Netgate Discussion Forum
    Loadbalancer

    Routing and Multi WAN
      zetar

      Hello everyone.
      Sorry for not thanking the people who have responded in previous posts, but I've been away.
      I do it now, thanks to everyone and administrator.
      Now to the problem: I turned on the load balancer and it seems to work well, but it creates a problem. I am no longer able to access webmail; you always get an error:
      "You already have a session in garden, you have to close it." Even to send this post, I struggled.
      Why, what's the problem?
      Thanks.

        skear

        You probably need to enable sticky connections.  HTTPS gets confused when requests come from different IPs during a session.  In pfSense 2.0 this setting is found under System\advanced\miscellaneous.  In 1.2.x the setting might have been in a slightly different location, I can't remember exactly but it is there.

        Check out my pfSense guides

          zetar

          Thank you for your reply. I already tried that, but it does not change anything; I am immediately logged out of webmail.
          "Make sure you do not have MAIL Virgil opened in another tab or browser window.
          Virgilio Mail continues to use the active window. "

            stephenw10 Netgate Administrator

            You could add a firewall rule that directs all traffic with destination 'your web mail server' to only one gateway.
            Of course you then won't get any load balancing for webmail or failover.

            Steve

              Nachtfalke

              @stephenw10:

              You could add a firewall rule that directs all traffic with destination 'your web mail server' to only one gateway.
              Of course you then won't get any load balancing for webmail or failover.

              Steve

              If you do this with a static gateway, you are right, there will be no failover. This is not really elegant.

              The better way is to create a second gateway group with a different Tier for both lines and use this group as the gateway in firewall rules. So if one line goes down it will use the other one. So you have failover and a kind of "sticky connections".

              Instead of sticky connections I would create an alias with https (443), rdp (3389) and ssh (22) and use this as the DESTINATION ports for the "failover" gateway group created above.

                stephenw10 Netgate Administrator

                Yes that's a much better solution. Good call.

                You may not want to include all https traffic though, as not all sites have a problem with load balancing, gmail for example.
                It would probably reduce user complaints though!  ::)

                Steve

                  Nachtfalke

                  You are right. Not all sites have problems with load balancing.
                  If you have 2 WAN interfaces and a /24 subnet on the LAN interface, you could create two failover groups for https, then halve the subnet into two /25s and route the first half to failover group 1 and the other half to failover group 2.

                  I think this is much easier to administer than to route individual IPs and add them whenever a user "cries" because he could not load a page ;)

                    zetar

                    Thanks for the answers.
                    Let's simplify things: I do not care whether it does load balancing or failover, I just want a rule that does not create problems with the webmail and https.
                    Please explain to me how I can do it.
                    I have 3 WANs and a /22 LAN subnet.
                    Thanks.

                      stephenw10 Netgate Administrator

                      If you don't care about failover for HTTPS traffic then:

                      Create a new firewall rule on your LAN interface

                      Proto   Source        Port   Destination   Port   Gateway   Queue
                      tcp     LAN Subnet    *      *             443    WAN1      none

                      Instead of WAN1 use whichever of your WANs is fastest or most reliable.

                      Crucially, make sure this rule is above the load balancing rule and below the anti-lockout rule.

                      If that works ok for you you could change it to a failover setup later.

                      Steve

                        zetar

                        Thank you for your cooperation.
                        I made the rule; I attach a screenshot, but it need not be the same.
                        Thanks.

                        [screenshot: Rules.png]

                          stephenw10 Netgate Administrator

                          That looks correct. Is it working?

                            zetar

                            Hello, it is the same: the session cannot be closed immediately. I attach screenshots of the entire page; I do not use port 443.
                            Thanks.

                            [screenshots: login.png, Session out.png]

                              stephenw10 Netgate Administrator

                              Hmmm,
                              Seems strange not to be using https.
                              You could still try adding a rule to send all traffic with destination mail.virgilio.it to one gateway.
                              You cannot enter a URL though; you have to enter it as a single host: 212.48.10.165.

                              Steve

                                zetar

                                It should not be, in any of the ways I've tried.
                                Let's do this: if I wanted an address on the LAN to be on a single gateway, what rule should apply? Make me an example.
                                Thanks.

                                  stephenw10 Netgate Administrator

                                  If you wanted to just have a single LAN address use one WAN then your rule should be:

                                  Proto   Source    Port   Destination   Port   Gateway   Queue
                                  *       yourIP    *      *             *      WAN1      none

                                  Steve

                                    aries

                                    My experience with virgilio.it not loading properly or being redirected is when I used squid with filtering… but I guess you're not using squid and doing some filtering, right?

                                      zetar

                                      Thank you for your reply.
                                      That rule works fine.
                                      I do not think there is a solution to the problem in question; at least I have done many tests but have not solved it. If there are other ideas to try, I'd be happy to try them.
                                      Thanks again.

                                        stephenw10 Netgate Administrator

                                        If you enable logging on that rule and then log in to your webmail, you can check the logs to see exactly which connections are required. Then you can make a rule to fit that information.
                                        Remember to turn off logging on the rule afterwards or you will quickly fill the logs.

                                        Steve

                                          zetar

                                          @aries:

                                          My experience with virgilio.it not loading properly or being redirected is when I used squid with filtering… but I guess you're not using squid and doing some filtering, right?

                                          I do not understand; I do not use Squid.

                                            stephenw10 Netgate Administrator

                                            Is that from a packet capture?
                                            You should probably remove it since it lists your own IP.

                                            I had intended you to use the firewall log.

                                            Anyway, I can see your address performing a DNS lookup on three separate hostnames:
                                            www.virgilio.it, i.plug.it and secure-it.imrworldwide.com.

                                            imrworldwide appears to be a vendor of tracking software so probably not needed.
                                            This is not a complete log of your sign in so I can't tell you what rule you might use.

                                            You need to turn on logging on your firewall LAN rule. Then log into your mail. Then look at the firewall logs.

                                            Steve

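Following Steve's advice to log the LAN rule and read the firewall log to find out which connections the webmail login needs, here is an added example (not from the thread or from pfSense itself) that parses pfSense filterlog lines and lists the destinations a given LAN host contacted, ready to go into an alias. It assumes the filterlog CSV field layout of pfSense 2.2 and later (not the 2.0-era format this thread was written against); the log lines, addresses and interface name are constructed.

```python
import csv
from collections import Counter

# Constructed sample lines in pfSense filterlog CSV format, i.e. the text after
# "filterlog:" in each syslog line. Assumption: pfSense 2.2+ field layout
# (rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto,protoname,length,src,dst,srcport,dstport,...).
SAMPLE_LOG = """\
5,,,1000000103,em1,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51000,80,0,S,1,,65535,,mss
5,,,1000000103,em1,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51001,80,0,S,1,,65535,,mss
5,,,1000000103,em1,match,pass,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.1.50,203.0.113.20,51002,443,0,S,1,,65535,,mss
5,,,1000000103,em1,match,pass,in,4,0x0,,64,12348,0,DF,17,udp,60,192.168.1.50,192.168.1.1,51003,53,40
5,,,1000000103,em1,match,pass,in,4,0x0,,64,12349,0,DF,6,tcp,60,192.168.1.77,198.51.100.5,51004,443,0,S,1,,65535,,mss
"""


def parse_filterlog(text):
    """Yield (src, dst, protoname, dstport) for every IPv4 line.

    IPv6 lines use a different field layout and are skipped here.
    """
    for row in csv.reader(text.splitlines()):
        if len(row) < 22 or row[8] != "4":
            continue
        yield row[18], row[19], row[16], int(row[21])


def destinations_for(text, src_ip):
    """Count the (proto, dst, dstport) flows a single LAN host opened.

    Run this against the log of the (temporarily) logged LAN rule while
    logging in to the webmail, then build the rule from the result.
    """
    return Counter(
        (proto, dst, port)
        for src, dst, proto, port in parse_filterlog(text)
        if src == src_ip
    )


def alias_hosts(flows, exclude_ports=(53,)):
    """Sorted unique destination hosts for a pfSense alias.

    DNS (port 53) goes to the local resolver, so it is excluded by default.
    """
    return sorted({dst for (_proto, dst, port) in flows if port not in exclude_ports})


if __name__ == "__main__":
    flows = destinations_for(SAMPLE_LOG, "192.168.1.50")
    for (proto, dst, port), n in sorted(flows.items()):
        print(f"{proto:4} {dst:16} port {port:<5} x{n}")
    print("alias hosts:", ", ".join(alias_hosts(flows)))
```

Point the alias at the hosts this prints, then use it as the Destination of the single-gateway rule so only the webmail traffic is pinned to one WAN.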