Sticky outbound?



  • Hi all-

    I just installed RC2 last week (my first pfSense box).  We switched from Ipcop to get dual wan failover and lb features.

    We have an ADSL line and a cable modem, and I have the dual wan with lb and failover working now.

    We are running into a problem with some websites (all ssl sites afaik) in which we get logged out because the ip address their server sees changes after a little while of browsing.

    I tried the 'touch /var/etc/use_pf_pool__stickyaddr' trick and rebooted, but I guess that's only for inbound.

    Without setting static routes/rules, how can I get it so traffic to the same site (ip+port) goes out the same interface for a while (30 mins would do)?  Of course I still want it to failover asap if the selected link goes down (thus my hesitance to use static routes).

    I've tried searching for combinations of 'sticky' and 'sessions' on Google and in the forum but haven't found the answer.

    Thanks!







  • @sullrich:

    Not at this time.

    http://faq.pfsense.org/index.php?action=artikel&cat=1&id=174&artlang=en

    Any decent workarounds?

    If not, how do I describe this feature for the devs and how much would be fair for a bounty on it?



  • @Russ:

    Any decent workarounds?

    No.

    @Russ:

    If not, how do I describe this feature for the devs and how much would be fair for a bounty on it?

    No matter if a bounty was posted, this will not make it into 1.0.



  • @sullrich:

    @Russ:

    If not, how do I describe this feature for the devs and how much would be fair for a bounty on it?

    No matter if a bounty was posted, this will not make it into 1.0.

    Fine, but that's not what I asked.  The question remains unanswered.



  • I honestly don't know how much is a good thing.  I guess it is up to you.



  • @Russ:

    @sullrich:

    @Russ:

    If not, how do I describe this feature for the devs and how much would be fair for a bounty on it?

    No matter if a bounty was posted, this will not make it into 1.0.

    Fine, but that's not what I asked.  The question remains unanswered.

    It's really up to how much it's worth to you.  Name a price; maybe someone will work on it, maybe someone with current knowledge of the codebase, maybe someone who wishes to learn and make a few bucks learning.  It's doable in pf; the hardest part will be to wrap a UI around it - the pf.conf code is pretty simple.

    –Bill



    Is the only workaround to use policy-based routing for https, so that https traffic only goes out one WAN port?

    sai



    I have added 2 types of aliases for this at my dual WAN setup: one portsalias and one hostsalias, where I can add port numbers or IP addresses that don't work well with load balancing. If I detect another external IP that doesn't work well with it, I just add it to the hostsalias. https is added to the portsalias. Both aliases are referenced by a firewall rule as destination to go out to my faster WAN.
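
The alias-based workaround from the last post, written out as raw pf.conf rules in FreeBSD-style pf syntax. This is an added example, not taken from the thread or from the ruleset pfSense generates; the interface names, gateways, addresses and the macro and table names are all constructed.

```conf
# Constructed values: replace with the real interfaces and gateways.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan1_if = "em1"              # the faster WAN, used for pinned traffic
wan1_gw = "198.51.100.1"
wan2_if = "em2"
wan2_gw = "203.0.113.1"

# Equivalent of the "portsalias": destination ports whose sessions break
# when the source address seen by the server changes.
pinned_ports = "{ 443 }"

# Equivalent of the "hostsalias": individual destinations that misbehave.
# New entries can be added at runtime: pfctl -t pinned_hosts -T add <ip>
table <pinned_hosts> persist { 192.0.2.10, 192.0.2.25 }

# Each WAN needs its own NAT rule so replies return on the same link.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# Pinned traffic: "quick" makes these rules win before the balancing rule,
# so the remote site always sees the WAN1 address.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    proto tcp from $lan_net to any port $pinned_ports flags S/SA keep state
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) \
    from $lan_net to <pinned_hosts> keep state

# Everything else is spread across both links.
pass in on $lan_if route-to \
    { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin \
    from $lan_net to any keep state

# Caveat: pf does not monitor gateways. If WAN1 goes down, the two pinned
# rules keep sending traffic to it until the ruleset is rewritten, so
# failover for pinned traffic must be handled outside these rules.
```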

