both links are up is that without sticky bits the users sometimes have trouble with authentication when some packets come from one wan link and other packets for the same session route over the opt link. So what I've done is to force https and ftp to always use the WAN link. If either one of the links goes down, normal http traffic is fine since the loadbalancer fails over to the working link. But if it is the WAN link that happens to fail, http traffic is fine, but https/ftp traffic fails. In the event the WAN link goes away, I guess I'm looking for a clean way to THEN route those protocols to the opt link until the WAN link comes back up. I hope that is more clear. In a perfect world, I'd just turn on sticky connections and the load balancer should take care of this automagically.
Best,
-
Yes, ftp will not work: http://forum.pfsense.org/index.php/topic,9293.0.html
but https should with a failover pool
-
Ftp only doesn't work if you're using the ftp-helper.
If you disable the ftp-helper and allow all ports outbound even that "should" work with a failoverpool.
-
> Ftp only doesn't work if you're using the ftp-helper.
> If you disable the ftp-helper and allow all ports outbound even that "should" work with a failoverpool.

According to Hoba in the above referenced thread, ftp-helper MUST be enabled in a multiwan environment and it forces all FTP connections to the WAN interface. I guess I'll have to try some tests and see if this continues to work when the WAN link goes away in a loadbalanced config.
Cheers,
-
I think what GF is saying is without any loadbalancing.
So if you disable FTP helper on all the interfaces you could go with something like this
A dedicated pc is used for p2p where the loadbalanced pool is used (FTP will not work for it)
And I split users with CIDR. As an alternative, an alias could be used with a smaller set of users.
-
Yes that's about what I meant.
You could also set something like this up:
rule1: source:lan ; sourceport:any ; destination:any ; destinationport: 80 ; gateway:Loadbalancing
rule2: source:lan ; sourceport:any ; destination:any ; destinationport: any ; gateway:Failover
Or replace the "destinationport: 80" in the first rule with an alias with all the protocol-ports you would like to balance.
Like this you default everything to failover only (like ftp) but have loadbalancing for all the services you mostly want to balance (like http).
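
The two-rule layout from the last post, modelled as an added example that is not part of the thread and not pfSense code: it shows which link a new connection leaves through when both links are up and when WAN is down. Assumptions: the links are named WAN and OPT1, the Loadbalancing pool round-robins over live members, the Failover pool uses the first live member in order, rules are first-match, and ftp-helper behaviour is not modelled.

```python
from itertools import count

# Constructed model of the thread's setup; names and semantics are assumptions.
POOLS = {
    "Loadbalancing": {"mode": "balance", "members": ["WAN", "OPT1"]},
    "Failover": {"mode": "failover", "members": ["WAN", "OPT1"]},
}

# First match wins, top to bottom, like the LAN rule list.
RULES = [
    {"dst_ports": {80}, "gateway": "Loadbalancing"},  # rule1
    {"dst_ports": None, "gateway": "Failover"},       # rule2: any port
]


def pick_link(dst_port, link_up, rr):
    """Return the link a new connection to dst_port uses, or None if none is up."""
    for rule in RULES:
        if rule["dst_ports"] is None or dst_port in rule["dst_ports"]:
            pool = POOLS[rule["gateway"]]
            alive = [m for m in pool["members"] if link_up[m]]
            if not alive:
                return None
            if pool["mode"] == "failover":
                return alive[0]  # primary while it is up, else the next member
            return alive[next(rr) % len(alive)]  # round-robin over live members
    return None


def simulate(ports, link_up):
    """Route a sequence of new connections; each keeps its link for its lifetime."""
    rr = count()
    return [(p, pick_link(p, link_up, rr)) for p in ports]


if __name__ == "__main__":
    conns = [80, 80, 443, 21]
    print("both up :", simulate(conns, {"WAN": True, "OPT1": True}))
    print("WAN down:", simulate(conns, {"WAN": False, "OPT1": True}))
```

With both links up, HTTPS and FTP stay pinned to WAN, which avoids the split-session authentication failures described in the first post, and they move to OPT1 only when WAN is down.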