Remove specific website from LB



  • Hello,

    As I mentioned in another thread, I now have a HUGE problem with a specific website accessed from my 3-WAN pfSense appliance. I have a 2-WAN gateway group with both WANs as Tier 1 and an HTTPS failover group with both WANs on different tiers (1, 2).

    I have also checked sticky connections.

    I have no problem with bank sites or Apple's GSX or other HTTP(S) websites, ONLY WITH ONE, which is one big supplier that my managers visit a lot; it is not working and drops us out all the time. They claim that our WAN IP is changing constantly.

    I have also created an alias and 2 firewall rules to drive the connection to this site to get out only from my main WAN, not the Group (please check images).

    However, nothing works. We get dropped out.

    Can you please elaborate? I have a HUGE problem with this thing, because the Sales managers are trying to order, and they get frustrated.

    How can I check in logs that the firewall rule matches?

    Best regards

    Kostas



  • Does it work any better if you use an IP address instead of a DNS name in that alias?



  • Thank you. I tried it, no luck. The same.

    Best regards

    Kostas



  • Since this portal is using both HTTP and HTTPS, maybe this cannot be done?

    Maybe it is better to "route" this client to the Internet using only one gateway or only the HTTPS failover group (which has the WANs with different tiers).

    How do I identify the client in order to accomplish this?

    Best regards

    Kostas



  • Hi,

    I would try this:
    1.) Route all (TCP/UDP) traffic for one source IP address to one gateway. (firewall rule)
    2.) Start a packet capture and enable logging for this firewall rule.
    3.) This host should then connect to this webpage.
    4.) Check all the destination IPs and put these IPs into an alias.
    5.) Check all the destination ports/protocols and put these ports into another alias.

    Then create a firewall rule which routes all traffic with these destination aliases through your failover gateway group.

    The problem could be that the webpage redirects traffic to another URL and is switching between HTTP and HTTPS. You must find a way to get this all into one rule.
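    Steps 4 and 5 of the procedure above (collecting the client's destination IPs and ports from the capture into two alias lists) as an added worked example; this is not code from the thread or from pfSense. It parses the text output of `tcpdump -nn -r capture.cap` on the .cap file downloaded from Diagnostics -> Packet Capture, keeps only packets sent by the client, and skips LAN destinations so the firewall's own DNS traffic is not mistaken for the portal. The client address, LAN network and capture lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# One line of "tcpdump -nn" text output for an IPv4 TCP/UDP packet:
# "<time> IP <src>.<sport> > <dst>.<dport>: ..."
PKT_RE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)


def outbound_destinations(lines, src_host, exclude_nets=()):
    """Return {dst_ip: set(dst_ports)} for packets sent by src_host.

    Replies (packets whose source is not src_host) are ignored, as are
    destinations inside exclude_nets (e.g. the LAN, so DNS queries to the
    firewall do not end up in the portal alias).
    """
    excluded = [ipaddress.ip_network(n) for n in exclude_nets]
    dests = defaultdict(set)
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue  # ARP, ICMP, IPv6 or non-packet lines
        src, _sport, dst, dport = m.groups()
        if src != src_host:
            continue
        if any(ipaddress.ip_address(dst) in net for net in excluded):
            continue
        dests[dst].add(int(dport))
    return dict(dests)


def alias_entries(dests):
    """Flatten the summary into the two pasteable alias lists: IPs and ports."""
    ips = sorted(dests, key=ipaddress.ip_address)
    ports = sorted({p for ps in dests.values() for p in ps})
    return ips, ports


# Constructed sample: LAN host 192.168.1.50 resolves the portal via the firewall,
# logs in over HTTPS, is redirected to a second server for HTTP/HTTPS browsing.
SAMPLE = """\
19:32:28.100000 IP 192.168.1.50.53001 > 192.168.1.1.53: 41234+ A? portal.example. (32)
19:32:28.200000 IP 192.168.1.50.51234 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
19:32:28.300000 IP 203.0.113.10.443 > 192.168.1.50.51234: Flags [S.], seq 2, ack 2, length 0
19:32:29.000000 IP 192.168.1.50.51235 > 198.51.100.7.80: Flags [S], seq 3, win 65535, length 0
19:32:29.500000 IP 192.168.1.50.51236 > 198.51.100.7.443: Flags [S], seq 4, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    found = outbound_destinations(SAMPLE, "192.168.1.50", exclude_nets=["192.168.1.0/24"])
    print(alias_entries(found))  # (['198.51.100.7', '203.0.113.10'], [80, 443])
```

    The second IP in the result is the redirect target that the first alias would miss; both go into the destination alias used by the gateway rule.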



  • Thank you.

    Yes, the host is changing: you start with HTTPS when logging in and then it turns to HTTP for browsing the products.
    2 questions:
    1. Where do I start the tcpdump? In pfSense's terminal?
    2. Where in the logs is the firewall-rule-specific log? I have enabled it in the rule, but in the logs I see only the traffic from LAN to the website address, without indication that the rule is triggered.

    Thank you for the help so far.

    Best regards

    Kostas



  • @costasppc:

    Thank you.

    Yes, the host is changing: you start with HTTPS when logging in and then it turns to HTTP for browsing the products.
    2 questions:
    1. Where do I start the tcpdump? In pfSense's terminal?

    Yes, in pfSense there is a capture option. You can find it in "DIAGNOSTICS -> Packet Capture". Set the source IP of the host which tries to connect to the website and set the level of detail to "full". After you have finished you can download this capture as a .cap file and analyze it in Wireshark or "NetWitness Investigator" (this tool has a powerful GUI).

    @costasppc:

    2. Where in the logs is the firewall-rule-specific log? I have enabled it in the rule, but in the logs I see only the traffic from LAN to the website address, without indication that the rule is triggered.

    When you create the firewall rule for the client, scroll down and you will find "Log this rule" or something like that. Then all traffic which is affected by this rule will be shown in the system log. If you log other traffic you will see this traffic too, so it is probably best to disable all other logging temporarily so you only see the traffic you like/need.



  • Thank you, it worked (since I found that this web portal is redirecting to another subdomain). I added the second IP to the aliases and since then I have had no complaints.

    However…

    I never got to create the packet capture. I used LAN and my computer as host, and browsed the web portal in question, and NetWitness shows me only my host as source and pfSense as destination.

    What am I doing wrong?

    Best

    Kostas



  • @costasppc
    When you create the alias or enter the domain in the firewall you have to take care that mydomain.com will not cover subdomain.mydomain.com.
    So you have to enter all domains and subdomains into the alias. But you got it working :-)

    Packet Capture:
    Are you using Squid? This could be the problem, because all the traffic for HTTP is redirected to Squid and then pfSense/Squid is doing the connection to the destination webserver and not your host.
    And this could also be a reason: load balancing is not always the problem, sometimes Squid is the problem. The website recognizes Squid and this sometimes causes problems.



  • @Nachtfalke:

    @costasppc
    When you create the alias or enter the domain in the firewall you have to take care that mydomain.com will not cover subdomain.mydomain.com.
    So you have to enter all domains and subdomains into the alias. But you got it working :-)

    Yes! Because I used the IPs… ;-)

    @Nachtfalke:

    Packet Capture:
    Are you using Squid? This could be the problem, because all the traffic for HTTP is redirected to Squid and then pfSense/Squid is doing the connection to the destination webserver and not your host.
    And this could also be a reason: load balancing is not always the problem, sometimes Squid is the problem. The website recognizes Squid and this sometimes causes problems.

    No I do not use Squid.

    Best

    Kostas

