Netgate Discussion Forum

    Sticky connections not working with dual WAN

    Routing and Multi WAN
    65 Posts 7 Posters 12.0k Views
      netblues @TheCableGuy96

      @Daskew78 NO, it won't work on web banking sites

        TheCableGuy96

        Sorry I was replying too fast and missed your update about setting the states to 2500.

        I have set it to 2500 and set each gateway to Tier 1 but I can't see where I set a weight of 2? Where is the weight setting?

          Rico

          System > Routing > Edit Gateway > Display Advanced > Weight

          -Rico

            TheCableGuy96

            Ahhh thank you.... I'm testing now... will update shortly :)

              netblues

              Remember to clear states and source tracking.

                TheCableGuy96

                Yeah I cleared both, closed all browsers and tried again on 2 personal servers with single IPs and banking but it's still happening.

                I must admit it doesn't seem to be happening as much but it is still happening.

                  netblues

                  I also see that you have the default gateway on a load balancing group.
                  Try to put the default gateway on a failover group (or just one of the lines).

                  It is not recommended to do that.

                  Also, for debug purposes, make a policy routing rule just for https, put it ahead of the general load balancing rule, and redirect the traffic to another load balancer (with the same members),
                  so as to make sure https traffic is not mixed with anything else, and retest.

                    TheCableGuy96

                    Okay, I'll have to get back to you tomorrow as I have to go out now.

                    Thanks buddy :)

                      TheCableGuy96

                      @netblues Sorry for the delay I was busy yesterday...

                      I just want to check we are on the same page here:
                      "I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)."

                      Are you referring to the firewall rules defining the gateway for each VLAN or the section in "System > Routing > Default Gateway"?

                      Also, I'm sorry but I don't understand what you mean when you say:
                      "Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)"

                      Please could you elaborate a little more what you are suggesting?

                      Many thanks pal :)

                        netblues @TheCableGuy96

                        @Daskew78 said in Sticky connections not working with dual WAN:

                        @netblues Sorry for the delay I was busy yesterday...

                        I just want to check we are on the same page here:
                        "I also see that you have default gateway on a load balancing group. Try to put default gateway to a failover group, (or just one of the lines)."

                        Are you referring to the firewall rules defining the gateway for each VLAN or the section in "System > Routing > Default Gateway"?

                        Yes..

                        Also, I'm sorry but I don't understand what you mean when you say:
                        "Also, for debug purposes, make a policy routing just for https and put it ahead of general load balancing rule, and redirect traffic to another load balancer (with the same members)"

                        Please could you elaborate a little more what you are suggesting?

                        see here
                        [screenshot]

                        Many thanks pal :)

                        ssl failover load balances first and fails over if both lines are not available
                        [screenshot]

                        so we just make sure https traffic is handled by policy rule.
                        You can also log packets if needed.

                          TheCableGuy96

                          @netblues Okay "System > Routing > Gateways > Default gateway IPv4" is now set to WAN1 rather than a LoadBalancing profile.

                          I think I understand you with the rule but I need to set up the gateway group to assign it to before I can and this is where I'm still a little hazy.

                          Am I selecting one of the gateways in here or both? And what "Tier" and "Trigger Level", please? This is what I have currently, but I'm not sure if it's what you are suggesting?

                          [screenshot]

                          Thanks.

                            netblues @TheCableGuy96

                            @Daskew78 Call it ssL_loadbalance so as not to be confused.
                            Put both lines as tier 1,
                            and make the trigger level "Member Down", to be on the safe side, while testing.

                            And do check you have weights set to 2 in routing gateways for both wan1_pppoe and wan2_dhcp.

                              TheCableGuy96

                              @netblues

                              Can you just confirm these settings are all correct, as you are suggesting, please?

                              [screenshots 1-4]

                                TheCableGuy96

                                Forgot to mention I also have the weights set to "2" for each WAN.

                                  netblues

                                  Looks ok, and I also see traffic matching the ssl rules...
                                  Also confirm that stickiness is at 2500 (or any other non-zero value; 2500 seems reasonable for any banking site).

                                  Try accessing some banks/ssl sites.. what happens?

                                    TheCableGuy96

                                    @netblues Still happening, unfortunately. I was logged out of my bank so I tried my own server. It was looking pretty stable but I did get logged out. When I checked the logs it shows 2 connections from different IPs within a couple of minutes:

                                    2020:06:10-12:36:55: '217.45.xxx.xxx' successful login to 'user' via 'admin' after 1 attempts
                                    2020:06:10-12:37:24: '5.70.xxx.xxx' successful login to 'user' after 1 attempts

                                    Also sticky connections are confirmed at 2500.

                                    It's just a bug, I guess I'll have to wait until they resolve it. I can work around it for now with static routes/firewall rules.

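The two log lines above are the only hard evidence in the thread that the sticky state is not being honoured: the same account is seen from two different public addresses 29 seconds apart. The script below is an added example (not part of the thread, and not pfSense code) that parses lines in that exact format and flags a user who reappears from a different source address within a short window, so the symptom can be counted across a whole log instead of eyeballed. The five-minute window, the three extra sample lines and the documentation IPs in them are assumptions.

```python
import re
from datetime import datetime

# Login-line format as pasted in the thread. The optional "via 'admin'" part and
# the attempt count are ignored because the pattern is not anchored at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}): "
    r"'(?P<ip>[^']+)' successful login to '(?P<user>[^']+)'"
)


def parse_line(line):
    """Return (timestamp, source_ip, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_source_flips(lines, window_seconds=300):
    """Flag logins where the same user reappears from a different source IP within
    window_seconds of their previous login: (user, previous_ip, new_ip, seconds)."""
    last_seen = {}  # user -> (timestamp, ip) of that user's most recent login
    flips = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, user = rec
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            gap = (ts - prev_ts).total_seconds()
            if prev_ip != ip and 0 <= gap <= window_seconds:
                flips.append((user, prev_ip, ip, int(gap)))
        last_seen[user] = (ts, ip)
    return flips


# Constructed sample: the two lines quoted in the thread plus three made-up lines
# that must NOT be flagged (same address again; a second user whose address
# changes only after 20 minutes).
SAMPLE_LOG = """
2020:06:10-12:36:55: '217.45.xxx.xxx' successful login to 'user' via 'admin' after 1 attempts
2020:06:10-12:37:24: '5.70.xxx.xxx' successful login to 'user' after 1 attempts
2020:06:10-12:50:01: '5.70.xxx.xxx' successful login to 'user' after 1 attempts
2020:06:10-13:10:00: '198.51.100.7' successful login to 'alice' after 1 attempts
2020:06:10-13:30:00: '203.0.113.9' successful login to 'alice' after 1 attempts
""".strip().splitlines()
```

Running find_source_flips over SAMPLE_LOG returns only the 'user' entry from the thread; widening the window to 30 minutes also catches the constructed 'alice' change.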
                                      netblues @TheCableGuy96

                                      @Daskew78 I guess your server is also https.
                                      The thing is that this works nicely here.

                                      If you could create a guest account I could try connecting over the load balancer if you wish.

                                        TheCableGuy96

                                        Yeah, it's also https, but I've honestly had enough now. It's a simple enough workaround so I've done that and am moving on. Hopefully, they will fix it sometime.

                                        Thank you for all your help. It's been greatly appreciated.

                                          curcanus

                                          Hello,
                                          I read all the posts with interest in hope that I'll solve the same problem that I have.
                                          Unfortunately the end is clear: Problem solved! It doesn't work. :)

                                            netblues @curcanus

                                            @curcanus Sorry to hear that.
                                            Keep in mind that load balancing is a hack, and corner cases are very difficult to debug. Having said that, no one can assure you that there is no bug somewhere.
                                            What I can say is that it works great for many, and when it doesn't, posts pile up.
                                            If you still need some insight into the situation at hand, please fill in the details.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.