Load Balancing just doesn't work (but 1 WAN or the other is just fine)



  • Hello all,

    I've been messing around with pfSense for some time now, and for the life of me I haven't been able to get load balancing to work nicely.  I've followed MultiWAN 1.2 to the point, changing my setup to be exactly like it, but no go.  Attached is an image describing my setup and a copy of my config.

    The issue:
    Using load balancing, every once in a while the internet will 'stop responding'.  Cannot ping the outside world past the two routers that manage each WAN connection.  I've followed MultiWAN 1.2 exactly; the only exception is that I did not add the two failover profiles in the LoadBalancer config.  It acts like a DNS issue, but I did set them correctly for each interface in the Load Balancer pool.  Status > Loadbalancer shows that both interfaces are online.  If I reset the firewall state table, the issue fixes itself.  Sticky connections is enabled.

    This issue does not affect the services hosted individually on each WAN connection.  If I route my LAN traffic through one specific WAN connection, I don't have this issue either.  Check out the image and config file (http://www.freefileupload.net/file.php?file=files/180907/1190095387/config-pfsense.msnet.local-20070910172745.xml), as they will explain my setup better than I can :\

    On another note:  In my image I show that I have a router between my WAN interfaces and their modems.  I would like to remove these from my setup if possible, as they bottleneck my bandwidth.  I was having this same issue with PPPoE for WAN1 and a dynamic IP for WAN2, but hoped that putting them in would fix the issue.

    Any suggestions or pointers to the right direction would be greatly appreciated, and I look forward to helping out the pfsense community once I get this figured out.



  • Hi,

    I have a similar problem; when I deactivated the sticky connections, everything seems to work fine.  Can you confirm?

    Martin



  • I deactivated sticky connections, and it did not appear to change anything.  I did however, delete and re-add my load balancer pools, and that appeared to make it work, as I haven't had the issue described in my original post at all.  But then again, I might be getting lucky.



  • I could see there being a potential issue with sticky sessions and multi-wan.  I believe the sticky sessions was really intended for inbound load balancing, not outbound balancing.

    –Bill



  • I am having the same problem; turning the sticky sessions option on caused a lot of connection drops. If sticky session is off the behaviour is normal.

    The problem now, of course, is if there are no sticky sessions available a lot of "authorization" is going to fail because the connections are balanced.

    Anyone found a solution for this problem?



  • My main load balancing app is usenet.  So I stopped using the load balancer and set up static routes to each news server.  Life has been much less frustrating since then.  The load balancer in pfSense seems to need much more work.



  • Hi

    Even I had this problem. Then I spent a lot of time with the pfSense docs, and I followed the docs well; now it's fine. I hope you will have to look at Firewall Rules. And check that your routers are always in different IP nets.

    However, try to follow the sample till you get a working balancer and then customize it.

    http://doc.pfsense.org/index.php/MultiWanVersion1.2#Setting_up_Load_Balancing_pools
    http://devwiki.pfsense.org/OutgoingLoadBalancing
    http://devwiki.pfsense.org/IncomingLoadBalancing

    Manjula



  • @billm:

    I could see there being a potential issue with sticky sessions and multi-wan.  I believe the sticky sessions was really intended for inbound load balancing, not outbound balancing.

    –Bill

    I've just tested it, thinking it is a bug while using sticky connections and the load balancer function in output …

    Regards



  • Well, I don't recall if the GUI allows setting the sticky connection option for NAT too.
    This should fix the problems.



  • Um, just for clarity, check the man page; for NAT you need to set source-hash.



  • Can you try the attached patch and report back if it fixes the issues?!

    Thank you.

    sticky_address_RELENG_1_2.diff.txt



  • Hi,
    I'm having the same problem when using stickies + loadbalancer. What does the patch do? I will try it too anyways.
    Thanks
    Rodolfo



  • While searching the net a bit I found this:

    http://lists.freebsd.org/pipermail/freebsd-pf/2008-January/003987.html

    which says:

    NOTE: I seriously doubt "sticky-address" will work on FreeBSD- it was broken
    for couple of years already and looks like noone cares to fix it (it work on
    OpenBSD of course). Without this option load balancing is a joke.

    Does anyone know how much of this is true?
    Thanks again
    Rodolfo



  • It is not true.

    Just people misconfiguring things, as usual.



  • @ns1000:

    I am having the same problem; turning the sticky sessions option on caused a lot of connection drops. If sticky session is off the behaviour is normal.

    The problem now, of course, is if there are no sticky sessions available a lot of "authorization" is going to fail because the connections are balanced.

    Anyone found a solution for this problem?

    To get around authorization issues I added firewall rules from LAN to a specific WAN.

    For instance, I forwarded all HTTPS traffic to WAN1, so banking websites and just about everything else that starts with "https://" doesn't have auth issues.

    Another example would be AIM/ICQ.  Those two apps require HTTPS to authenticate username and password, then use TCP 5190 to do their thing.  I just forwarded 5190 to WAN1 with the existing HTTPS rule.

    I have kept sticky connections off as it breaks Source Dedicated Server (srcds).



  • @eri--:

    It is not true.

    Just people misconfiguring things, as usual.

    But in this case, aren't things configured automatically by pfSense? I tried the patch, but stickies didn't work as usual :( (it works for say…. 20 minutes then I can't make any connections to the internet). What does the patch do?
    Thanks
    Rodolfo



  • It depends on the load you have. You might be reaching source hash limit.

    And the patch is a test and if you want it to be correct you should report back your findings.



  • Hi,
    I studied the patch a bit and it seems to add sticky-address to the nat rules. But since I am not using a nat pool, it shouldn't make any difference.
    How do I check if I reach limits? BTW I don't think this is the cause, because we have only 5 clients connecting to the internet. I tried setting up a quick'n dirty box with OpenBSD, and the stickies work flawlessly with 2 WANs.
    Regards
    Rodolfo
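
On the question of how to check whether a limit is being reached, the following is an added example, not part of any post in this thread. It assumes the limit meant is pf's `src-nodes` hard limit and that the source-tracking entries created by sticky-address are listed by `pfctl -s Sources`; the sample outputs, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: measure pf source-tracking (sticky-address) usage.
# Live use: pfctl -s memory | src_node_limit ; pfctl -s Sources | src_node_count

# Constructed sample of `pfctl -s memory` output.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Constructed sample of `pfctl -s Sources` output: 5 LAN clients, 2 gateways.
# Assumption: the address after "->" is the gateway the client is pinned to.
SAMPLE_SOURCES='192.168.1.10 -> 10.0.1.1 ( states 12, connections 0, rate 0.0/0s )
192.168.1.11 -> 10.0.2.1 ( states 3, connections 0, rate 0.0/0s )
192.168.1.12 -> 10.0.1.1 ( states 7, connections 0, rate 0.0/0s )
192.168.1.13 -> 10.0.1.1 ( states 1, connections 0, rate 0.0/0s )
192.168.1.14 -> 10.0.2.1 ( states 9, connections 0, rate 0.0/0s )'

# Print the src-nodes hard limit found in `pfctl -s memory` text on stdin.
src_node_limit() {
    awk '$1 == "src-nodes" { print $NF }'
}

# Print the number of source-tracking entries in `pfctl -s Sources` text.
src_node_count() {
    awk '/ -> / { n++ } END { print n + 0 }'
}

# Print "gateway count" lines: how many sources are pinned to each gateway.
pinned_per_gateway() {
    awk '/ -> / { c[$3]++ } END { for (g in c) print g, c[g] }' | sort
}

# Print the percentage of the limit in use, rounded down. $1=count $2=limit
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# Summarise usage from the two captured outputs. $1=memory text $2=sources text
report() {
    limit=$(printf '%s\n' "$1" | src_node_limit)
    count=$(printf '%s\n' "$2" | src_node_count)
    [ -n "$limit" ] || { echo "no src-nodes limit in input" >&2; return 1; }
    echo "src-nodes in use: $count of $limit ($(usage_percent "$count" "$limit")%)"
    printf '%s\n' "$2" | pinned_per_gateway
}

report "$SAMPLE_MEMORY" "$SAMPLE_SOURCES"
```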

