Https problems



  • Hello,
    I have a network with pfsense 2.1.5 and dual wan in load balancing.
    Due to the load balancing bug explained in another thread I had to jump on 2.2beta.
    Now load balancing seems to work.
    But several people are not able to access https sites. For example, everyone uses Gmail over https. After some time half of them cannot access Gmail (blank page, random errors etc.)

    I supposed that it was a dual WAN related problem, but even when I disable the second WAN the problem persists.

    Can you help me?

    Is it a beta problem? Is it not?

    Thanks,
    Mario



  • I notice now that I have automatic NAT, but automatic rules are created only for the first WAN. Is it OK?



  • It should generate the automatic NAT for every interface that has a gateway set (=WAN). Now in 2.2 there is hybrid NAT mode. You might have had manual outbound NAT set in 2.1.5 and so it is now stuck on just the manual NAT that is there. Maybe try deleting any NAT rules that it has and going back to just automatic. Look in /tmp/rules.debug and search for "NAT" to find what rules it really has implemented.
    If the users are load-balancing between 2 WANs then:

    1. If one of the WANs does not have NAT applied, then half the time their connections will not work.
    2. If a state times out when using Google mail etc. (like they do nothing for a while), then when the browser gets going again the comms might go out the other WAN. Google will see the comms coming from a different public IP and might make them log in again…
      If that is happening, then put special traffic like this into a failover group - i.e. make it normally stick to 1 of the WANs. This happens a bit with email or banking sites that do not like the user switching their public IP during a logged-on session.
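The check suggested above (search /tmp/rules.debug for the NAT rules that were really generated and confirm every WAN has one) can be scripted. The following is an added example, not code from the original post or from the pfSense project; the rules file it parses is a constructed sample written in the pf `nat on $IFACE ...` style and is an assumption about the format, so on a real box point `nat_on_interfaces` at /tmp/rules.debug and compare against your own interface macro names.

```sh
#!/bin/sh
# Constructed sample of a pfSense-style rules.debug (assumption: interface
# macros at the top, outbound NAT written as "nat on $MACRO ..." lines).
# Only WAN gets NAT here, which reproduces the symptom in the thread.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# Interface macros (constructed sample)
WAN = "{ em0 }"
OPT1 = "{ em1 }"
LAN = "{ em2 }"

# Outbound NAT rules
nat on $WAN inet from 192.168.1.0/24 to any port 500 -> 203.0.113.10/32 static-port
nat on $WAN inet from 192.168.1.0/24 to any -> 203.0.113.10/32 port 1024:65535
EOF

# Print every interface macro (or raw interface name) that has at least one
# outbound NAT rule, one per line, without the leading "$" and deduplicated.
nat_on_interfaces() {
    grep -E '^[[:space:]]*nat on ' "$1" \
        | awk '{ print $3 }' \
        | sed 's/^\$//' \
        | sort -u
}

# Usage: missing_nat RULESFILE WAN1 WAN2 ...
# Prints each named WAN that has no "nat on" rule in the file. An empty
# result means every gateway interface you listed is covered.
missing_nat() {
    file=$1
    shift
    have=$(nat_on_interfaces "$file")
    for w in "$@"; do
        printf '%s\n' "$have" | grep -qx "$w" || printf '%s\n' "$w"
    done
}

# Stand-alone run: report which of the two WANs lacks outbound NAT.
echo "Interfaces with outbound NAT:"
nat_on_interfaces "$RULES"
echo "WANs missing outbound NAT:"
missing_nat "$RULES" WAN OPT1
```

On a live firewall the same idea is `missing_nat /tmp/rules.debug WAN OPT1`; if the second WAN shows up as missing, the outbound NAT mode is still effectively manual and half of the load-balanced sessions leave with an unroutable private source address, exactly the "works half the time" pattern described.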


  • Hi again and thanks.
    Now I have checked NAT and it is all OK.
    I have also tried failover and sticky connections, but the problem persists.
    What can I do? Can it be a bug?

    Thanks,
    Mario



  • Updating to the latest beta and putting https only on WAN1 has solved the problem. I am closing the post.

