Netgate Discussion Forum

    Loadbalancer

    Routing and Multi WAN
    • N
      Nachtfalke
      last edited by

      You are right. Not all sites have problems with load balancing.
      If you have 2 WAN interfaces and a /24 subnet on the LAN interface, you could create two failover groups for https, then halve the subnet into /25s and route the first half to failover group 1 and the other half to failover group 2.

      I think this is much easier to administrate than to route individual IPs and add them even if a user "cries" because he could not load a page ;)

      1 Reply Last reply Reply Quote 0
      • Z
        zetar
        last edited by

        Thanks for answers.
        We simplify things, I do not care if it does not load balancing or failover, I just have a rule that I do not create problems with the webmail and https.
        Please explain to me how I can do.
        I have 3 WANs and a /22 LAN subnet.
        Thanks.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          If you don't care about failover for HTTPS traffic then:

          Create a new firewall rule on your LAN interface

          
          Proto  Source      Port  Destination  Port  Gateway  Queue
          tcp    LAN Subnet  *     *            443   WAN1     none
          

          Instead of WAN1 use whichever of your WANs is fastest or most reliable.

          Crucially make sure this rule is above the load balancing rule and below the anti lockout rule.

          If that works OK for you, you could change it to a failover setup later.

          Steve

          1 Reply Last reply Reply Quote 0
          • Z
            zetar
            last edited by

            thank you for your cooperation.
            made the rule you attach a screenshot, but need not be the same.
            Thanks.

            Rules.png

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              That looks correct. Is it working?

              1 Reply Last reply Reply Quote 0
              • Z
                zetar
                last edited by

                hello, the same can not be closed immediately, the session will attach screenshots. of the entire page, I do not use port 443.
                Thanks.

                login.png
                ![Session out.png](/public/imported_attachments/1/Session out.png)

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Hmmm,
                  Seems strange not to be using https.
                  You could still try adding a rule to send all traffic with destination mail.virgilio.it to one gateway.
                  You cannot enter a URL though; you have to enter it as a single host: 212.48.10.165.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • Z
                    zetar
                    last edited by

                    It should not be in any of the ways I've tried.
                    We do this, if I wanted to make an address on the LAN should be on a single gateway, that rule should apply, make me an example.
                    Thanks.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      If you wanted to just have a single LAN address use one WAN then your rule should be:

                      
                      Proto  Source  Port  Destination  Port  Gateway  Queue
                      *      yourIP  *     *            *     WAN1     none
                      

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • A
                        aries
                        last edited by

                        My experience with virgilio.it not being properly loaded or redirected is when I used squid with filtering… but I guess you're not using squid and doing some filtering, right?

                        1 Reply Last reply Reply Quote 0
                        • Z
                          zetar
                          last edited by

                          Thank you for your reply.
                          That rule works fine.
                          I do not think there is a solution to the problem in question, at least I have done many tests but have not solved, if the other ideas to try, I'd be happy to try.
                          Thanks again.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            If you enable logging on that rule and then login to your webmail then you can check the logs to see exactly what connections are required. Then you can make a rule to fit that information.
                            Remember to turn off logging on the rule afterwards or you will quickly fill the logs.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • Z
                              zetar
                              last edited by

                              @aries:

                              My experience with virgilio.it not being properly loaded or redirected is when I used squid with filtering… but I guess you're not using squid and doing some filtering, right?

                              I do not understand, do not use Squid.

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                Is that from a packet capture?
                                You should probably remove it since it lists your own IP.

                                I had intended you to use the firewall log.

                                Anyway, I can see your address performing a DNS lookup on three separate URLs:
                                www.virgilio.it, i.plug.it and secure-it.imrworldwide.com.

                                imrworldwide appears to be a vendor of tracking software so probably not needed.
                                This is not a complete log of your sign in so I can't tell you what rule you might use.

                                You need to turn on logging on your firewall LAN rule. Then log into your mail. Then look at the firewall logs.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • Z
                                  zetar
                                  last edited by

                                  Thanks, I removed the previous post, if I understand it was not necessary to enter.
                                  I can not understand how to make the registration of firewall log.
                                  Would you give me a hint on how to do things I have not yet understood well
                                  Thanks.

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    Ok.
                                    Go to Firewall>>Rules>>LAN and edit your rule for webmail access from your IP (click the 'e').
                                    You need to enable logging on that rule.

                                    Now 'save' and 'apply settings'. Your rules should look something like this:

                                    Note: The blue 'i' shows that logging is enabled. Your IP address will be different.

                                    Now everything that uses that rule will be logged in the firewall log: Status>>System Logs>>Firewall.

                                    So log into your webmail and then check the log to see what connections were made.

                                    Disable logging again afterwards.

                                    Steve

                                    1 Reply Last reply Reply Quote 0
                                    • Z
                                      zetar
                                      last edited by

                                      Thanks for the advice.
                                      This is the place to be when I put user name and password and open the folder "inbox".

                                      May 25 19:11:02 LAN 172.25.14.6:53793 212.48.8.171:443 TCP:S
                                      pass
                                      May 25 19:11:02 LAN 172.25.14.6:53794 212.48.8.171:80 TCP:S
                                      pass
                                      May 25 19:11:02 LAN 172.25.14.6:53795 212.48.8.171:80 TCP:S
                                      pass
                                      May 25 19:11:02 LAN 172.25.14.6:53796 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:03 LAN 172.25.14.6:53797 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53798 212.239.41.101:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53799 66.235.156.132:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53800 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53801 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53802 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53803 212.48.11.161:80 TCP:S
                                      pass
                                      May 25 19:11:05 LAN 172.25.14.6:53804 212.48.11.161:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53805 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53806 212.48.1.154:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53807 212.48.1.154:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53808 80.252.91.41:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53809 80.252.91.41:80 TCP:S
                                      pass
                                      May 25 19:11:06 LAN 172.25.14.6:53810 212.48.1.156:80 TCP:S
                                      pass
                                      May 25 19:11:21 LAN 172.25.14.6:53816 195.128.234.84:80 TCP:S
                                      pass
                                      May 25 19:12:01 LAN 172.25.14.6:53835 209.85.229.100:80 TCP:S
                                      pass
                                      May 25 19:12:21 LAN 172.25.14.6:53842 195.128.234.84:80 TCP:S
                                      pass
                                      May 25 19:12:40 LAN 172.25.14.6:53856 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:13:11 LAN 172.25.14.6:53862 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:13:21 LAN 172.25.14.6:53867 195.128.234.84:80 TCP:S
                                      pass
                                      May 25 19:13:42 LAN 172.25.14.6:53885 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:14:13 LAN 172.25.14.6:53895 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:14:21 LAN 172.25.14.6:53897 195.128.234.84:80 TCP:S
                                      pass
                                      May 25 19:14:44 LAN 172.25.14.6:53912 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:15:05 LAN 172.25.14.6:53916 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:15:06 LAN 172.25.14.6:53917 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:15:08 LAN 172.25.14.6:53918 62.211.72.133:80 TCP:S
                                      pass
                                      May 25 19:15:08 LAN 172.25.14.6:53920 212.239.41.101:80 TCP:S
                                      pass
                                      May 25 19:15:09 LAN 172.25.14.6:53921 66.235.156.132:80 TCP:S
                                      pass
                                      May 25 19:15:09 LAN 172.25.14.6:53922 212.48.1.154:80 TCP:S
                                      pass
                                      May 25 19:15:09 LAN 172.25.14.6:53923 212.48.1.154:80 TCP:S
                                      pass
                                      May 25 19:15:09 LAN 172.25.14.6:53924 80.252.91.41:80 TCP:S
                                      pass
                                      May 25 19:15:09 LAN 172.25.14.6:53925 80.252.91.41:80 TCP:S
                                      pass
                                      May 25 19:15:10 LAN 172.25.14.6:53926 212.48.1.156:80 TCP:S
                                      pass
                                      May 25 19:15:21 LAN 172.25.14.6:53931 195.128.234.84:80 TCP:S

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Hmm, OK.
                                        So it looks like:
                                        212.48.8.171
                                        62.211.72.133
                                        at least are involved. But also 212.48.10.165 is mail.virgilio.it, so maybe we should include 212.48.0.0/16.

                                        So change your LAN rules to:

                                        Try that.

                                        Steve

                                        1 Reply Last reply Reply Quote 0
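
An added example (not part of the original thread): the log-reading step above done in Python. It parses firewall log lines in the format posted in the thread, tallies destination IP:port pairs, and reports which destinations a candidate rule network such as 212.48.0.0/16 would match. The function names are assumptions made for this example; the sample lines are an excerpt of the log posted above.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the firewall log posted in the thread (the action sits on its own line).
SAMPLE_LOG = """\
May 25 19:11:02 LAN 172.25.14.6:53793 212.48.8.171:443 TCP:S
pass
May 25 19:11:02 LAN 172.25.14.6:53794 212.48.8.171:80 TCP:S
pass
May 25 19:11:02 LAN 172.25.14.6:53796 62.211.72.133:80 TCP:S
pass
May 25 19:11:05 LAN 172.25.14.6:53798 212.239.41.101:80 TCP:S
pass
May 25 19:11:06 LAN 172.25.14.6:53806 212.48.1.154:80 TCP:S
pass
May 25 19:11:21 LAN 172.25.14.6:53816 195.128.234.84:80 TCP:S
"""

# timestamp, interface, src ip:port, dst ip:port, protocol/flags
ENTRY = re.compile(
    r"^\s*\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+[\d.]+:\d+\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+\S+"
)

def destinations(log_text):
    """Count (destination IP, port) pairs; lines such as 'pass' are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            counts[(ipaddress.ip_address(m["dst"]), int(m["dport"]))] += 1
    return counts

def coverage(counts, rule_networks):
    """Split observed destination IPs into matched / not matched by the rule networks."""
    nets = [ipaddress.ip_network(n) for n in rule_networks]
    covered, missed = set(), set()
    for ip, _port in counts:
        (covered if any(ip in n for n in nets) else missed).add(str(ip))
    return sorted(covered), sorted(missed)

if __name__ == "__main__":
    seen = destinations(SAMPLE_LOG)
    covered, missed = coverage(seen, ["212.48.0.0/16"])
    for (ip, port), n in sorted(seen.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {ip}:{port}")
    print("matched by 212.48.0.0/16:", covered)
    print("not matched:", missed)
```

Destinations reported as not matched would still fall through to the load-balancing rule unless they are also added to the policy-routing rule's destination.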
                                        • Z
                                          zetar
                                          last edited by

                                          You're a really great, now works without problems.
                                          I replaced the single IP subnet with all the LAN and I think that works by any location.
                                          Thanks, but thank you very much for your cooperation.
                                          Known, but those of Virgil can not do like the others …
                                          hei hei ..

                                          1 Reply Last reply Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.