Sticky connections



  • I started to use pfsense in a multi-LAN / multi-WAN environment a year ago and quite quickly I stumbled on typical multi-WAN problems.
    Some webservers don't like it when all of a sudden the traffic comes from another connection.

    Pfsense has an option called "sticky connections".
    I found out the hard way that this option isn't as advanced as I expected it to be. The explanation in the webIF doesn't really help as it's somewhat ambiguous.

    The explanation is talking about a source/destination relationship. The "destination" they mean in this sentence is not the real destination (the foreign server), but the WAN-connection within the tier of your loadbalancing gateway.

    This means there's no loadbalancing for that host as long as a connection exists.
    I'm using pfsense on a remote location where I need to bundle 4 slow ADSL connections to achieve enough bandwidth to service 35 LANs.
    When a source host doesn't loadbalance anymore this means a big loss of bandwidth for this host.

    Is there a possibility to implement "sticky connections" that works with source/destination relationships (with destination I mean a foreign server)?
    If this is not possible it would be nice if this "stickiness" could be implemented only on certain destination ports (not a global setting).



  • This can be done by yourself.

    In general you have a firewall rule on your LAN interface with any destination and port and as gateway the loadbalancing group (call it LoadBalance).
    Create one or two other LoadBalancing groups with different Tiers.
    NoLoadBalance1 with:
    ADSL1 = Tier 1
    ADSL2 = Tier 2
    ADSL3 = Tier 3
    ADSL4 = Tier 4

    and the second group
    NoLoadBalance2 with:
    ADSL1 = Tier 4
    ADSL2 = Tier 3
    ADSL3 = Tier 2
    ADSL4 = Tier 1

    So now it is your task to find out which destination IPs or which destination Ports do not like LoadBalancing.
    Then put these ports and IPs into separate aliases - call them "NoLoadBalancePorts" and "NoLoadBalanceIPs".

    Then create two other firewall rules on LAN on top of your "LoadBalance1" firewall rule.

    The one has as destination IPs the "NoLoadBalanceIPs" alias and as Gateway the "NoLoadBalance1" group.
    The second has as destination Ports the "NoLoadBalancePorts" alias and as Gateway the "NoLoadBalance2" group.

    So you have automatic failover for all three firewall rules and you can easily redirect different ports and/or destination IPs. The only things you now have to maintain are the two aliases containing the ports and the destination IPs.
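The rule ordering, tier failover and source-keyed pinning discussed in the two posts above, as an added Python model that is not part of this thread or of pfSense itself; the alias contents, the all-Tier-1 LoadBalance group and keying the sticky table by source IP are assumptions.

```python
"""Constructed model of the LAN policy routing described in this thread (not pfSense code).
Mimics first-match rule evaluation, gateway-group tiers with failover and the per-source
pinning of "sticky connections". Alias contents and LoadBalance tiers are assumptions."""

# Gateway groups as (gateway, tier); lower tier preferred, equal tiers share the load.
GATEWAY_GROUPS = {
    "LoadBalance":    [("ADSL1", 1), ("ADSL2", 1), ("ADSL3", 1), ("ADSL4", 1)],
    "NoLoadBalance1": [("ADSL1", 1), ("ADSL2", 2), ("ADSL3", 3), ("ADSL4", 4)],
    "NoLoadBalance2": [("ADSL1", 4), ("ADSL2", 3), ("ADSL3", 2), ("ADSL4", 1)],
}

# Aliases with constructed sample values (a TEST-NET-3 address, the HTTPS port).
NO_LB_IPS = {"203.0.113.10"}
NO_LB_PORTS = {443}

# LAN rules top to bottom; first match wins, as pfSense evaluates them.
RULES = [
    ("dst_ip",   NO_LB_IPS,   "NoLoadBalance1"),
    ("dst_port", NO_LB_PORTS, "NoLoadBalance2"),
    ("any",      None,        "LoadBalance"),
]

def match_group(dst_ip, dst_port):
    """Gateway group of the first LAN rule that matches the flow."""
    for kind, alias, group in RULES:
        if kind == "any" or (kind == "dst_ip" and dst_ip in alias) \
                or (kind == "dst_port" and dst_port in alias):
            return group

def usable_gateways(group, down=frozenset()):
    """Gateways in the lowest tier that still has an online member (failover)."""
    up = [(gw, tier) for gw, tier in GATEWAY_GROUPS[group] if gw not in down]
    if not up:
        return []
    best = min(tier for _, tier in up)
    return [gw for gw, tier in up if tier == best]

def route(src_ip, dst_ip, dst_port, down=frozenset(), sticky=None):
    """Candidate WANs for a flow. With a sticky table, a source host that is
    already pinned keeps its gateway instead of being balanced: the bandwidth
    loss the first post describes, and it is keyed by source, not destination."""
    group = match_group(dst_ip, dst_port)
    candidates = usable_gateways(group, down)
    if sticky is not None and len(candidates) > 1:
        if sticky.get(src_ip) not in candidates:
            sticky[src_ip] = candidates[0]  # first flow from this host pins it
        candidates = [sticky[src_ip]]
    return group, candidates
```

Because the IP rule sits above the port rule, a flow to an aliased IP on port 443 still takes NoLoadBalance1; only the sticky table shrinks the LoadBalance group to one WAN per source host.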



  • Thanks Nachtfalke, but I already implemented that solution.
    I really would like to have more, especially because I'm not getting enough feedback from the users on these LANs.



  • Hmm…if something isn't working and the users need this, then my phone will ring all the time.
    The other way the users will never call me and tell me "hey, all is working" ;)

