Loadbalancer
-
You could add a firewall rule that directs all traffic with destination 'your web mail server' to only one gateway.
Of course you then won't get any load balancing for webmail or failover.Steve
-
You could add a firewall rule that directs all traffic with destination 'your web mail server' to only one gateway.
Of course you then won't get any load balancing for webmail or failover.Steve
If you do this with a static gateway, you are right, zhere will be no failover. This is not really elegant.
The better way is to create a second gateway group with different Tier for bothe lines and use this group as gateway in firewall rules. So if one line goes down it will use the other one. So you have failover and a kind of "stick connections".
Instread of sticky connections I would create an alias with https (443) rdp (3389) ssh (22) and use this as DESTINATION ports for the above created "failover" gateway group.
-
Yes that's a much better solution. Good call.
You may not want to include all https traffic though as not all sites have a problem with load balancing, gmail for example.
It would probably reduce user complaints though! ::)Steve
-
You are right. Not all site have prolems with loadbalancing.
If you have 2 WAN interfaces, and a /24 subnet on LAN interface, you could create to failover groups for https and then half the subnet to /25 ans then route the first half to failover group 1 and the other half to failover group 2.I think this is much easier to administrate than to route individual IPs and add them even if a user "cries" because he could not load a page ;)
-
Thanks for answers.
We simplify things, I do not care if it does not load balancing or failover, I just have a rule that I do not create problems with the webmail and https.
Please explain to me how I can do.
I have 3 WAN and LAN subnet / 22
Thanks. -
If you don't care about failover for HTTPS traffic then:
Create a new firewall rule on your LAN interface
Proto Source Port Destination Port Gateway Queue tcp LAN Subnet * * 443 WAN1 noneInstead of WAN1 use which ever of your WANs is fastest or most reliable.
Crucially make sure this rule is above the load balancing rule and below the anti lockout rule.
If that works ok for you you could change it to a failover setup later.
Steve
-
thank you for your cooperation.
made the rule you attach a screenshot, but need not be the same.
Thanks.
-
That looks correct. Is it working?
-
hello, the same can not be closed immediately, the session will attach screenshots. of the entire page, I do not use port 443.
Thanks.
 -
Hmmm,
Seems strange not to be using https.
You could still try adding a rule to send all traffic with destination mail.virgilio.it to one gateway.
You cannot enter a URL though you have to enter it as a single host: 212.48.10.165.Steve
-
It should not be in any of the ways I've tried.
We do this, if I wanted to make an address on the LAN should be on a single gateway, that rule should apply, make me an example.
Thanks. -
If you wanted to just have a single LAN address use one WAN then your rule should be:
Proto Source Port Destination Port Gateway Queue * yourIP * * * WAN1 noneSteve
-
my experience in virgilio.it that is not properly loaded or redirected is when i used squid with filtering…but i guess your not using squid and do some filtering right?
-
Thank you for your reply.
That rule works fine.
I do not think there is a solution to the problem in question, at least I have done many tests but have not solved, if the other ideas to try, I'd be happy to try.
Thanks again. -
If you enable logging on that rule and then login to your webmail then you can check the logs to see exactly what connections are required. Then you can make a rule to fit that information.
Remember to turn off logging on the rule afterwards or you will quickly fill the logs.Steve
-
my experience in virgilio.it that is not properly loaded or redirected is when i used squid with filtering…but i guess your not using squid and do some filtering right?
I do not understand, do not use Squid.
-
It that from a packet capture?
You should probably remove it since it lists your own IP.I had intended you to use the firewall log.
Anyway I can see your address performing a DNS lookup on three separate URLs.
www.virgilio.it, i.plug.it and secure-it.imrworldwide.com.imrworldwide appears to be a vendor of tracking software so probably not needed.
This is not a complete log of your sign in so I can't tell you what rule you might use.You need to turn on logging on your firewall LAN rule. Then log into your mail. Then look at the firewall logs.
Steve
-
Thanks, I removed the previous post, if I understand it was not necessary to enter.
I can not understand how to make the registration of firewall log.
Would you give me a hint on how to do things I have not yet understood well
Thanks. -
Ok.
Go to Firewall>>Rules>>Lan edit your rule for webmail access from your IP. (click the 'e')
You need to enable logging on that rule.
Now 'save' and 'apply settings'. You rules should look something like this:
Note: The blue 'i' shows that logging is enabled. Your IP address will be different.
Now everything that uses that rule will be logged in the firewall log: status>>system logs>>firewall.
So log into your webmail and then check the log to see what connections were made.
Disable logging again afterwards.
Steve
-
Thanks for the advice.
This is the place to be when I put user name and password and open the folder "inbox".May 25 19:11:02 LAN 172.25.14.6:53793 212.48.8.171:443 TCP:S
pass
May 25 19:11:02 LAN 172.25.14.6:53794 212.48.8.171:80 TCP:S
pass
May 25 19:11:02 LAN 172.25.14.6:53795 212.48.8.171:80 TCP:S
pass
May 25 19:11:02 LAN 172.25.14.6:53796 62.211.72.133:80 TCP:S
pass
May 25 19:11:03 LAN 172.25.14.6:53797 62.211.72.133:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53798 212.239.41.101:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53799 66.235.156.132:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53800 62.211.72.133:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53801 62.211.72.133:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53802 62.211.72.133:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53803 212.48.11.161:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53804 212.48.11.161:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53805 62.211.72.133:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53806 212.48.1.154:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53807 212.48.1.154:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53808 80.252.91.41:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53809 80.252.91.41:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53810 212.48.1.156:80 TCP:S
pass
May 25 19:11:21 LAN 172.25.14.6:53816 195.128.234.84:80 TCP:S
pass
May 25 19:12:01 LAN 172.25.14.6:53835 209.85.229.100:80 TCP:S
pass
May 25 19:12:21 LAN 172.25.14.6:53842 195.128.234.84:80 TCP:S
pass
May 25 19:12:40 LAN 172.25.14.6:53856 62.211.72.133:80 TCP:S
pass
May 25 19:13:11 LAN 172.25.14.6:53862 62.211.72.133:80 TCP:S
pass
May 25 19:13:21 LAN 172.25.14.6:53867 195.128.234.84:80 TCP:S
pass
May 25 19:13:42 LAN 172.25.14.6:53885 62.211.72.133:80 TCP:S
pass
May 25 19:14:13 LAN 172.25.14.6:53895 62.211.72.133:80 TCP:S
pass
May 25 19:14:21 LAN 172.25.14.6:53897 195.128.234.84:80 TCP:S
pass
May 25 19:14:44 LAN 172.25.14.6:53912 62.211.72.133:80 TCP:S
pass
May 25 19:15:05 LAN 172.25.14.6:53916 62.211.72.133:80 TCP:S
pass
May 25 19:15:06 LAN 172.25.14.6:53917 62.211.72.133:80 TCP:S
pass
May 25 19:15:08 LAN 172.25.14.6:53918 62.211.72.133:80 TCP:S
pass
May 25 19:15:08 LAN 172.25.14.6:53920 212.239.41.101:80 TCP:S
pass
May 25 19:15:09 LAN 172.25.14.6:53921 66.235.156.132:80 TCP:S
pass
May 25 19:15:09 LAN 172.25.14.6:53922 212.48.1.154:80 TCP:S
pass
May 25 19:15:09 LAN 172.25.14.6:53923 212.48.1.154:80 TCP:S
pass
May 25 19:15:09 LAN 172.25.14.6:53924 80.252.91.41:80 TCP:S
pass
May 25 19:15:09 LAN 172.25.14.6:53925 80.252.91.41:80 TCP:S
pass
May 25 19:15:10 LAN 172.25.14.6:53926 212.48.1.156:80 TCP:S
pass
May 25 19:15:21 LAN 172.25.14.6:53931 195.128.234.84:80 TCP:S
