Netgate Discussion Forum
LoadBalancing - Problems accessing secure web sites

Routing and Multi WAN
5 Posts 4 Posters 3.6k Views
    scarpy
    last edited by May 24, 2006, 11:39 AM

    I notice problems accessing secure web pages, VoIP connections, and VPN connections
    when load balancing is in place. Other than that, pfSense is GREAT!!
    What can I do to fix this? Has anybody had any experience with this?

    I'll explain better:

    When I try to access secure web pages (Yahoo Mail, for example) I get a "connection expired" and I have to log in again.
    I believe this happens because not ALL "secure packets" are sent out through the same WAN!
    I mean: when I click the "Login" button on the Yahoo Mail home page,
    pfSense uses WAN1 and later, when I browse, e.g., my Inbox, it sends packets through WAN2.
    This can be worked around with a rule sending all HTTPS traffic to only one WAN instead of the load-balance pool,
    but I believe it would be solved with some connection tracking mechanism!!

    I tried changing the "State Type" and "State Timeout" params in the FW rules,
    but it didn't work at all!!

    Thanks for any help or reply,
    Alex
    a-scarpanti@tiscali.it

    scarpy is:
    CCNA Cisco Certified Network Administrator
    CNAI Cisco Network Academy Instructor
    MCSE Microsoft Certified System Engineer

      sullrich
      last edited by May 25, 2006, 8:49 PM

      Probably the easiest fix is to not load balance HTTPS connections.

        billm
        last edited by May 28, 2006, 1:41 PM

        Not much we can do when web sites have poor coding practices and require the source IP to match between TCP flows. Guess they don't get many visitors from AOL (or they exclude AOL from that pain).

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

          corvus
          last edited by May 29, 2006, 4:25 PM

          On the rare occasion that I run into something like this on a site I use a lot, I generally just hard-code the IP to a specific gateway (instead of the pool) using firewall rules.

            sullrich
            last edited by May 29, 2006, 4:38 PM

            Better yet, create an alias called cannot_balance or something similar and create a rule to force the traffic out a specific gateway. Whenever you encounter a site that doesn't work very well, simply add it to the alias. Easier than adding rules for every edge case.

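The alias-plus-rule approach suggested in this thread, written out as the pf ruleset that pfSense generates behind its GUI. This is an added illustration, not code from the thread or from the pfSense project; the interface, network and gateway macros and the hostnames in the table are assumed.

```pf
# Hosts whose sessions break when successive TCP flows arrive from different
# WAN addresses. This is the "cannot_balance" alias from the thread; pf renders
# a pfSense alias as a table. The hostnames are assumed examples.
table <cannot_balance> { mail.yahoo.com, login.yahoo.com }

# Assumed macros standing in for the interfaces and gateways of a two-WAN box.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan1_if = "em1"
wan1_gw = "203.0.113.1"
wan2_if = "em2"
wan2_gw = "198.51.100.1"

# Rule 1 (matched first because of "quick"): traffic to any listed host is
# pinned to WAN1, so every flow of a session leaves from the same public
# address and the site's source-IP-per-session check keeps passing.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    inet proto tcp from $lan_net to <cannot_balance> keep state

# Rule 2: everything else is spread across both WANs per connection.
# The sticky-address pool option is pf's equivalent of the "connection
# tracking" the original poster asked for: while a LAN host has state
# entries, all of its new connections are sent to the same gateway.
pass in on $lan_if route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } \
    round-robin sticky-address \
    inet from $lan_net to any keep state
```

Rule order matters: without `quick` on the pinning rule, the later balanced rule would be the last match and would win.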
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.