Sticky connections not working with dual WAN
-
@Daskew78 You shouldnt really care about states being closed when you have a stickiness of 1200.
As documentation says, if you have stickiness 0, then load balancing path is re evaluated when connectios are closed. (and we could discuss if this means fin wait etc)
But stickiness of 1200 Means 1200 seconds AFTER connections is closed, if a new request comes from the same ip to the same host it will leave from the same gateway.I insist. stickiness works fine on multiwan ssl load balancing scenario.
And consider this workaround too
https://redmine.pfsense.org/issues/6025quoting
Also of note, when the weights differ, even though the gateways have a specific order with repetition in the rule, pf seems to still flip back and forth, though the general ratio of the weights is respected. For example with WAN1=3, WAN2=2:I had the same issues as you do until I made 2 the default weight on both load balancing connections.
Deeper issues are suspected, as redmine says.
Please consider testing the workaround. -
Yeah sure seems that issue is exactly what your seeing... I would do what @netblues says and that should fix up your issue I would hope.
-
-
Yup..
-
Well if that's the case it is a bug then. But at least there appears to be a workaround.
I'll test it now, cheers again :)
-
@Daskew78 nope
We suggest to put a weight of 2 on both gateways and load balance them as both tier 1.
with a stickiness of 2500 -
As you see yes there is a redmine on it ;)
Currently targeted at 2.5 - but its been pushed many times already.. So wouldn't expect... This thread could get added to that redmine I would think.. Might put a bit more weight on looking into it.
-
Sorry I spoke a little too soon.... should I also set the sticky connections back to "0"?
-
@Daskew78 NO, it won't work on web banking sites
-
Sorry I was replying too fast and missed your update about setting the states to 2500.
I have set it to 2500 and set each gateway to Tier 1 but I can't see where I set a weight of 2? Where is the weight setting?
-
System > Routing > Edit Gateway > Display Advanced > Weight
-Rico
-
ahhh thank you.... i'm testing now... will update shortly :)
-
Remember to clear states and source tracking.
-
Yeah I cleared both, closed all browsers and tried again on 2 personal servers with single IPs and banking but it's still happening.
I must admit it doesn't seem to be happening as much but it is still happening.
-
I also see that you have default gateway on a load balancing group.
Try to put default gateway to a failover group, (or just one of the lines).It is not recommended to do that.
Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)
So as to make sure https traffic is not mixed with anything else and retest. -
Okay i'll have to get back to you tomorrow as I have to go out now.
Thanks buddy :)
-
@netblues Sorry for the delay I was busy yesterday...
I just want to check we are on the same page here:
"I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)."Are you referring to the firewall rules defining the gateway for each vLAN or the section in "System > Routing > Default Gateway"?
Also, I'm sorry but I don't understand what you mean when you say:
"Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)"Please could you elaborate a little more what you are suggesting?
Many thanks pal :)
-
@Daskew78 said in Sticky connections not working with dual WAN:
@netblues Sorry for the delay I was busy yesterday...
I just want to check we are on the same page here:
"I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)."Are you referring to the firewall rules defining the gateway for each vLAN or the section in "System > Routing > Default Gateway"?
Yes..
Also, I'm sorry but I don't understand what you mean when you say:
"Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)"Please could you elaborate a little more what you are suggesting?
see here
Many thanks pal :)
ssl failover load balances first and failovers if both lines are not availabie
so we just make sure https traffic is handled by policy rule.
You can also log packets if needed. -
@netblues Okay "System > Routing > Gateways > Default gateway IPv4" is now set to WAN1 rather than a LoadBalancing profile.
I think I understand you with the rule but I need to set up the gateway group to assign it to before I can and this is where I'm still a little hazy.
Am I selecting one of the gateways in here or both? and what "Tier" and "Trigger Level" please? This is what I have currently but not sure if it's what you are suggesting?
Thanks.
-
@Daskew78 call it ssL_loadbalance so as not to be confused.
put both lines as tier1
and make trigger level member down, to be on the safe side, while testing.And do check you have weights set to 2 in routing gateways for both wan1_pppoe and wan2_dhcp