
Asus Dual Wan Load Balance Problems



Problems with Load Balancing. Some websites store session information including the client IP address, and if a subsequent connection to that site is routed out a different WAN interface using a different public IP address, the website will not function properly. I have recently purchased dual 1Gbps fibre broadband which I am wanting to run via my ASUS RT-AC88U in Load Balance mode with a 1:1 ratio. I utilised LAN port 3 as my secondary WAN (leaving ports 1 & 2 free for NAS Link Aggregation when I purchase my NAS) but that's when some of the problems started. I do know that when most of the people on the internet enable dual WAN with load balancing, they still have a working internet connection, and those that are using 3G/4G modems report data usage on them. So, enabling 'load balancing', however it works, is directing some traffic through both connections, without breaking things entirely.

I've been running pfSense in Dual WAN mode for more than a decade. Unfortunately, some sites lately are quite sensitive to a user session originating from multiple public IP addresses. The best description of the problem is from the official pfSense documentation:

Some websites store session information including the client IP address, and if a subsequent connection to that site is routed out a different WAN interface using a different public IP address, the website will not function properly. This is becoming more common with banks and other security-minded sites. The suggested means of working around this is to create a failover group and direct traffic destined to these sites to the failover group rather than a load balancing group. Alternately, perform failover for all HTTPS traffic.

The sticky connections feature of pf is intended to resolve this problem, but it has historically been problematic. It is safe to use, and should alleviate this, but there is also a downside to using the sticky option. When using sticky connections, an association is held between the client IP address and a given gateway, it is not based off of the destination. When the sticky connections option is enabled, any given client would not load balance its connections between multiple WANs, but it would be associated with whichever gateway it happened to use for its first connection. Once all of the client states have expired, the client may exit a different WAN for its next connection, resulting in a new gateway pairing.


After some testing and consideration let's leave the sticky connections unchecked. As mentioned above they are problematic.

Another description of the problem:

Some websites do not work properly if requests from the LAN are initiated from multiple public IP addresses. Hence load balancing is incompatible with these sites. Common examples are sites that maintain login sessions, most frequently online banking. This is most commonly observed with HTTPS sites so usually HTTPS should not be load balanced. Occasionally it is a problem with HTTP sites that maintain session, but this is rare.

For sites that do not function with load balancing, add firewall rules to not load balance traffic to these destinations or protocols.


Asus Dual Wan Setup


To alleviate this issue, you can do the following:
Here are my two Gateways


Make two Gateway Groups

One for Load Balancing
Set both Gateways to Tier 1

One for Failover
Set Tier 1 for the one and Tier 2 for the second

Go to the LAN Rules

Set the default LAN rule to use the Load Balancing Gateway Group.


Add a new rule that will be valid only for HTTPS connections and set the Gateway to the Failover Gateway Group.

This way all HTTPS connections will pass through the First WAN until it goes down and fail over to the Second. The alternative is to make a separate rule for each and every HTTPS site with issues. The rule will be very similar to the one for HTTPS. The difference will be that the Destination address will be a single Public IP. Doing so will load balance all other HTTPS connections that don't have this problem.
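The rule set described in the steps above, as a small Python model (an added example, not pfSense code or the author's configuration). The gateway names, the documentation-range IP addresses, the problem-site address and the turn-taking between equal-tier gateways are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Constructed gateways: name -> [public IP (documentation range), is_up]
GATEWAYS = {"WAN1": ["198.51.100.10", True], "WAN2": ["203.0.113.20", True]}
# Gateway groups as gateway -> tier, mirroring the two groups in the steps.
GROUPS = {"LoadBalance": {"WAN1": 1, "WAN2": 1},
          "Failover": {"WAN1": 1, "WAN2": 2}}
_turn = count()

def set_gateway_up(name, up):
    GATEWAYS[name][1] = up

def pick_gateway(group):
    """Lowest tier with a live gateway wins; equal tiers take turns."""
    live = {gw: t for gw, t in GROUPS[group].items() if GATEWAYS[gw][1]}
    if not live:
        raise RuntimeError(f"no gateway up in group {group}")
    members = sorted(gw for gw, t in live.items() if t == min(live.values()))
    return members[next(_turn) % len(members)]

@dataclass
class Rule:
    group: str
    proto: str = "any"
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, proto, dst_ip, dst_port):
        return (self.proto in ("any", proto)
                and self.dst_port in (None, dst_port)
                and self.dst_ip in (None, dst_ip))

# First match wins, so the HTTPS rule sits above the default LAN rule.
LAN_RULES = [Rule("Failover", proto="tcp", dst_port=443), Rule("LoadBalance")]
# Alternative from the text: pin only one problem site (constructed address).
PER_SITE_RULES = [Rule("Failover", "tcp", 443, "192.0.2.80"), Rule("LoadBalance")]

def egress_ip(proto, dst_ip, dst_port, rules=LAN_RULES):
    """Public source IP a new connection leaves with."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return GATEWAYS[pick_gateway(rule.group)][0]
    raise RuntimeError("no rule matched")

def source_ips_seen(n, proto, dst_ip, dst_port, rules=LAN_RULES):
    """Distinct public IPs a site sees across n new connections."""
    return {egress_ip(proto, dst_ip, dst_port, rules) for _ in range(n)}
```

A site that binds its session to the client IP keeps working as long as `source_ips_seen` returns a single address for it, which is what the Failover group guarantees while the Tier 1 gateway stays up.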

Tags: bonding, multi-wan, load balancer

Enable Dual Wan Asus

Dual-wan (multi-wan) routers, a.k.a. load balancers, allow you to use multiple internet connections and will generally double the overall throughput of your network; however, they will not increase the download speed of a single connection or a single download.
They are useful in environments with multiple simultaneous connections, where different transfers can be routed over different external IP addresses, effectively doubling the combined speed of all simultaneous transfers. One notable exception is using P2P software, or other similar programs that open multiple connections for the same download.
The most common load balancing routers support per-destination or per-packet balancing. Per-destination load balancing means the router distributes the packets based on the destination address. Given two paths to the same network, all packets for destination1 on that network go over the first path, all packets for destination2 on that network go over the second path, and so on. This preserves packet order, with potential unequal usage of the links. If one host receives the majority of the traffic all packets use one link, which leaves bandwidth on other links unused.
Per-packet load balancing means that the router sends one packet for destination1 over the first path, the second packet for (the same) destination1 over the second path, and so on. Per-packet load balancing guarantees equal load across all links. However, there is potential that the packets may arrive out of order at the destination because differential delay may exist within the network.
Some business grade routers may also support unequal cost load-balancing (IGRP and EIGRP routing processes), setting preferred routes, OSPF cost, BGP path selection algorithm, etc.
Note: Reportedly, some older residential dual-wan routers may have buggy implementations, causing some issues with VoIP, VPN and even SSL connections, especially if using per-packet balancing.

I have a 'limited' dual WAN setup working with BitTorrent. A torrent client should be assigned to one WAN interface exclusively for it to work well. I use source local IP and source port ranges (set in advanced settings of µTorrent) to accomplish this, and have two clients seeding for each IP.
Automatic load balancing where the client can establish connections via both WANs didn't work well enough. Remote peers eventually saw both of my IPs and tried to establish new connections to the one that was currently not connected to them. When my peer received the new connection, the previous one having the same peer-id was terminated, the peer was 'kicked' by my client, and the new connection took its time to ramp up to full speed (subject to latency and TCP slow start). The WAN interfaces kept switching around like this every few minutes.
I use MikroTik 'Per Connection Classifier' to distribute other connections (not bittorrent). The 'both addresses' mode is the safest. A pair of hosts local and remote always use the same interface.
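The per-packet and per-destination modes described in the article, and the 'both addresses' classification mentioned in the comment above, compared in a short simulation (an added example, not code from the page or from any router vendor). The addresses, the port range and the octet-sum hash are constructed stand-ins for whatever a real router uses.

```python
import ipaddress

WAN_IPS = ["198.51.100.10", "203.0.113.20"]  # constructed public IPs
_conn_table = {}  # 5-tuple -> link index, filled as connections appear

def _toy_hash(*addrs):
    # Stand-in for a router's classifier hash: sum of all address octets.
    return sum(sum(ipaddress.ip_address(a).packed) for a in addrs) % len(WAN_IPS)

def per_packet(pkt, seq):
    # Every packet takes the next link, whatever connection it belongs to.
    return WAN_IPS[seq % len(WAN_IPS)]

def per_connection(pkt, seq):
    # Each new connection gets the next link; its packets then stay there.
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    link = _conn_table.setdefault(key, len(_conn_table) % len(WAN_IPS))
    return WAN_IPS[link]

def per_destination(pkt, seq):
    # Link chosen from the destination address only.
    return WAN_IPS[_toy_hash(pkt["dst"])]

def both_addresses(pkt, seq):
    # Link chosen from the (local host, remote host) pair.
    return WAN_IPS[_toy_hash(pkt["src"], pkt["dst"])]

def simulate(mode, client="192.168.1.50", site="192.0.2.80", conns=8, pkts=4):
    """One client opens `conns` HTTPS connections to one site.

    Returns how many public IPs the site sees and how many connections
    had their packets split across links (the reordering risk).
    """
    seen, split, seq = set(), 0, 0
    for sport in range(50000, 50000 + conns):
        pkt = {"src": client, "sport": sport, "dst": site, "dport": 443}
        links = set()
        for _ in range(pkts):
            links.add(mode(pkt, seq))
            seq += 1
        seen |= links
        split += len(links) > 1
    return {"site_sees": len(seen), "split_connections": split}

if __name__ == "__main__":
    for mode in (per_packet, per_connection, per_destination, both_addresses):
        print(f"{mode.__name__:16}", simulate(mode))
```

Only the modes keyed on addresses keep `site_sees` at 1, which is why a host pair never changes interface under them, while per-connection balancing keeps packets in order but still presents both public IPs to the same site or peer.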



