• Hi

    I am using a 2.0 Beta with 2 WANs both are DSL’s configured in PPoE format. The 2 WANs are configured in a load balancing group and set in the firewall rules. As other people have posted before, there is a problem with some websites that I login to that every time I click on a link or a couple links on the website that I am logged into it takes me back to the login page. So I can never be logged into a website long enough to do what I need to do there.

    Of course this only happens on some websites, I suppose it depends on the login method that the website uses.

    In the forum I have read that I need to enable sticky connections to fix this but I do not believe sticky connections is working. I have tried multiple snap shots and it still does not work.

    In the meantime until the sticky connections functionality is confirmed working, I am trying to come up with a new way that I can setup the 2 WANs.

    One thing I am considering is to try a plain failover strategy. I have a question about this; If my users are using WAN 1 to its full capacity will PFSense send other users through WAN 2 automatically…. Is this how fail over works or is it only if WAN1 completely down for anyone…. Then and only then it switches to WAN 2.

    The reason for this is because I have a bunch of users trying to use our internet connection and 1 DSL is not enough for everyone.


  • There are Protocols which do not work properly with Load Balancing for example 22 (SSH) or 443 (SSL) an some others.

    I created a secondary group with WAN1 as Tier1 and WAN2 as Tier5. Then I created an Alias with all ports which do NOT use Load Balancing. Then I added a firewall rule in which all destination ports I added to my alias use the secondary group.

    If both WANs are up, all these ports go over WAN1, if WAN1 is down, it failover to WAN2. So I do not need Sticky Connections and have a working failover for no Load Balancing Ports.

    Und Point 9.3 you can find some "No Load Balancing Ports"

    Load Balancing in pfSense uses round robin. This means, one connection uses WAN1 and the next WAN2 and the next WAN1 and so on. Failover works, wenn one WAN goes down, alle connections go through the other WAN.

  • @Nachtfalke:

    There are Protocols which do not work properly with Load Balancing for example 22 (SSH)

    SSH is fine to load balance, each individual connection will always stay on the same WAN. For some other protocols, you don't want to load balance. HTTPS is the main one because it commonly uses multiple connections, HTTP is generally ok though you may want to exclude some specific sites. Generally web sites that do session tracking on an IP basis are HTTPS. I load balance all my HTTP traffic and exclude any site that doesn't play nicely with that. I only have one such HTTP site in that list.

  • @cmb

    How does this work, do you create an alias with the URL(s) you do not want to load balance ?
    Or is there an other trick or feature in pfSense ?


  • Alias with the IP, subnet, or hostname can be feasible with some sites.

  • Thanks for all your input.

    That fixed the problem, I made a fire wall rule forcing all ssl traffic to go through one of the DSLs rather than the load balancing group.  I had to add one HTTP website also. I am not sure the best way to do this, but what I did is did an nslookup on the domain and created a separate firewall to force it through 1 DSL.

    I did notice someone mentioning aliases, but when I went Aliases page to create a alias group, I only saw it to be able to take IP address or lists. It would be good if I could add a domain name incase the website changes its address.

    Again… thanks for the input, it is good now.  Now if squid would work properly with load balancing and transparency it would be golden.

  • You can put a dns name in the field too.