Dual WAN https issue



  • Hi, I have a dual WAN configuration (a balance gateway group with 2 ADSL lines, both Tier 1). I use this group in the main firewall rule (the simplest default configuration).

    All worked well, but now I have a little trouble with some https web sites (wrong authentications and some web page load issues). How can I avoid this?

    Is it possible to route all https requests to a fixed gateway? How?

    Thanks in advance.



  • One possibility is to enable "Sticky connections" in SYSTEM -> ADVANCED.

    The other possibility is to create a firewall rule on top of your LoadBalance firewall rules which has destination port "https" and as gateway WAN1 or WAN2.
    A small improvement would be to create a second Gateway-Group which has WAN1 as Tier1 and WAN2 as Tier2 and use this GW-Group for https traffic. This would help you if WAN1 is down, as it automatically switches over to WAN2 for https traffic.

    In future you will probably find other pages and/or ports which do not like LoadBalancing. So the best way would be to create a port alias and use this as "destination port" in the firewall. This will allow you in future to put other ports in this alias, and then it automatically affects the firewall rules.



  • Most always best to not load balance HTTPS, since it can also involve connections to multiple servers, for which sticky does nothing.



  • @Nachtfalke:

    One possibility is to enable "Sticky connections" in SYSTEM -> ADVANCED.

    The other possibility is to create a firewall rule on top of your LoadBalance firewall rules which has destination port "https" and as gateway WAN1 or WAN2.
    A small improvement would be to create a second Gateway-Group which has WAN1 as Tier1 and WAN2 as Tier2 and use this GW-Group for https traffic. This would help you if WAN1 is down, as it automatically switches over to WAN2 for https traffic.

    In future you will probably find other pages and/or ports which do not like LoadBalancing. So the best way would be to create a port alias and use this as "destination port" in the firewall. This will allow you in future to put other ports in this alias, and then it automatically affects the firewall rules.

    I inserted this rule (and the sticky connection option) in my config.

    Now in rules I have:

    
    Proto  Source   Port  Dest  Port  Gateway  Descr.
    TCP    LAN net  *     *     443   ADSL1    HTTPS traffic to ADSL1
    *      LAN net  *     *     *     BALANCE  Default allow LAN to any rule
    
    

    Do you think it's right?
    I'm not sure if it works as I expect…

    Thanks.

    UPDATE: Can the anti-lockout rule above it all cause a different behaviour?
    Just in case, is it better to disable it?

    Thanks again



  • Anti-Lockout is ok - no need to change it.
    Firewall rules look ok.
    No need to use sticky connections when solving all with firewall rules.

    So why don't you try to connect to https websites (facebook) and check if it is using GW1?
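
The rule order and gateway-group behaviour discussed in this thread, as a small Python model added here for illustration (it is not part of the original posts and not pfSense code). It assumes the LAN rules are evaluated top-down with the first match winning; ADSL2, the HTTPS_FAILOVER group and the NoBalancePorts alias are hypothetical names.

```python
from dataclasses import dataclass

# Gateway groups: tier -> members. The lowest tier with a live member is used.
# ADSL2, HTTPS_FAILOVER and NoBalancePorts are assumed names, not from the thread.
GROUPS = {
    "BALANCE": {1: ["ADSL1", "ADSL2"]},              # both Tier 1: load balanced
    "HTTPS_FAILOVER": {1: ["ADSL1"], 2: ["ADSL2"]},  # Tier 1 first, Tier 2 as backup
}
ALIASES = {"NoBalancePorts": {443}}  # port alias; add ports here later

@dataclass
class Rule:
    proto: str      # "tcp", "udp" or "*"
    dport: object   # port number, alias name or "*"
    gateway: str    # single gateway or gateway group
    descr: str

def port_matches(spec, port):
    if spec == "*":
        return True
    return port in ALIASES[spec] if spec in ALIASES else port == spec

def live_gateways(gateway, up):
    """Gateways a connection may leave through, given the set that is up."""
    # Simplification: a single gateway that is down yields no path in this model.
    tiers = GROUPS.get(gateway, {1: [gateway]})
    for tier in sorted(tiers):
        live = [g for g in tiers[tier] if g in up]
        if live:
            return live
    return []

def route(rules, proto, dport, up):
    """Top-down, first match wins. Returns (rule description, usable gateways)."""
    for r in rules:
        if r.proto in ("*", proto) and port_matches(r.dport, dport):
            return r.descr, live_gateways(r.gateway, up)
    return "no matching rule", []

BALANCE_RULE = Rule("*", "*", "BALANCE", "Default allow LAN to any rule")
POSTED = [Rule("tcp", 443, "ADSL1", "HTTPS traffic to ADSL1"), BALANCE_RULE]
REVERSED = POSTED[::-1]  # same rules, pinning rule below the balance rule
FAILOVER = [Rule("tcp", "NoBalancePorts", "HTTPS_FAILOVER", "Pinned ports"), BALANCE_RULE]

if __name__ == "__main__":
    both = {"ADSL1", "ADSL2"}
    print(route(POSTED, "tcp", 443, both))         # pinned to ADSL1
    print(route(REVERSED, "tcp", 443, both))       # balance rule matches first
    print(route(POSTED, "udp", 443, both))         # TCP-only rule does not match UDP 443
    print(route(FAILOVER, "tcp", 443, {"ADSL2"}))  # ADSL1 down: Tier 2 takes over
```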

