Netgate Discussion Forum

    Sticky connections

    Routing and Multi WAN
    4 Posts, 2 Posters, 1.8k Views
    frater

      I started to use pfSense in a multi-LAN / multi-WAN environment a year ago and quite quickly I stumbled on typical multi-WAN problems.
      Some webservers don't like it when all of a sudden the traffic comes from another connection.

      pfSense has an option called "sticky connections".
      I found out the hard way that this option isn't as advanced as I expected it to be. The explanation in the webIF doesn't really help, as it's somehow ambiguous.

      The explanation is talking about a source/destination relationship. The "destination" they mean in this sentence is not the real destination (the foreign server), but the WAN-connection within the tier of your loadbalancing gateway.

      This means there's no loadbalancing for that host as long as a connection exists.
      I'm using pfSense on a remote location where I need to bundle 4 slow ADSL connections to achieve enough bandwidth to service 35 LANs.
      When a source host doesn't loadbalance anymore, this means a big loss of bandwidth for this host.

      Is there a possibility to implement "sticky connections" that works with source/destination relationships (with destination I mean a foreign server)?
      If this is not possible, it would be nice if this "stickiness" could be implemented only on certain destination ports (not a global setting).

    Nachtfalke

        This can be done by yourself.

        In general you have a firewall rule on your LAN interface with any destination and port, and as gateway the loadbalancing group (call it LoadBalance).
        Create one or two other LoadBalancing groups with different Tiers.
        NoLoadBalance1 with:
        ADSL1 = Tier 1
        ADSL2 = Tier 2
        ADSL3 = Tier 3
        ADSL4 = Tier 4

        and the second group
        NoLoadBalance2 with:
        ADSL1 = Tier 4
        ADSL2 = Tier 3
        ADSL3 = Tier 2
        ADSL4 = Tier 1

        So now it is your task to find out which destination IPs or which destination ports do not like LoadBalancing.
        Then put these ports and IPs into separate aliases - call them "NoLoadBalancePorts" and "NoLoadBalanceIPs".

        Then create two other firewall rules on LAN on top of your "LoadBalance" firewall rule.

        The one has as destination IPs the "NoLoadBalanceIPs" alias and as Gateway the "NoLoadBalance1" group.
        The second has as destination ports the "NoLoadBalancePorts" alias and as Gateway the "NoLoadBalance2" group.

        So you have automatic failover for all three firewall rules and you can easily redirect different ports and/or destination IPs. The only things you now have to maintain are the two aliases containing the ports and the destination IPs.

      frater
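As an added example (not from this thread and not pfSense code), the following Python model shows the two behaviours the thread turns on: why "sticky connections" pins a source address to one gateway regardless of the foreign server it talks to, and how the alias-based rules Nachtfalke describes steer particular destinations or ports to a failover-only gateway group while everything else keeps load balancing. It assumes, as a simplification, that LAN rules are matched top-down with first match winning, that a gateway group uses the lowest tier with an online member and spreads new flows round-robin across that tier, and that stickiness works like pf's sticky-address (a source keeps its first gateway while that gateway is usable). Gateway names and tiers are the ones from the post; all IP addresses and ports are constructed sample values.

```python
"""Toy model of pfSense-style policy routing with gateway groups (added example).

Not pfSense code. Assumptions: LAN rules are evaluated top-down and the first
match wins; a gateway group routes to the lowest-numbered tier that still has
an online member; members of that tier get new flows round-robin; "sticky
connections" is modelled as pf's sticky-address: a source address keeps the
gateway it was first given as long as that gateway is still usable.
"""

# Gateway groups as described in the post: tier 1 is preferred, higher tiers
# are failover only.
GATEWAY_GROUPS = {
    "LoadBalance":    {"ADSL1": 1, "ADSL2": 1, "ADSL3": 1, "ADSL4": 1},
    "NoLoadBalance1": {"ADSL1": 1, "ADSL2": 2, "ADSL3": 3, "ADSL4": 4},
    "NoLoadBalance2": {"ADSL1": 4, "ADSL2": 3, "ADSL3": 2, "ADSL4": 1},
}

# Aliases holding the destinations that misbehave when the source address
# changes mid-session. Constructed sample values (documentation ranges).
ALIASES = {
    "NoLoadBalanceIPs": {"203.0.113.10"},
    "NoLoadBalancePorts": {443, 22},
}

# LAN rules, top to bottom. The two specific rules sit above the catch-all,
# as the post recommends; below it they would never match.
LAN_RULES = [
    {"dst": "NoLoadBalanceIPs", "dport": None,                 "gateway": "NoLoadBalance1"},
    {"dst": None,               "dport": "NoLoadBalancePorts", "gateway": "NoLoadBalance2"},
    {"dst": None,               "dport": None,                 "gateway": "LoadBalance"},
]


def match_rule(dst_ip, dport):
    """Return the first LAN rule matching the flow, or None if nothing matches."""
    for rule in LAN_RULES:
        if rule["dst"] and dst_ip not in ALIASES[rule["dst"]]:
            continue
        if rule["dport"] and dport not in ALIASES[rule["dport"]]:
            continue
        return rule
    return None


def active_members(group, up):
    """Gateways in the lowest tier of `group` that has at least one online member."""
    online = [(tier, gw) for gw, tier in GATEWAY_GROUPS[group].items() if gw in up]
    if not online:
        return []
    best = min(tier for tier, _ in online)
    return sorted(gw for tier, gw in online if tier == best)


class PolicyRouter:
    def __init__(self, up, sticky=False):
        self.up = set(up)          # gateways currently passing monitoring
        self.sticky = sticky
        self.rr = {}               # group -> round-robin position
        self.sticky_map = {}       # (src_ip, group) -> gateway, like pf sticky-address

    def pick(self, group, src_ip):
        members = active_members(group, self.up)
        if not members:
            return None
        if self.sticky:
            # The mapping is keyed on the source only: a sticky source keeps one
            # gateway for every destination, so it no longer load-balances.
            gw = self.sticky_map.get((src_ip, group))
            if gw in members:
                return gw
        pos = self.rr.get(group, 0)
        gw = members[pos % len(members)]
        self.rr[group] = pos + 1
        if self.sticky:
            self.sticky_map[(src_ip, group)] = gw
        return gw

    def route(self, src_ip, dst_ip, dport):
        """Return (matched gateway group, chosen gateway) for one new flow."""
        rule = match_rule(dst_ip, dport)
        if rule is None:
            return None
        return rule["gateway"], self.pick(rule["gateway"], src_ip)


ALL_UP = ["ADSL1", "ADSL2", "ADSL3", "ADSL4"]

if __name__ == "__main__":
    r = PolicyRouter(ALL_UP, sticky=True)
    for dst in ("198.51.100.5", "198.51.100.6", "198.51.100.7"):
        print("192.168.1.10 ->", dst, ":80 via", r.route("192.168.1.10", dst, 80))
    print("192.168.1.10 -> 203.0.113.10:80 via", r.route("192.168.1.10", "203.0.113.10", 80))
    print("192.168.1.10 -> 198.51.100.5:443 via", r.route("192.168.1.10", "198.51.100.5", 443))
```

Run with sticky enabled and the first loop prints the same gateway for all three foreign servers, which is the behaviour frater is describing; run with `sticky=False` and the same host is spread across ADSL1 to ADSL4. Either way the two alias rules land on ADSL1 and ADSL4 respectively and fall through to the next tier only when a gateway goes down.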

          Thanks Nachtfalke, but I already implemented that solution.
          I really would like to have more, especially because I'm not getting enough feedback from the users on these LANs.

        Nachtfalke

            Hmm… if something isn't working and the users need this, then my phone will ring all the time.
            The other way round the users will never call me and tell me "hey, all is working" ;)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.