Netgate Discussion Forum

    LoadBalancing - Problems accessing secure web sites

    Routing and Multi WAN
scarpy

I notice problems accessing secure web pages, VoIP connections, and VPN connections
when load balancing is in place. Other than that, pfSense is GREAT!!
What can I do to fix this? Has anybody had any experience with this?

      I'll explain better:

When I try to access secure web pages (Yahoo Mail, for example) I get a "connection expired" and I have to log in again.
I believe this happens because not ALL "secure packets" are sent out through the same WAN!
I mean: when I click the "Login" button on the Yahoo Mail home page,
pfSense uses WAN1 and, later, when I browse, i.e., my Inbox, it sends packets through WAN2.
This can be worked around with a rule sending all HTTPS traffic to only one WAN instead of the load-balance pool,
but I believe it would be solved with some connection tracking mechanism!!

I tried changing the "State Type" and "State Timeout" params in the FW rules,
but it didn't work at all!!

      Thanks for any help or reply,
      Alex
      a-scarpanti@tiscali.it

      scarpy is:
      CCNA Cisco Certified Network Administrator
      CNAI Cisco Network Academy Instructor
      MCSE Microsoft Certified System Engineer

sullrich

        Probably the easiest fix is to not load balance HTTPS connections.

billm

          Not much we can do when web sites have poor coding practices and require source IP to match between TCP flows.  Guess they don't get many visitors from AOL (or they exclude AOL from that pain).

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

corvus

In the rare occasion that I run into something like this on a site I use a lot, I generally just hardcode the IP to a specific gateway (instead of the pool) using firewall rules.

sullrich

              Better yet, create an alias called cannot_balance or something similar and create a rule to force the traffic out a specific gateway.  Whenever you encounter a site that doesn't work very well simply add it to the alias.  Easier than adding rules for every edge case.

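The alias-plus-pinned-gateway setup from the last two replies, written out as the pf.conf rules pfSense generates under the hood (an added example, not from the thread or from pfSense's own ruleset; interface names, gateway addresses and the table entries are constructed, and the rule order follows the FreeBSD pf grammar pfSense is built on):

```pf
# Added example: pf.conf equivalent of "alias + rule forcing a gateway".
# Interface names and gateway addresses below are constructed placeholders.
wan1_if = "em0"
wan2_if = "em1"
lan_if  = "em2"
wan1_gw = "203.0.113.1"    # constructed (TEST-NET-3)
wan2_gw = "198.51.100.1"   # constructed (TEST-NET-2)

# The "cannot_balance" alias: sites that break when one session arrives
# from two different source addresses. Hostnames are resolved when the
# ruleset is loaded, so reload after DNS changes. Entries are constructed.
table <cannot_balance> persist { mail.example.com, vpn.example.net }

# 1. Pinned traffic: anything destined for the alias leaves via WAN1 only.
#    "quick" ends evaluation here, so the balancing rule below never sees it.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    from $lan_if:network to <cannot_balance> keep state

# 2. Broader pin (sullrich's first suggestion): all HTTPS out WAN1.
#    Drop this rule if maintaining the alias is enough.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    proto tcp from $lan_if:network to any port 443 keep state

# 3. Everything else is balanced. "sticky-address" maps each client IP to
#    one gateway for as long as it has states, so one client's flows stay
#    on the same WAN even for sites not listed in the alias.
pass in on $lan_if \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin sticky-address \
    from $lan_if:network to any keep state
```

In the pfSense GUI the same outcome is the alias, a LAN rule with the alias as destination and WAN1 as its gateway placed above the load-balance rule, and the "sticky connections" option on the pool for rule 3.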
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.