<![CDATA[Inside load balancing sticky timeout - src.track]]>Is it possible to keep web sessions during 600 seconds to the same websever inside a web  farm (depending on the source IP) ?

The sticky feature runs as long as we have states , I tried to use a special rule with a 600 seconds state in the advanced option, in order to keep long sates, but the LB still balance inside connections after a few seconds.

I would be interested in a work around or an experimental patch ?

Regards,

YP

]]>https://forum.netgate.com/topic/6785/inside-load-balancing-sticky-timeout-src-trackRSS for NodeMon, 15 Jun 2026 11:17:57 GMTThu, 20 Dec 2007 16:54:02 GMT60<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Sat, 22 Dec 2007 09:11:09 GMT]]>It doesn't work as I would want.
I spent quiet a long time on pf docs and suppose this setting should keep the real server IP during this timeout setting. I am not sure i understood , but a round robin translation rule and a sticky setting should keep sources IP to the same destination server in the next connection…

I can see the src nodes (and my own IP) in the pfs statistics, but I get several ones with my own IP to different web real server (behind the carp VIP) and I still get loadbalanced on the 3 www when the states are expired (before the 4 minutes defined). My max src nodes are under the 10000 limit - 2000 - so I think this is something else.
I will continue to read pf howtos etc
Any piece of advice would be appreciated,

]]>https://forum.netgate.com/post/163651https://forum.netgate.com/post/163651Sat, 22 Dec 2007 09:11:09 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 22:22:51 GMT]]>Thanks, I'll update the code.  Please tell us how well this works.  At the least we can add it to 1.3 and HEAD with a system -> advanced tunable box.

]]>https://forum.netgate.com/post/163643https://forum.netgate.com/post/163643Fri, 21 Dec 2007 22:22:51 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 21:55:23 GMT]]>@youri:

Sorry but i got his (1.2 RC3)

There were error(s) loading the rules: /tmp/rules.debug:27: syntax errorpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [27]: set src.track 240…

I can read that in the /tmp/rules.debug

set src.track 240

Sorry

Here is the correct synthax

$rules .= "set timeout src.track 240\n";

The filter reloads, I will try it

Thanks a lot.

]]>https://forum.netgate.com/post/163641https://forum.netgate.com/post/163641Fri, 21 Dec 2007 21:55:23 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 21:49:46 GMT]]>Sorry but i got his (1.2 RC3)

There were error(s) loading the rules: /tmp/rules.debug:27: syntax errorpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [27]: set src.track 240…

I can read that in the /tmp/rules.debug

set src.track 240

]]>https://forum.netgate.com/post/163638https://forum.netgate.com/post/163638Fri, 21 Dec 2007 21:49:46 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 21:33:58 GMT]]>@sullrich:

This is a overall system setting.   Setting this value will apply to all WAN's.

Simply change 30 to 300 in the patch before applying.

Last question, is there a risk of states overload (RAM ?) playing with a too high timeout ?

]]>https://forum.netgate.com/post/163636https://forum.netgate.com/post/163636Fri, 21 Dec 2007 21:33:58 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 21:22:49 GMT]]>This is a overall system setting.  Setting this value will apply to all WAN's.

Simply change 30 to 300 in the patch before applying.

]]>https://forum.netgate.com/post/163635https://forum.netgate.com/post/163635Fri, 21 Dec 2007 21:22:49 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 21:00:44 GMT]]>Thanks a lot, I will give it a try.

My load balancer looks like this :

rdr inet proto tcp from any to 63.67.43.109 port = http -> { 52.41.76.140, 52.41.76.141, 52.41.76.142 } port 80 round-robin sticky-address

I would like an ip source tracking during 300 seconds to be sure I don't lose any sessions (like baskets etc)

When this patch is applied, does this mean I just need to add an allowing rule to the 3 real server with the src track option to be sure the load balanced connection will stay during 300 seconds ? What if the web server matching a source IP is down ?

Regards,
YP

]]>https://forum.netgate.com/post/163634https://forum.netgate.com/post/163634Fri, 21 Dec 2007 21:00:44 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 20:52:32 GMT]]>Try this patch.  It's very simple and we MIGHT be able to integrate it into 1.2 but I'll need to check with others on this.

Eclipse Workspace Patch 1.0

#P pfSense_RELENG_1_2
Index: etc/inc/filter.inc

RCS file: /cvsroot/pfSense/etc/inc/filter.inc,v
retrieving revision 1.575.2.368.2.57
diff -u -r1.575.2.368.2.57 filter.inc
–- etc/inc/filter.inc 5 Oct 2007 21:52:01 -0000 1.575.2.368.2.57
+++ etc/inc/filter.inc 21 Dec 2007 20:51:56 -0000
@@ -178,6 +178,7 @@
/* User defined maximum states in Advanced menu. */
$rules .= "set limit states {$config['system']['maximumstates']}\n";
}

  • $rules .= "set src.track 30\n";
    $rules .= "\n";

update_filter_reload_status("Setting up SCRUB information");

]]>https://forum.netgate.com/post/163633https://forum.netgate.com/post/163633Fri, 21 Dec 2007 20:52:32 GMT<![CDATA[Reply to Inside load balancing sticky timeout - src.track on Fri, 21 Dec 2007 20:49:13 GMT]]>Hi

I suppose I need to add a src.track timeout on my rule.
Is there an easy way to do it without breaking anything in the web interface ?

Regards

YP

]]>https://forum.netgate.com/post/163632https://forum.netgate.com/post/163632Fri, 21 Dec 2007 20:49:13 GMT