Load Balancing faulty for second LAN



  • I've got two internal networks that my firewall recognizes as LAN (built in) and Public. I've got two load balanced WANs, and they work great for the LAN connection. However, anyone using the Public connection gets a lot of timeouts. Often you'll go to a website, and it won't load the page. Hit refresh, and it comes up. When you try and ping various websites, occasionally the ping won't resolve an IP… other times it will.

    I've set the various rules for my Public network to use specific gateways, and this works just fine. I'll keep doing it for now, but I wonder if there's some background issue that might enable the built-in LAN to use the load balancer better than any other networks. I've configured all the outgoing NAT rules and everything the same as LAN... I obviously have because both connections work individually, but not when balancing.



  • What snapshot do you use?



  • So it's a DNS issue not connectivity from Public? What DNS server do your Public clients use? If the DNS server for Public clients is the firewall then you have to have static routes set up for the DNS servers from the 2 ISPs.



  • @techatdd:

    What snapshot do you use?

    1.2 Beta 1 (no snapshots)

    @sai:

    So it's a DNS issue not connectivity from Public? What DNS server do your Public clients use? If the DNS server for Public clients is the firewall then you have to have static routes set up for the DNS servers from the 2 ISPs.

    Well… I don't think it is a DNS issue. On the rule allowing DNS traffic out from Public, if I set the gateway to either WAN or WAN2, it works fine. It's only when I set the rule to Load Balance that DNS becomes spotty. As I said, when using Load Balance EVERYTHING becomes spotty, http requests, dns etc.

    But... my public clients ARE using the firewall for DNS, and I've not created any static routes as per the note on the static route page:

    Note: Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.



  • It's a DNS issue if
    #ping 66.94.143.13
    works but
    #ping yahoo.com
    does not work.

    Probably the note about static routes does not apply to your DNS case. I would add static routes for the 2 DNS servers and see if that helps



  • I understand that. :)

    When I set DNS traffic to WAN, and ping yahoo.com, everything is fine.
    When I set DNS traffic to WAN2, and ping yahoo.com, everything is fine.

    When I set DNS traffic to Load Balance, and ping yahoo.com, sometimes it resolves to an IP, and sometimes it doesn't.



  • do the static route thing, matey.



  • it sounds like the router is using the dns for 1 isp over the other isp's link

    the query to dns1.isp1.com goes from WAN1 it works
    but when…
    the query to dns1.isp1.com goes to WAN2 and ISP2 it does not work.

    ISPs frequently block DNS queries from other providers' networks.

    I'd try the static route as sai suggested.



  • Been working on some other stuff.
    OK, so static routes. Check my logic.

    Interface: (the interface I want this static route to apply to, in this case, Public)
    Destination network: (IP address of dns server on WAN x) / 32
    Gateway: IP of WAN x

    Is that right?



  • interface

    Interface: wan
    Destination network: (IP address of dns server isp1) / 32
    Gateway: IP of WAN

    Interface: wan2
    Destination network: (IP address of dns server isp2) / 32
    Gateway: IP of WAN2

    dns1.isp1.com



  • @tacfit:

    Been working on some other stuff.
    OK, so static routes. Check my logic.

    Interface: (the interface I want this static route to apply to, in this case, Public)
    Destination network: (IP address of dns server on WAN x) / 32
    Gateway: IP of WAN x

    Is that right?

    yes, that looks good. you will want to make similar routes for all your LAN (ie non-ISP) interfaces and all your DNS servers.



  • Could someone confirm what the interface should be? I don't know if I should set the interface to Public, because I want the static route to apply to the Public interface… or should I set it to WAN (or WAN2) to match the gateway that I'm setting on each rule.



  • I think I answered this myself, it only made a difference when I set the interface to Public, which is what I figured. And then, I had to set the rule allowing DNS traffic to use "default" rather than anything else.

    Thanks, this helped out loads!
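
The diagnosis the thread arrives at (each ISP's resolver must be reached through that ISP's own WAN, pinned with a /32 static route) can be checked mechanically. The following is an added example, not part of any post above and not pfSense code; the addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not values from the thread.
RESOLVERS = {                 # resolver IP -> WAN that belongs to the same ISP
    "192.0.2.53": "WAN",
    "198.51.100.53": "WAN2",
}
GATEWAYS = {"WAN": "192.0.2.1", "WAN2": "198.51.100.1"}
STATIC_ROUTES = [             # (destination network, gateway)
    ("192.0.2.53/32", "192.0.2.1"),
    ("198.51.100.53/32", "192.0.2.1"),   # mistake: ISP2 resolver sent via ISP1
]

def route_for(ip, routes):
    """Longest-prefix match over the static routes; (network, gateway) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, gw in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def audit(resolvers, gateways, routes):
    """Classify each resolver as ok, wrong-gateway, or unpinned."""
    findings = {}
    for ip, wan in resolvers.items():
        match = route_for(ip, routes)
        if match is None:
            # No static route: queries follow the balanced path and may leave
            # through the other ISP, which the thread says is often blocked.
            findings[ip] = "unpinned"
        elif match[1] != gateways[wan]:
            findings[ip] = "wrong-gateway"
        else:
            findings[ip] = "ok"
    return findings

if __name__ == "__main__":
    for ip, status in audit(RESOLVERS, GATEWAYS, STATIC_ROUTES).items():
        print(f"{ip}: {status}")
```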

