On 2010-09-08, dontek <don...@gmail.com> wrote:
>
> I have a small issue with a particular website a client uses that does not
> like the outbound load balancing I have put in place on their firewall. The
> issue is that form authentication to the site fails from the internal
> network if the many requests the login generates get split between their two
> ISPs. Accessing the website from the firewall itself does not incur the
> same issue.
>
> I have put a band-aid on it by simply forcing all http traffic to that
> particular site out only one of the ISPs.
>
> This works until that ISP fails and I have to down that route. While the
> other route keeps internet access working, if the link that I have forced
> this website to use is the one that dies, that site is no longer accessible
> to the internal network.
Since it sounds like you have a method that changes the routing for the default gateway when a connection fails, can you just extend that to changing the routing or route-to rules for this site as well (place the rules in an anchor and switch them over)?

> I am looking for suggestions for a more elegant solution. Ideally, I think
> that when a host on the internal network requests a login to this particular
> site, if all traffic from that particular internal host could be directed
> through the same gateway it initiated the connection on, all would work with
> this website over either ISP and with the load balancing. Looking at
> tcpdump output, all traffic is standard http.

I can't even begin to think how you would write that as a PF rule even if it were implemented.

> If you have any suggestions on how this might be accomplished, or have any
> insight as to why this is happening, please respond.

Seems like it's just as simple as the website not allowing a session to be split between multiple IP addresses. This is not particularly uncommon (though usually when people do this, it's for security concerns, so they would also use https rather than http).
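The anchor approach suggested in the reply, written out as a pf.conf fragment. This is an added illustration, not configuration from either poster; the interface names, the documentation-range addresses, the anchor name "siteroute" and the two rule-file paths are assumptions chosen for the example. The site-specific route-to rule lives in its own anchor so the failover script can swap it independently of the main ruleset.

```pf
# Added example, not from the thread. Interface names, addresses, anchor
# name and file paths below are assumptions for illustration.
ext_if1 = "em1"           # link to ISP 1
ext_if2 = "em2"           # link to ISP 2
isp1_gw = "192.0.2.1"     # ISP 1 next hop (documentation address)
isp2_gw = "198.51.100.1"  # ISP 2 next hop (documentation address)
int_if  = "em0"
lan_net = "10.0.0.0/24"
site    = "203.0.113.10"  # the web server that rejects split sessions

# The rule for the problem site lives in an anchor so it can be replaced
# with "pfctl -a siteroute -f <file>" without reloading the whole ruleset.
# The anchor is evaluated before the balancing rule below; a matching
# "pass ... quick" rule inside it ends evaluation, so the balancer never
# sees that traffic.
anchor "siteroute" in on $int_if proto tcp from $lan_net to $site port 80

# Everything else is balanced across both ISPs as before.
pass in on $int_if route-to { ($ext_if1 $isp1_gw), ($ext_if2 $isp2_gw) } \
    round-robin from $lan_net to any keep state

# --- /etc/pf.site-isp1.conf (loaded into the anchor while ISP 1 is up) ---
# Files loaded into an anchor do not see the macros above, so use literals.
# pass in quick on em0 route-to (em1 192.0.2.1) proto tcp \
#     from 10.0.0.0/24 to 203.0.113.10 port 80 keep state
#
# --- /etc/pf.site-isp2.conf (loaded when ISP 1 is down) ---
# pass in quick on em0 route-to (em2 198.51.100.1) proto tcp \
#     from 10.0.0.0/24 to 203.0.113.10 port 80 keep state
#
# The existing failover script swaps the anchor contents, for example:
#   pfctl -a siteroute -f /etc/pf.site-isp2.conf    # ISP 1 went down
#   pfctl -a siteroute -f /etc/pf.site-isp1.conf    # ISP 1 is back
# and "pfctl -a siteroute -sr" shows which rule set is currently loaded.
```

One caveat when switching: states created before the swap keep the gateway they were routed to, so connections to the site that were open when the link died stay stuck on the dead ISP until they time out. Killing those states after loading the new anchor file (for example `pfctl -k 0.0.0.0/0 -k 203.0.113.10`, which kills states from any source to that host) forces clients to reconnect and pick up the new route-to rule.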