Inside load balancing sticky timeout - src.track
-
Is it possible to keep web sessions for 600 seconds on the same webserver inside a web farm (depending on the source IP)?
The sticky feature runs as long as we have states. I tried to use a special rule with a 600 second state in the advanced option, in order to keep long states, but the LB still balances inside connections after a few seconds.
I would be interested in a workaround or an experimental patch?
Regards,
-
YP -
Hi
I suppose I need to add a src.track timeout on my rule.
Is there an easy way to do it without breaking anything in the web interface?
Regards
-
YP -
Try this patch. It's very simple and we MIGHT be able to integrate it into 1.2 but I'll need to check with others on this.
Eclipse Workspace Patch 1.0
#P pfSense_RELENG_1_2
Index: etc/inc/filter.inc
RCS file: /cvsroot/pfSense/etc/inc/filter.inc,v
retrieving revision 1.575.2.368.2.57
diff -u -r1.575.2.368.2.57 filter.inc
–- etc/inc/filter.inc 5 Oct 2007 21:52:01 -0000 1.575.2.368.2.57
+++ etc/inc/filter.inc 21 Dec 2007 20:51:56 -0000
@@ -178,6 +178,7 @@
/* User defined maximum states in Advanced menu. */
$rules .= "set limit states {$config['system']['maximumstates']}\n";
}- $rules .= "set src.track 30\n";
$rules .= "\n";
update_filter_reload_status("Setting up SCRUB information");
- $rules .= "set src.track 30\n";
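Review bot: the inserted line `$rules .= "set src.track 30\n";` is not valid pf syntax; src.track is a timeout option and has to be emitted as `set timeout src.track 30`, otherwise pfctl rejects the generated ruleset and no rules load at all. The value is also hard-coded, so every install gets 30 seconds with no way to change it short of editing the patch; reading it from a config key under system -> advanced would make it the tunable the thread asks for. Note also that the quoted hunk has been run together by the forum: the added line and the closing `}` of the preceding block share a line, so copy it from the repository rather than from this post.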
-
Thanks a lot, I will give it a try.
My load balancer looks like this:
rdr inet proto tcp from any to 63.67.43.109 port = http -> { 52.41.76.140, 52.41.76.141, 52.41.76.142 } port 80 round-robin sticky-address
I would like IP source tracking for 300 seconds to be sure I don't lose any sessions (like baskets etc.).
When this patch is applied, does this mean I just need to add an allowing rule to the 3 real servers with the src track option to be sure the load balanced connection will stay for 300 seconds? What if the web server matching a source IP is down?
Regards,
YP -
This is an overall system setting. Setting this value will apply to all WANs.
Simply change 30 to 300 in the patch before applying.
-
Last question, is there a risk of states overload (RAM ?) playing with a too high timeout ?
-
Sorry but I got this (1.2 RC3)
There were error(s) loading the rules: /tmp/rules.debug:27: syntax error
pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [27]: set src.track 240…
I can read that in the /tmp/rules.debug
set src.track 240
-
Sorry
Here is the correct syntax
$rules .= "set timeout src.track 240\n";
The filter reloads, I will try it
Thanks a lot.
-
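As an added example (not code from the thread or from pfSense itself), here is a pf.conf fragment that puts the corrected directive from the post above next to the sticky-address rdr rule quoted earlier in the thread. The interface name, the macros and the pass rule are assumptions; the addresses and the 10000 src-nodes figure are the ones quoted in the thread.

```pf
# Added example, not from the thread. Interface name and macros are assumptions.
ext_if   = "em0"
web_vip  = "63.67.43.109"
web_pool = "{ 52.41.76.140, 52.41.76.141, 52.41.76.142 }"

# Wrong: this is what the first patch emitted, and pfctl rejects it
# with "syntax error" so the whole ruleset fails to load.
# set src.track 300

# Right: src.track is a timeout option. It is how long a source-tracking
# entry (the sticky mapping client IP -> backend) is kept after its last
# state expires. The default is 0, so the mapping disappears as soon as
# the client's states are gone and the next connection is balanced afresh.
set timeout src.track 300

# Source nodes are capped; the default limit is the 10000 seen in the thread.
# Raise it if the node count in the statistics approaches the limit.
set limit src-nodes 10000

# Sticky round-robin redirection to the three backends (rule from the thread).
rdr on $ext_if inet proto tcp from any to $web_vip port 80 \
    -> $web_pool port 80 round-robin sticky-address

# Let the redirected traffic through. These states are what the src.track
# countdown starts from once they expire.
pass in on $ext_if inet proto tcp from any to $web_pool port 80 \
    flags S/SA keep state
```

`pfctl -nf /tmp/rules.debug` parses the generated ruleset without loading it, and `pfctl -s Sources` lists the source-tracking nodes so you can see whether a client-to-backend mapping outlives its states.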
Thanks, I'll update the code. Please tell us how well this works. At the least we can add it to 1.3 and HEAD with a system -> advanced tunable box.
-
It doesn't work as I would want.
I spent quite a long time on pf docs and suppose this setting should keep the real server IP during this timeout setting. I am not sure I understood, but a round robin translation rule and a sticky setting should keep source IPs to the same destination server in the next connection… I can see the src nodes (and my own IP) in the pfs statistics, but I get several ones with my own IP to different web real servers (behind the carp VIP) and I still get load balanced on the 3 www when the states are expired (before the 4 minutes defined). My max src nodes are under the 10000 limit (2000), so I think this is something else.
I will continue to read pf howtos etc.
Any piece of advice would be appreciated.