LoadBalancing - Problems accessing secure web sites



  • I notice problems accessing secure web pages, VoIP connections, and VPN connections
    when load balancing is in place. Other than that, pfSense is GREAT!!
    What can I do to fix this? Has anybody had any experience with this?

    I'll explain better:

    When I try to access secure web pages (Yahoo Mail, for example) I get a "connection expired" and I have to log in again.
    I believe this happens because not ALL "secure packets" are sent out through the same WAN!
    I mean: when I click the "Login" button on the Yahoo Mail home page,
    pfSense uses WAN1 and, later, when I browse, e.g., my Inbox, it sends packets through WAN2.
    This can be worked around with a rule sending all HTTPS traffic to only one WAN instead of the load-balance pool,
    but I believe it would be solved with some connection tracking mechanism!!

    I tried changing the "State Type" and "State Timeout" params in the FW rules,
    but it didn't work at all!!

    Thanks for any help or reply,
    Alex
    a-scarpanti@tiscali.it



  • Probably the easiest fix is to not load balance HTTPS connections.



  • Not much we can do when web sites have poor coding practices and require source IP to match between TCP flows.  Guess they don't get many visitors from AOL (or they exclude AOL from that pain).

    –Bill



  • On the rare occasion that I run into something like this on a site I use a lot, I generally just hardcode the IP to a specific gateway (instead of the pool) using firewall rules.



  • Better yet, create an alias called cannot_balance or something similar and create a rule to force the traffic out a specific gateway.  Whenever you encounter a site that doesn't work very well, simply add it to the alias.  Easier than adding rules for every edge case.
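The alias-plus-rule approach from the reply above, written out as a pf.conf ruleset fragment. This is an added illustration, not configuration from the thread or from the pfSense project; pfSense generates equivalent rules from its GUI. Interface names, gateway addresses, the LAN subnet and the single member of the `cannot_balance` table are constructed placeholders.

```pf
# Constructed example: interfaces and gateways are placeholders
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan1_if = "em1"
wan1_gw = "198.51.100.1"
wan2_if = "em2"
wan2_gw = "203.0.113.1"

# The "cannot_balance" alias becomes a pf table; add problem sites here
# (placeholder network, not a real site from the thread)
table <cannot_balance> persist { 192.0.2.0/24 }

# Pinned rule first: HTTPS to any table member always leaves via WAN1,
# so every TCP flow of one web session shares a source address.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    proto tcp from $lan_net to <cannot_balance> port 443 keep state

# Everything else is load-balanced. "sticky-address" keeps one LAN host
# on the gateway it was first assigned, which avoids the same problem
# for sites not yet in the table (assumes a pf build that supports it).
pass in quick on $lan_if \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address \
    from $lan_net to any keep state
```

Rule order matters: pf evaluates `quick` rules first-match, so the pinned rule must sit above the load-balancing rule or the table is never consulted. After editing the table, `pfctl -t cannot_balance -T show` lists its current members and `pfctl -s state` lets you confirm that HTTPS states to those addresses are bound to WAN1.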

