WAN Load-Balancing & Unexpected Internet Banking Problem


#1

Hi !

I’ve got an unexpected problem with WAN load-balancing and internet banking.
The bank’s web server terminates connections because the source IP keeps switching.
Router from the beginning was initialized with

set load-balancing wan sticky connections inbound

However, banking sessions often take a long time, and the outgoing IP changes anyway.
What quick fix could you suggest? Internal PCs have fixed IPs, so actually only traffic from a couple of PCs should be directed through wan1 or wan2. Filtering by bank IP is not possible: we use several banks, and their IPs may change over time.

Thanks in advance for any suggestion(s).


#2

Unfortunately the statement above only makes one individual connection stick to an uplink. (I.e. if you initiate two connections to the same destination IP, they might end up using different uplinks, but all the packets pertaining to a particular connection will “stick” to the same uplink.)

Unfortunately there is no “easy” solution, especially since you can’t use the set firewall group network-group ... feature (which doesn’t directly help but might make things easier).

Thus you are left with only two alternatives (that I know of):

  • you identify (perhaps by asking the bank’s technical support or looking up their AS information) their network address range; then you exclude this from the WAN load-balancing feature;

  • you use the same “custom script” I described in one of my previous posts: [solved] WAN load-balancing with `policy route` rules [previously: WAN load-balancing with 2 PPPoE connections with TCP-MSS clamping], which allows you to use normal firewall network-groups; then you write a script that, say every 6 minutes, makes a DNS query for the bank’s DNS names (because multiple names might be used for the same application) and adds the results to one of the IPsets behind the firewall network-groups feature used in the exclusion;

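A concrete form of the periodic DNS-to-ipset refresh described in the second alternative, added here as an illustration; it is not code from the linked post, from the thread, or from VyOS. It assumes an ipset named BANKS that the firewall network-group / policy-route exclusion already references, the constructed hostnames in BANK_HOSTS, and that `dig` and `ipset` are installed on the router. The refresh populates a temporary set and swaps it with the live one, so the exclusion never matches an empty set half-way through an update (which would momentarily push bank traffic back into the load-balancer and break the session the thread is about).

```shell
#!/bin/sh
# Added example, not from the thread or from VyOS: refresh an ipset with
# the current A records of the banks' hostnames so that a network-group /
# policy-route exclusion keeps matching when the banks change addresses.
# Assumptions (hypothetical): the ipset BANKS is already referenced by the
# exclusion rule; BANK_HOSTS is a constructed list of example hostnames;
# dig (dnsutils) and ipset are installed. Meant to run from cron, e.g.
#   */6 * * * * /config/scripts/bank-ipset.sh refresh
set -eu

BANK_HOSTS="online.bank-one.example ebank.bank-two.example"
IPSET_NAME="BANKS"

# Keep only well-formed IPv4 addresses from resolver output: "dig +short"
# also prints CNAME targets (and possibly AAAA records), which must not
# end up in a hash:ip set.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Emit an "ipset restore" script that fills a temporary set and atomically
# swaps it with the live one. Reads one IPv4 address per line on stdin.
build_ipset_restore() {
    set_name="$1"
    tmp_name="${set_name}_tmp"
    printf 'create %s hash:ip -exist\n' "$set_name"
    printf 'create %s hash:ip -exist\n' "$tmp_name"
    printf 'flush %s\n' "$tmp_name"
    while IFS= read -r ip; do
        [ -n "$ip" ] && printf 'add %s %s\n' "$tmp_name" "$ip"
    done
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"
}

# Resolve every hostname; a name that fails to resolve simply contributes
# nothing, so one broken DNS entry does not empty the whole set.
resolve_hosts() {
    for h in "$@"; do
        dig +short A "$h" 2>/dev/null || true
    done | filter_ipv4
}

# Full refresh: resolve -> build restore script -> apply with ipset.
refresh_bank_ipset() {
    resolve_hosts $BANK_HOSTS | build_ipset_restore "$IPSET_NAME" | ipset restore
}

# Only touch the live ipset when explicitly asked to.
case "${1:-}" in
    refresh) refresh_bank_ipset ;;
esac
```

Invoking the script with `refresh` performs the update; without an argument it only defines the functions, which keeps the parsing and script-building logic checkable offline. The `-exist` flag on `create` makes the first run and every later run identical, so the script needs no separate bootstrap step.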

#3

ciprian.craciun, thanks a lot for assistance!

I tried to fix this with policy-based routing bound to eth3.
eth3 - local PC clients, 192.168.0.xx net.
gw.isp2.xx.xx - gateway of ISP#2 for outgoing web traffic.

set policy route SRCROUTE-WWWOUT-SINTF
set policy route SRCROUTE-WWWOUT-SINTF rule 10 destination address 0.0.0.0/0
set policy route SRCROUTE-WWWOUT-SINTF rule 10 destination port http,https
set policy route SRCROUTE-WWWOUT-SINTF rule 10 source address 192.168.0.0/24
set policy route SRCROUTE-WWWOUT-SINTF rule 10 set table 1
set protocols static table 1 route 0.0.0.0/0 next-hop gw.isp2.xx.xx
set interfaces ethernet eth3 policy route SRCROUTE-WWWOUT-SINTF

It failed: outgoing web traffic stopped. I suspect “static table 1” somehow interferes with something else. I can’t experiment in a busy working environment for long, so I disconnected one link. Kinda awkward, but I have no other choice for now.


#4

I don’t know how VyOS translates the set interfaces ethernet eth3 policy route, but I bet it uses iptables. Therefore I doubt those rules would come before the WAN load-balancing policy ones.

(Could you paste the iptables -t nat -S and iptables -t mangle -S for reference?)


Moreover please note that the WAN load-balancing feature uses the tables starting from 1, thus including the one you have configured. Try to use another number, say 512 or above.

In order to see how the rules are applied use ip rule show and ip route show table X, where X is either default (should be empty), main or the number you have chosen.


#5

Credit to the original owner; this might help with the issue.

vyatta config

set interfaces ethernet eth0 address 192.168.100.15/24
set interfaces ethernet eth1 address 172.17.100.15/24
set interfaces ethernet eth2 address 10.1.100.1/24
commit
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set protocols static route 0.0.0.0/0 next-hop 172.17.100.1
commit
set service nat rule 1 source address 10.1.100.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit
set service nat rule 2 source address 10.1.100.0/24
set service nat rule 2 outbound-interface eth1
set service nat rule 2 type masquerade
commit
set load-balancing wan interface-health eth0 failure-count 3
set load-balancing wan interface-health eth0 nexthop 192.168.100.1
set load-balancing wan interface-health eth0 test 10 ping
set load-balancing wan interface-health eth0 test 10 target 172.16.0.1
commit
set load-balancing wan interface-health eth1 failure-count 3
set load-balancing wan interface-health eth1 nexthop 172.17.100.1
set load-balancing wan interface-health eth1 test 10 ping
set load-balancing wan interface-health eth1 test 10 target 172.16.0.1
commit
set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 interface eth0
set load-balancing wan rule 10 interface eth1
commit
save

Checking

run show wan-load-balance
run show wan-load-balance connection


#6

Hi, Bruce,
This is the simplest load-balancing config; it will not solve the banking issue.
Only policy-based routing will.
Thanks for your attention and help anyway.