Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
Hi,

you should also have a look at the state trimming – sloppy. If your packets go different ways, you always should use sloppy states with PortFilter. You can use different GWs for HTTPS, btw. Just try to tag your packets “sloppy” in the ruleset.

-m.

From: list-boun...@lists.pfsense.org On behalf of Diego Barrios
Sent: Wednesday, 20 February 2013 02:52
To: pfSense support and discussion
Subject: Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing

> This option Sticky Connections doesn't work for dual-WAN load balance, it's made for the Balancer (load balance between two or more internal webservers from outside world for example). You should force HTTPS to always use the same link instead (just create a gateway group with WAN Tier1 and OPT1 Tier2 in this case).
>
> Seko
>
> From: Stefan Baur newsgroups.ma...@stefanbaur.de
> To: list@lists.pfsense.org
> Sent: Tuesday, February 19, 2013 7:26:23 PM
> Subject: Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
>
> On 19.02.2013 23:06, Stefan Baur wrote:
>
>>>> You may find enabling 'sticky connections' in Advanced Settings might do what you wish.
>>>
>>> That's not quite where I would have searched for it, but it's great that the feature already exists. Thanks for the pointer! :-)
>>
>> Seems I was a little trigger-happy here. Changing the setting didn't alter the behavior. I also rebooted the pfSense box just to make sure, but it doesn't help. :-(
>>
>> And this is even happening on web sites that offer a "keep me logged in for two weeks" checkbox similar to what Google Mail does. (I usually don't use these checkboxes but just gave it a try, to see if it changes anything.)
>>
>> -Stefan

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
> I'm using 2.0.1-RELEASE, in a dual-WAN configuration with loadbalancing. Some websites that require a login apparently do not like that, as I'm constantly being asked to re-authenticate.
>
> Is there a way to make pfSense remember the pairs of source and destination IP, and only use the other WAN interface after a timeout of 5 minutes or so has been exceeded, if the same IP pairs want to talk to each other again?

You may find enabling 'sticky connections' in Advanced Settings might do what you wish.

Kind regards,
Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
On 2/19/2013 1:54 PM, Chris Bagnall wrote:

>> I'm using 2.0.1-RELEASE, in a dual-WAN configuration with loadbalancing. Some websites that require a login apparently do not like that, as I'm constantly being asked to re-authenticate.
>>
>> Is there a way to make pfSense remember the pairs of source and destination IP, and only use the other WAN interface after a timeout of 5 minutes or so has been exceeded, if the same IP pairs want to talk to each other again?
>
> You may find enabling 'sticky connections' in Advanced Settings might do what you wish.
>
> Kind regards,
> Chris

I also had this issue a while back. But I solved it differently (although sticky connections would fix this for sure). I made the assumption that most websites are using https for authentication. So I forced https traffic through a fail-over routing group instead of load balancing.

For me, turning on sticky connections prevents connection load-balancing for torrents and other multi-part downloads (ex. Steam and Origin game clients).

--
Jason
Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
On 19.02.2013 23:06, Stefan Baur wrote:

>> You may find enabling 'sticky connections' in Advanced Settings might do what you wish.
>
> That's not quite where I would have searched for it, but it's great that the feature already exists. Thanks for the pointer! :-)

Seems I was a little trigger-happy here. Changing the setting didn't alter the behavior. I also rebooted the pfSense box just to make sure, but it doesn't help. :-(

And this is even happening on web sites that offer a "keep me logged in for two weeks" checkbox similar to what Google Mail does. (I usually don't use these checkboxes but just gave it a try, to see if it changes anything.)

-Stefan
Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
On 19 Feb 2013, at 22:30, Dickie Bradford dbradf...@never-enuff.net wrote:

> I had the same issue with https and constantly having to re-login, the way I worked around it was to force all https connections out the fastest WAN link. It's not ideal, but it was the only way I found to address it.

This is usually the approach I take.

An alternative - assuming your network traffic is fairly evenly spread amongst a number of similar clients - might be to alternate WAN links based on source rather than destination. For example, x.y.z.1 goes via WAN1, x.y.z.2 goes via WAN2, x.y.z.3 via WAN1, etc.

Having said that, I've found the best approach is often to choose the WAN link based on service (i.e. port). Most people don't mind if their HTTP requests are a bit slower than usual when things are busy, but people get very upset when time-critical traffic is delayed - SSH terminals become virtually unusable, VoIP is all but impossible, etc. So you may be able to achieve a better user experience by routing HTTP down one connection and everything else down the other connection. In extremis, you might even have a separate connection purely for torrents and the like.

Kind regards,
Chris
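The routing choices discussed in this thread, modelled as an added example that is not part of any poster's message or of pfSense itself: it reports which client/server flows end up leaving through more than one WAN under per-connection balancing, source-based alternation, and HTTPS pinned to one link. The gateway names, addresses and connection list are constructed, and it assumes a login breaks when the site sees the same client arrive from two different WAN addresses.

```python
from itertools import cycle

WANS = ["WAN1", "WAN2"]  # hypothetical gateway names

# Constructed sample: (client, server, dst port), in the order connections open.
A, B = "10.0.0.1", "10.0.0.2"
CONNS = [
    (A, "203.0.113.10", 443), (A, "203.0.113.10", 443),
    (B, "203.0.113.10", 443), (B, "203.0.113.10", 443),
    (B, "198.51.100.20", 80), (B, "198.51.100.20", 80),
]

def round_robin():
    """Per-connection load balancing: each new connection takes the next WAN."""
    nxt = cycle(WANS)
    return lambda src, dst, port: next(nxt)

def by_source():
    """Alternate on the client's last octet: .1 -> WAN1, .2 -> WAN2, .3 -> WAN1."""
    return lambda src, dst, port: WANS[(int(src.rsplit(".", 1)[1]) - 1) % len(WANS)]

def by_service(fallback):
    """Pin HTTPS to WAN1 (tier 1 of a failover group, assumed up); balance the rest."""
    return lambda src, dst, port: "WAN1" if port == 443 else fallback(src, dst, port)

def split_flows(policy, conns):
    """Return the (client, server, port) tuples that left through more than one WAN."""
    seen = {}
    for conn in conns:
        seen.setdefault(conn, set()).add(policy(*conn))
    return sorted(flow for flow, wans in seen.items() if len(wans) > 1)

if __name__ == "__main__":
    for name, policy in [("round-robin", round_robin()),
                         ("by source", by_source()),
                         ("HTTPS pinned", by_service(round_robin()))]:
        print(f"{name:13} split flows: {split_flows(policy, CONNS)}")
```

With HTTPS pinned, only the plain-HTTP flow is still spread over both links, which is the trade-off the posters describe: logins stay on one address while other traffic keeps being balanced.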
Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing
This option Sticky Connections doesn't work for dual-WAN load balance, it's made for the Balancer (load balance between two or more internal webservers from outside world for example). You should force HTTPS to always use the same link instead (just create a gateway group with WAN Tier1 and OPT1 Tier2 in this case).

Seko

----- Original Message -----
From: Stefan Baur newsgroups.ma...@stefanbaur.de
To: list@lists.pfsense.org
Sent: Tuesday, February 19, 2013 7:26:23 PM
Subject: Re: [pfSense] 2.0.1-RELEASE, dual-WAN with loadbalancing

On 19.02.2013 23:06, Stefan Baur wrote:

>>> You may find enabling 'sticky connections' in Advanced Settings might do what you wish.
>>
>> That's not quite where I would have searched for it, but it's great that the feature already exists. Thanks for the pointer! :-)
>
> Seems I was a little trigger-happy here. Changing the setting didn't alter the behavior. I also rebooted the pfSense box just to make sure, but it doesn't help. :-(
>
> And this is even happening on web sites that offer a "keep me logged in for two weeks" checkbox similar to what Google Mail does. (I usually don't use these checkboxes but just gave it a try, to see if it changes anything.)
>
> -Stefan