I know this has been beaten up before but I didn't see this particular issue
addressed.

I have dual firewalls (carp'd) with dual ISPs.  I perform outbound load
balancing per the following lines in pf.conf:

nat on fxp0 from $lan_net to any -> (carp0)
nat on fxp1 from $lan_net to any -> (carp1)

pass in on fxp2 route-to { (fxp0 10.2.2.2), (fxp1 10.3.3.3) } round-robin
inet from $lan_net to any keep state
pass out on fxp0 all queue usert
pass out on fxp1 all queue usert

I have users connecting to certain https sites who have some issues.  When
my users connect to the site they are load balanced and nat'd out my two
ISPs.  So if the site uses cookies it seems to break the "session".

I tried,

pass in on fxp2 route-to { (fxp0 $ext_gw1), (fxp1 $ext_gw2) } round-robin
sticky-address proto tcp from $lan_net to any port 443 keep state

But this only seemed to keep a sticky address for each remote IP address.
If a site uses multiple IP addresses, say one for the main site and another
to process credit cards, my user might hit the main site with an ISP1
address and the processing site with an ISP2 address.  This seems to confuse
the remote site, which resets the entire session.  The theory is that the
site cookie is tied to the originating IP address.  So, is there an (easy)
way to ensure that a local IP address "always" uses the same ISP?
Currently, I gave up and resorted to,

pass in on $int_if route-to { (fxp0 $ext_gw1) } proto tcp from $lan_net to
any port 443 keep state

Thanks,

-Steve S.
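As an added illustration (not from Steve's post or any reply to it), the fragment below puts the post's round-robin rule beside a rule that pins each LAN host to one ISP. It assumes the macros from the post ($lan_net, $int_if, $ext_gw1, $ext_gw2) and that the source-hash pool option, which picks the gateway from a hash of the packet's source address, is accepted on route-to as pf.conf(5) describes for pool options.

```pf
# Constructed example, not the original poster's pf.conf.
# Assumed macros: $lan_net, $int_if (fxp2), $ext_gw1 (reached via fxp0),
# $ext_gw2 (reached via fxp1).

# NAT each outbound path to the CARP address of that ISP's interface,
# so replies return on the link the packet left on.
nat on fxp0 from $lan_net to any -> (carp0)
nat on fxp1 from $lan_net to any -> (carp1)

# General traffic: round-robin picks the next gateway for every new
# state regardless of source, so one client's flows are spread across
# both ISPs (and both public addresses).
pass in on $int_if route-to { (fxp0 $ext_gw1), (fxp1 $ext_gw2) } \
    round-robin inet from $lan_net to any keep state

# HTTPS: pf applies the last matching rule, so this later rule wins for
# port 443.  source-hash chooses the gateway by hashing the source
# address, so a given LAN host always leaves via the same ISP no matter
# how many destination addresses a site uses.  A fixed key is given so
# both CARP firewalls, and every reload, compute the same mapping;
# the hex value here is a placeholder, generate your own.
pass in on $int_if route-to { (fxp0 $ext_gw1), (fxp1 $ext_gw2) } \
    source-hash 0x0123456789abcdef0123456789abcdef \
    proto tcp from $lan_net to any port 443 keep state

pass out on fxp0 all queue usert
pass out on fxp1 all queue usert
```

Without a key, pf generates a random one at load time, so the two CARP peers would hash the same host to different ISPs.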

